Compliance: E-Science Mandates and Policies

Sarah J. White
Director of Research Compliance
Rice University
April 4, 2012
Data, Data, Who owns the Data?
• This is a contentious point:
– Data is the life’s work of the researcher
– The Institution has legal and ethical responsibilities
which require custodial ownership
– Unless the institution owns the data they cannot
transfer it, need to consider compliance
responsibilities
– Data is an intangible asset (hardware is a tangible
asset)
– Bottom line is protection of research data is a shared
responsibility
Data Sharing
Timing for data sharing
• Data sharing should be timely and no later
than acceptance for publication of the main
findings
• Data from large studies can be made available
over time as data becomes available
NIH Data Sharing Policy
• “Data should be made as widely and freely
available as possible while safeguarding the
privacy of participants, and protecting the
confidential and proprietary data”
– Final NIH Statement on Sharing Research Data
– February 26, 2003
NIH Data Sharing Requirements
• Plans must be included in proposals which
request $500K or more per year if required in
the RFA or PA:
• Plans should provide a:
– Schedule for data sharing
– Format for the final data
– Documentation
– Analytical tools to be provided (if any)
– Mode of data sharing
NSF Data Sharing Policy
• Investigators are expected to share with other
researchers, at no more than incremental cost
and within a reasonable time, the primary data,
samples, physical collections and other
supporting materials created or gathered in the
course of work under NSF grants. Grantees are
expected to encourage and facilitate such
sharing. See Award & Administration Guide (AAG)
Chapter VI.D.4.
• See Grant Proposal Guide (GPG) Chapter II.C.2.j for full policy
implementation.
NSF Data Management Plan
Requirements
• Proposals submitted or due on or after
January 18, 2011, must include a
supplementary document of no more than
two pages labeled “Data Management Plan”.
This supplementary document should
describe how the proposal will conform to NSF
policy on the dissemination and sharing of
research results.
NSF Data Management Plan
DMP
Is reviewed as part of the intellectual merit or broader impacts of the
proposal or both.
• Includes:
– The types of data (physical and digital), samples, physical collections,
publications, software and/or models that will be produced during the
project
– Any standards to be used for data and metadata format and content
– Policies for access and sharing the intellectual property provisions
– Provisions for reuse, redistribution and the production of derivatives
– Plans for archiving data and for preservation of access to them
– Period of data retention.
• A valid plan may consist of a statement that no detailed plan is
needed, as long as the researcher provides clear justification.
Does all data need to be shared?
• No--A key to working with data which involves
human subjects is knowing when and how
Privacy Rules apply.
– HIPAA (Health Insurance Portability and
Accountability Act)
• Cannot disclose personally identifiable data
• PI needs to identify the use of identifiable data in data
sharing plan
• Informed Consent plans must fully inform participants
of the intended use of the data being collected
De-Identification of Data
• Under Privacy rules the following must be
removed from data sets:
– Geographic information
– Dates of birth, hospital admission/discharge,
death
– Address, e-mail, phone, SSN, license plate, or any
other unique numbering
– Finger prints, voice prints, photos or images
Other Data Access Issues
• Freedom of Information Act (FOIA)
– Pertains to federally sponsored research
– Research data may be requested under two
circumstances:
• It has been published in a peer-reviewed scientific or
technical journal, or
• The federal agency publicly cites the research findings in
support of an agency action
• Family Educational Rights and Privacy Act
(FERPA)
– Pertains to non-public student records and the data
associated with them
Proprietary Data
• Access to data collected may be restricted
because of co-funding from private sources, or
there are patent issues.
• Any restrictions due to IP concerns must be
identified in the data sharing plan
IP and Data
• On March 16, 2013, the US patent filing system switched
from a “first to invent” to a “first inventor to file” system
to be in line with the rest of the world.
• It will remain critical for researchers to be able to document
their lab notebooks and back them up with
supporting data.
• Part of the America Invents Act
Data and Copyright
• Many Universities cede copyright to their
faculty
• Many journals require copyright ownership
• Sometimes ownership of data is specified
• Faculty should be aware that this is not in
their best interests
Data Security
Sensitive Information
Human Subjects Context
• Information is considered sensitive if the loss of confidentiality, integrity, or
availability could be expected to have a serious, severe or catastrophic adverse
effect on organizational operations, organizational assets, or individuals (definition
from the Guide).
• Guide for Identifying Sensitive Information at the NIH is intended to provide useful
guidance on how to effectively identify sensitive information (including PII) and
Privacy Act records. The publication suggests some insight into the complexity of
identifying this type of data. While it’s not an exact science and requires some
thinking on the part of the user, context is often a determining factor.
• For example, a picture of an employee along with their name placed in a
newsletter article recognizing their achievements is not sensitive. However, that
same picture and name contained in a file named “Genetic screening results” or
“Staff placed on probation” would be considered very sensitive. The same
information in different contexts can make a tremendous difference in how the
information needs to be protected.
And Super Sensitive
Unclassified Data
(National Security Context)
• The term “sensitive but unclassified” (SBU)
information was used before the terrorist attacks of
September 11, 2001, even though there is no statutory
definition for it. Since 9/11 more agencies have started
to use the term “SBU,” or some variant of it, and to
implement security systems to identify and protect
nonclassified information whose release might
benefit terrorists
• Department of Homeland Security: agriculture,
chemical, biological, nuclear and radiological, cyber
terrorism and the behavioral aspects of terrorism
Export Control
• Although most research conducted at Universities
will fall under the fundamental research
exemption
• The PI must comply with any restrictions
pertaining to US laws and regulations controlling
the export of:
– Technical data
– Computer software
– Laboratory prototypes used in connection with their
research
Fundamental Research Exemption
• Basic and applied research in science and
engineering, the results of which ordinarily
are published and shared broadly within
the scientific community, as distinguished
from proprietary research and from
industrial development, design,
production, and product utilization, the
results of which ordinarily are restricted for
proprietary or national security reasons.
Export Control
• Despite these generally useful exclusions, some university
activities remain subject to export control. The following are
examples of common situations in which these exclusions or
exemptions will not apply.
1. Restricted Projects
2. Certain Federal Sponsors
3. International Travel
4. Sponsor of 3rd party proprietary items or technical data
5. Physical exports
6. Deliverables to a foreign sponsor
7. Use, transfer, or development of a controlled item or
technical data
(You can’t) take it with you
• The applicability of export control regulations will
depend on the following:
– country(ies) you will be visiting;
– what you'll be taking with you or sending to support
your work;
– what you will be doing abroad; and
– who you will be working with.
Data Retention
Okay, I’m done
• Not so fast….
– How and when can you dispose of data?
• Term is usually stipulated for sponsored research: 3
years after the funding period ends for federal sponsors
and 4-6 years for state sponsors
• University policy may stipulate a longer time frame
• PI should make the determination after the minimum
term expires
• Some stricter guidelines depending upon the type of
data;
• FDA has longer timelines as well
Destroying Data
• Best practices ensure that the data cannot be
reconstructed.
Comments and
Questions?
Thank You!