Enthusiasm for data sharing and research transparency has grown across the social sciences. This newer scholarly imperative has begun to overlap with the long-standing mandate to minimize risks for human subjects in research. IRBs play a crucial role in this realm, as the IRB’s recommendations on a social science research protocol will often determine whether or not the data obtained through the study may be shared in the future. IRBs are tasked with assisting and educating social scientists to include the appropriate elements, language, and procedures in their protocol materials in order for researchers to approach data sharing in an ethical and responsible manner.
On May 1, PRIM&R hosted a webinar, Data Sharing in SBER: Balancing Transparency and Human Research Protections, to provide expert input on this timely issue and offer strategies for IRBs to implement when facilitating data availability. The speaker panel consisted of Dessislava (Dessi) Kirilova, MA, curation and IRB specialist at the Qualitative Data Repository (QDR), and Kathleen Murphy, PhD, CIP, manager of the social and behavioral IRB office at Northwestern University.
After the webinar, Ms. Kirilova and Dr. Murphy responded to some of the attendee questions time didn’t permit us to address live. We’re pleased to share those responses with the readers of Ampersand.
What kinds of things have you done to promote data sharing at your institution?
Kathleen Murphy (KM): At my institution, we have included a paragraph about data sharing in our protocol and our consent templates. This encourages researchers to think about it. There are many examples of sample language out there but just to illustrate, here is what we include in the protocol template:
Long-term Data and Specimen Storage and Sharing
If data/specimens will be stored and shared long-term for future research studies, explain the plan for storing and sharing the data. If you plan to place your data in a data repository, explain which repository/database and why.
Explain whether identifiers will be included with the data/specimens when they are shared.
In the consent template we provide this suggested language if it is appropriate:
De-identified data from this study may be shared with the research community at large to advance science and health. We will remove or code any personal information that could identify you before files are shared with other researchers to ensure that, by current scientific standards and known methods, no one will be able to identify you from the information we share. Despite these measures, we cannot guarantee anonymity of your personal data.
Because we find that researchers assume the IRB wants them to destroy their data after a certain period of time, we do what we can to get the word out there that this is not an IRB expectation; in fact, we would like them to consider future uses of their data more broadly. To help change the culture, in addition to offering templates, we include the possibility that researchers think about the future uses for their data when we provide IRB education in the classroom, during brownbag lunch sessions, and in various other types of presentations. We also talk about what “de-identified” means in this day and age, as that can be the more labor-intensive and therefore daunting part of data sharing.
It seems like the new exempt categories 7 and 8 in the revised Common Rule are designed to promote data sharing, and yet it seems complicated. What are your thoughts on how that will work?
KM: I would agree that Categories 7 and 8 are designed to promote sharing of specimens and information. However, we are not implementing broad consent at my institution and therefore are not going to implement exempt categories 7 and 8. Our reasoning for this is that the administrative burden associated with long-term monitoring of those who do not consent to data sharing, as well as those who do but request withdrawal later, is just too labor-intensive and unfeasible in the rapidly evolving research enterprise. In addition, because it is feasible to ethically share data in other ways without using broad consent, continuing to use the expedited categories that have always been used for that purpose seems to be a better choice. Although the intent of exempt categories 7 and 8 was to reduce administrative burden, that is not the net effect. Until the expedited categories are revised and we need to refresh our thinking about the use of expedited review, at my institution, we see no reason to use the new exempt categories to share data. That is not to say that someone could not figure it out—this is one of those aspects of the revised Common Rule that may need to be revisited periodically.
Would we have to change the review category of a study where data sharing of identifiable data is proposed (even under access controls of some sort) if, without that component, it would have been exempt?
KM: I am going to resort to the ever-useful IRB response of “it depends.” For the most part, if data sharing is included in the protocol and the consent, and the participant has agreed to the data sharing, the actual sharing of already collected data will be under the purview of a data use agreement (DUA). Therefore, it will not have anything to do with the level of review under which the data were collected. That said, the IRB will consider the sharing of data when they review the initial protocol in the context of the sensitivity of the data. The IRB will always consider the probability and magnitude of harm to the participant, as well as the sharing of the data after the research is conducted. However, it is important to keep in mind that the presence or absence of identifiers is a consideration in level of review, but only as it relates to the risk of harm. Identifiers can be collected and retained with exempt review; the identifier is not the issue. The issue is the risk of harm if the participant is identified as connected to the data collected. Sometimes there is a tendency for researchers and IRBs to equate “identifiable” with “risk” and that is not always the case especially with research that is exempt.
What is being referenced with regard to legal statutes for data management for IRBs?
KM: During the presentation, the reference to “legal statutes” was shorthand for the regulations, which for our purposes was generally referencing the Common Rule, although regulations such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) could also be included in how we think about legal statutes and regulations. The kind of blurring of the language around “legal” and “regulatory” comes from the actual structure of how laws come into existence in the regulatory world of IRBs. Laws created by agencies are called “regulations.” Regulations usually must be authorized by a government statute, and while regulations are subordinate to the statutes, they have the same legal force as statutes. The Office of Human Research Protections (OHRP) has the mandate from the Department of Health and Human Services (HHS), which has the mandate from the Congress to create the regulations for the protection of participants in research. Agencies that are part of the executive branches of state and federal governments are tasked with the execution of the law to, in this instance, protect participants in research, and so we have the core regulatory requirements that are spelled out in 45 CFR 46. Not to complicate matters, but the 17+ agencies that have signed onto the Common Rule also have their own regulations that are spelled out in the Code of Federal Regulations. While the other agencies generally mirror 45 CFR 46 in their regulations, that is not always the case. That is why, for example, with Department of Defense (DOD)-funded research we have to consider the additional DOD regulations/laws that apply.
Data disposition and destruction is a part of a data management cycle. For example, in most qualitative research, researchers don’t need to keep direct identifiers once the data have been coded. So how do IRBs convey to researchers that they need to explain their retention and destruction plan for certain types of information without making sweeping statements about the destruction of data? (The reason we often see statements about data destruction on consent forms is because IRBs ask about this—researchers don’t need to indefinitely retain sensitive identifiers. There is an expectation that such information will be destroyed once it is no longer needed.)
Dessi Kirilova (DK): As part of our ongoing engagement with the IRB community, the main point we at the QDR are trying to make is exactly that—more nuanced guidance for researchers is needed, so that they understand that data sharing is not an all-or-nothing proposition. Indeed, different types of data (and even different formats of the same data content—for example, an audio recording and a typed transcript of the same conversation) should be managed as appropriate, which might differ in some respects, such as whether an actual data destruction step is necessary. To the degree in which we understand how IRBs signal one thing or another to their PIs on campus, we recommend that IRBs write a more detailed guidance for the types of scenarios they most frequently encounter, and that they include some type of questionnaire in their IRB application form that helps their researchers think through these differentiated options. Of course, we are also happy to offer remote advice or webinar training on that either to the IRB (say, if they need to brainstorm through options for detailed guidance) or to researchers.
What if the data was collected from a subject prior to consent when consent should have been obtained?
KM: The conduct of research that is inconsistent with what was IRB approved would generally mean the data cannot be used. While consideration of going back to the participant to request consent for the use of the information might be appropriate, that would need to be discussed in the context of the project. This would include how it happened that no consent was obtained and the related ethical considerations around going back to the participant. While I think most IRBs would rather not have data wasted, the rights and welfare of the participant are the priority. Data that were collected as part of human research without consent (or waiver) are unauthorized. While IRBs generally do not tell researchers they cannot use data, I do tell researchers that they use those data at their own academic and reputational peril as it relates to ethics and integrity.
DK: For the purposes of data sharing specifically (i.e., consent for research participation was obtained, but data sharing was not contemplated and asked for at the time), such data will not be acceptable to share. A possible solution could be requesting further consent for sharing, which—as pointed out by Kathleen above—might itself necessitate an IRB protocol amendment. We at QDR have had successful situations where researchers went back to their participants and asked for permission to share the data (formal re-consent), but obviously this was time-consuming for all involved. The best scenario is not just to ask for consent for participation before any data collection begins, but also to explicitly explain one’s data sharing plans and ask for agreement to those plans.
PRIM&R thanks Ms. Kirilova and Dr. Murphy for sharing their expertise.
The recording of this webinar is available for individuals to purchase in PRIM&R’s online store.