ACN - 101321555 Australasian Human Research Ethics Consultancy Services Pty Ltd (AHRECS)

Resource Library

Research Ethics MonthlyAbout Us

Research Integrity

Australasian Human Research Ethics Consultancy Services Pty Ltd (AHRECS)

Ethics, Security and Privacy – the Bermuda Triangle of data management?0

 

Malcolm Wolski and Andrew Bowness
Griffith University

 

To manage sensitive research data appropriately, ethics, security and privacy requirements need to be considered. Researchers are traditionally familiar with ethics, but often have not considered the privacy and security pieces of the puzzle. Our reasons for making this statement are:

  • IT products used in research change rapidly
  • Legislation changes rapidly and there are jurisdictional issues
  • Most researchers are not legal or IT experts
  • No one teaches them enough basics to know what is risky behaviour

The recent revision to the Australian Code for the Responsible Conduct of Research (2018) on Management of Data and Information in Research highlights that it is not just the responsibility of a university to use best practice, but it is also the responsibility of the researcher. The responsible conduct of research includes within its scope the appropriate generation, collection, access, use, analysis, disclosure, storage, retention, disposal, sharing and re-use of data and information. Researchers have a responsibility to make themselves aware of the requirements of any relevant codes, legislation, regulatory, contractual or consent agreements, and to ensure they comply with them.

It’s a complex world

However, this is becoming an increasingly more complex environment for researchers. First, privacy legislation is dependent on jurisdiction of participants. For one example, a research project involving participants in Queensland is impacted by not only the Australian Privacy Act but also the Queensland version (Information Privacy Act 2009 Qld), and, if a participant or collaborator is an EU citizen, the General Data Protection Regulation (EU GDPR).

Secondly, cybersecurity and information security activities in universities have increased dramatically in recent times because of publicised data breaches and the impact of data breach legislation. If your research involves foreign citizens, you may also find foreign legislation impacting the type of response required.

Thirdly, funding agencies, such as government departments are increasingly specifying security and privacy requirements in tender responses and contracts.

These are having an impact on research project governance and practices, particularly for projects where the researcher has identified they are working with sensitive data. While the conversation typically focuses on data identified under the privacy acts as sensitive (e.g. Personally Identifiable Information (Labelled) under the Australian Privacy Act), researchers handle a range of data they may wish to treat as sensitive, whether for contractual reasons (e.g. participant consent, data sharing agreements) or for other reasons (e.g. ethical or cultural).

We have noticed an increasing trend within institutions where researchers are being required to provide more information on how they manage data as specified in a proposal or in a data sharing agreement. This typically revolves around data privacy and security, which is different from the ethics requirements.

What does “security” and “privacy” mean to the practitioner

IT security is more about minimising attack points though process or by using IT solutions to prevent or minimise the impacts of hostile acts or alternatively minimise impacts though misadventure (e.g. leaving a laptop on a bus). Data security is more in the sphere of IT and not researchers. This is reflected in which software products, systems and storage are “certified” to be safely used for handling and managing data classified as sensitive. IT usually also provides the identity management systems used to share data.

We have also noticed that researchers are relying on software vendors’ website claims about security and privacy which is problematic because most cloud software is running from offshore facilities which do not comply with Australian privacy legislation. Unless you are an expert in both Australian legislation and cybersecurity you need to rely on the expertise of your institutional IT and cybersecurity teams to verify vendors’ claims.

In the current environment, data privacy is more about mandated steps and activities designed to force a minimal set of user behaviours to prevent harm caused through successful attacks or accidental data breaches. It usually involves punishment to force good behaviour (e.g. see Data Breach Legislation for late reporting). Typically, data privacy is more the responsibility of the researcher. It usually involves governance processes (e.g. who has been given access to what data) or practices (e.g. what software products the team actually uses to share and store data).

What we should be worrying about

The Notifiable Data Breaches Statistics Report: 1 April to 30 June 2019 highlighted that only 4% of breaches, out of 254 notifications, were due to system faults, but 34% were due to human error and 62% due to malicious or criminal acts. Based on these statistics, the biggest risk associated with data breaches is where the data is in the hands of the end-user (i.e. the researcher) not with the IT systems themselves.

We argue the risks are also greater in research than the general population because of a number of factors such as the diversity of data held (e.g. data files, images, audio etc), the fluidity of the team membership, teams often being made up of staff across department and institutional boundaries, mobility of staff, data collection activities offsite, and the range of IT products needed in the research process.

For this discussion, the focus is on the governance and practice factor within the research project team and how this relates back to the ethics requirements when it has been highlighted that the project will involve working with sensitive data.

Help!!

We have worked closely with researcher groups for many years and have noticed a common problem. Researchers are confronted with numerous legislative, regulatory, policy and contractual requirements all written in terminology and language that bears little resemblance with what happens in practice. For example, to comply with legislation:

  • what does sending a data file “securely” over the internet actually look like in practice and which IT products are “safe”?
  • Is your university-provided laptop with the standard institutional image certified as “safe” for data classified as private? How do you know?
  • Is your mobile phone a “safe” technology to record interviews or images classified as private data? What is a “safe” technology for field work?

Within the university sector a range of institutional business units provide support services. For example, IT may provide advice assessing the security and privacy compliance of software, networked equipment or hardware infrastructure and the library may provide data management advice covering sensitive data. At our institution, Griffith University, the eResearch Services and the Library Research Services teams have been working closely with research groups to navigate their way through this minefield to develop standard practices fit for their purpose.

What we think is the best way forward

Our approach is to follow the Five Safes framework which has also been adopted by the Office of the National Data Commissioner. For example:

  • Safe People Is the research team member appropriately authorised to access and use specified data i.e. do you have a documented data access plan against team roles and a governance/induction process to gain access to restricted data?
  • Safe Projects Is the data to be used for an appropriate purpose i.e. do you have copies of the underlying data sharing/consent agreements, contracts, documents outlining ownership and licensing rights?
  • Safe Settings Does the access environment prevent unauthorised use i.e. do IT systems and processes support this and are access levels checked regularly?
  • Safe Data Has appropriate and sufficient protection been applied to the data i.e. what is it and does it commensurate with the level of risk involved?
  • Safe Outputs Are the statistical results non-disclosive or have you checked rights/licensing issues?

Expect to see a lot more of the Five Safes approach in the coming years.

References

Hardy, M. C., Carter, A., & Bowden, N. (2016). What do postdocs need to succeed? A survey of current standing and future directions for Australian researchers.2, 16093. https://doi.org/10.1057/palcomms.2016.93

Meacham, S. (2016). The 2016 ASMR Health and Medical Research Workforce Survey. Australian Society of Medical Research.

Contributors

Malcolm Wolski, Director eResearch Services, Griffith University

Andrew Bowness, Manager, Support Services, eResearch Services, Griffith University

This post may be cited as:
Wolski, M. and Bowness, A. (29 September 2019) Ethics, Security and Privacy – the Bermuda Triangle of data management?. Research Ethics Monthly. Retrieved from: https://ahrecs.com/research-integrity/ethics-security-and-privacy-the-bermuda-triangle-of-data-management

The F-word, or how to fight fires in the research literature0

 

Professor Jennifer Byrne | University of Sydney Medical School and Children’s Hospital at Westmead

 

At home, I am constantly fighting the F-word. Channelling my mother, I find myself saying things like ‘don’t use that word’, ‘not here’, ‘not in this house’. As you can probably gather, it’s a losing battle.

Research has its own F-words – ‘falsification’, ‘fabrication’, different colours of the overarching F-word, ‘fraud’. Unlike the regular F-word, most researchers assume that there’s not much need to use the research versions. Research fraud is considered comfortably rare, the actions of a few outliers. This is the ‘bad apple’ view of research fraud – that fraudsters are different, and born, not made. These rare individuals produce papers that eventually act as spot fires, damaging their fields, or even burning them to the ground. However, as most researchers are not affected, the research enterprise tends to just shrug its collective shoulders, and carry on.

But, of course, there’s a second explanation for research fraud – the so-called ‘bad barrel’ hypothesis – that research fraud can be provoked by poorly regulated, extreme pressure environments. This is a less comfortable idea, because this implies that regular people might be tempted to cheat if subjected to the right (or wrong) conditions. Such environments could result in more affected papers, about more topics, published in more journals. This would give rise to more fires within the literature, and more scientific casualties. But again, these types of environments are not considered to be common, or widespread.

But what if the pressure to publish becomes more widely and acutely applied? The use of publication quotas has been described in different settings as being associated with an uptick in numbers of questionable publications (Hvistendahl 2013; Djuric 2015; Tian et al. 2016). When publication expectations harden into quotas, more researchers may feel forced to choose between their principles and their (next) positions.

This issue has been recently discussed in the context of China (Hvistendahl 2013; Tian et al. 2016), a population juggernaut with scientific ambitions to match. China’s research output has risen dramatically over recent years, and at the same time, reports of research integrity problems have also filtered into the literature. In biomedicine, these issues again have been linked with publication quotas in both academia and clinical medicine (Tian et al. 2016). A form of contract cheating has been alleged to exist in the form of paper mills, or for-profit organisations that provide research content for publications (Hvistendahl 2013; Liu and Chen 2018). Paper mill services allegedly extend to providing completed manuscripts to which authors or teams can add their names (Hvistendahl 2013; Liu and Chen 2018).

I fell into thinking about paper mills by accident, as a result of comparing five very similar papers that were found to contain serious errors, questioning whether some of the reported experiments could have been performed (Byrne and Labbé 2017). With my colleague Dr Cyril Labbé, we are now knee deep in analysing papers with similar errors (Byrne and Labbé 2017; Labbé et al. 2019), suggesting that a worrying number of papers may have been produced with some kind of undeclared help.

It is said that to catch a thief, you need to learn to think like one. So if I were running a paper mill, and wanted to hide many questionable papers in the biomedical literature, what would I do? The answer would be to publish papers on many low-profile topics, using many authors, across many low-impact journals, over many years.

In terms of available topics, we believe that the paper mills may have struck gold by mining the contents of the human genome (Byrne et al. 2019). Humans carry 40,000 different genes of two main types, the so-called coding and non-coding genes. Most human genes have not been studied in any detail, so they provide many publication opportunities in fields where there are few experts to pay attention.

Human genes can also be linked to cancer, allowing individual genes to be examined in different cancer types, multiplying the number of papers that can be produced for each gene (Byrne and Labbé 2017). Non-coding genes are known to regulate coding genes, so non-coding and coding genes can also be combined, again in different cancer types.

The resulting repetitive manuscripts can be distributed between many research groups, and then diluted across the many journals that publish papers examining gene function in cancer (Byrne et al. 2019). The lack of content experts for these genes, or poor reviewing standards, may help these manuscripts to pass into the literature (Byrne et al. 2019). And as long as these papers are not detected, and demand continues, such manuscripts can be produced over many years. So rather than having a few isolated fires, we could be witnessing a situation where many parts of the biomedical literature are silently, solidly burning.

When dealing with fires, I have learned a few things from years of mandatory fire training. In the event of a laboratory fire, we are taught to ‘remove’, ‘alert’, ‘contain’, and ‘extinguish’. I believe that these approaches are also needed to fight fires in the research literature.

We can start by ‘alerting’ the research and publishing communities to manuscript and publication features of concern. If manuscripts are produced to a pattern, they should show similarities in terms of formatting, experimental techniques, language and/or figure appearance (Byrne and Labbé 2017). Furthermore, if manuscripts are produced in a large numbers, they could appear simplistic, with thin justifications to study individual genes, and almost non-existent links between genes and diseases (Byrne et al. 2019). But most importantly, manuscripts produced en masse will likely contain mistakes, and these may constitute an Achilles heel to enable their detection (Labbé et al. 2019).

Acting on reports of unusual shared features and errors will help to ‘contain’ the numbers and influence of these publications. Detailed, effective screening by publishers and journals may detect more problematic manuscripts before they are published. Dedicated funding would encourage active surveillance of the literature by researchers, leading to more reports of publications of concern. Where these concerns are upheld, individual publications can be contained through published expressions of concern, and/or ‘extinguished’ through retraction.

At the same time, we must identify and ‘remove’ the fuels that drive systematic research fraud. Institutions should remove both unrealistic publication requirements, and monetary incentives to publish. Similarly, research communities and funding bodies need to ask whether neglected fields are being targeted for low value, questionable research. Supporting functional studies of under-studied genes could help to remove this particular type of fuel (Byrne et al. 2019).

And while removing, alerting, containing and extinguishing, we should not shy away from thinking about and using any necessary F-words. Thinking that research fraud shouldn’t be discussed will only help this to continue (Byrne 2019).

The alternative could be using the other F-word in ways that I don’t want to think about.

References

Byrne JA (2019). We need to talk about systematic fraud. Nature. 566: 9.

Byrne JA, Grima N, Capes-Davis A, Labbé C (2019). The possibility of systematic research fraud targeting under-studied human genes: causes, consequences and potential solutions. Biomarker Insights. 14: 1-12.

Byrne JA, Labbé C (2017). Striking similarities between publications from China describing single gene knockdown experiments in human cancer cell lines. Scientometrics. 110: 1471-93.

Djuric D (2015). Penetrating the omerta of predatory publishing: The Romanian connection. Sci Engineer Ethics. 21: 183–202.

Hvistendahl M (2013). China’s publication bazaar. Science. 342: 1035–1039.

Labbé C, Grima N, Gautier T, Favier B, Byrne JA (2019). Semi-automated fact-checking of nucleotide sequence reagents in biomedical research publications: the Seek & Blastn tool. PLOS ONE. 14: e0213266.

Liu X, Chen X (2018). Journal retractions: some unique features of research misconduct in China. J Scholar Pub. 49: 305–319.

Tian M, Su Y, Ru X (2016). Perish or publish in China: Pressures on young Chinese scholars to publish in internationally indexed journals. Publications. 4: 9.

This post may be cited as:
Byrne, J. (18 July 2019) The F-word, or how to fight fires in the research literature. Research Ethics Monthly. Retrieved from: https://ahrecs.com/research-integrity/the-f-word-or-how-to-fight-fires-in-the-research-literature

We respect you… we just don’t need to hear from you any more: Should the consumer and their community participate in research as partners instead of just being subjects?1

 

By
Dr Gary Allen| Senior Policy Officer, Office for Research Griffith University | Ambassador Council the Hopkins Centre|
Ambassador MS Qld | Member Labor Enabled| Senior Consultant AHRECS

Associate Professor Carolyn Ehrlich| the Hopkins Centre| Research fellow at Griffith University

On behalf of the consumer inclusion in ethics research project, The Hopkins Centre, Griffith University

Much has already been said about the significance of the 2018 update to the Australian Code for the Responsible Conduct of Research. The Australian Code describes the national framework for the responsible conception, design, conduct, governance and reporting of research. Collectively this is referred to as research integrity. The Australian Code has changed from a 37-page book of detailed and prescriptive rules to a six-page book of high-level principles and responsibilities.

This is not another piece arguing the pros and cons of the flexibility of principles or the certainty of a single national standard.

Instead, this is a discussion about an important idea, which was present in the 2007 version of the Australian Code, but that was discarded without explanation or acknowledgement in the 2018 update. This important idea relates to consumer and community participation and its extension to consumer and community involvement in research.

At provision 1.13 of the 2007 version of the Australian Code there was a simple statement that Australian research institutions and researchers should encourage and facilitate consumer and community participation in research. The provision was included in the 2007 version as one part of the implementation of the Statement on Consumer and Community Participation in Health and Medical Research (NHMRC and Consumers’ Health Forum of Australia Inc, 2002) and went on to underpin the updated version of that statement, which was released in September 2016.  The absence from the 2018 version of the Australian Code of even a brief reference to consumer/community participation in research is (or SHOULD be) a significant cause for concern.

That brief encouragement provided support for consumer-guided designs, research participants as co-researchers and action research across most disciplines. With a few sentences, it mainstreamed the Statement on Consumer and Community Participation in Health and Medical Research and reinforced the importance of consumers and communities beyond ‘just’ research subjects in medical research.

Examples of that participation include the role of consumers and community members:

  1. On a reference/advisory group (including providing lived-experience with regard to the focus, objectives and deliverables of a project)
  2. As co-researchers
  3. In providing lived-experience into the significance of risks, harms and burdens, and the degree to which the risks are justified by the anticipated benefits (see Pär Segerdah 2019).
  4. In providing valuable insights for service/clinical decisions (see Carlini 2019 for an example).

A real example of this working well is of Cancer Australia which mandates the inclusion of consumers in their funding scheme, both in terms of applicants articulating how consumers are engaged (in the ways outlined above and also as reviewers and members of the review panels that evaluate grants). The inclusion of consumers improves projects immeasurably.  Cooperative cancer trials groups have a consumer advisory panel or committee. It would be unimaginable to do cancer trials without consumer involvement in their design. Such community participation is also evident in the recently approved research strategy at Epworth Health.

The above matters (such as whether a project is addressing a genuine community need and whether the risks of the project are justified by its benefits) can be especially significant for vulnerable individuals, especially persons living with ‘invisible conditions’, whereby people may have symptoms or disabilities that might not be immediately obvious to others, and/or when the ‘subjects’ of research are vulnerable, over-researched, or historically disenfranchised. Rather than protecting them from harm, and without a clear mandate for involving them more fully in the co-design and co-production of research that directly impacts their lives, there is a real risk of unintended consequences whereby these people may become even more disenfranchised, over-researched and vulnerable research ‘subjects’.

It is important to acknowledge that the 2016 Statement remains in place, the National Statement on Ethical Conduct in Human Research (2007 updated 2018) continues to articulate the core values of justice and respect, and the new Chapter 3.1 of the 2018 update of the National Statement on Ethical Conductmentions co-researcher designs. More specifically, paragraphs 1.1(a) and 2.1.5 identify community engagement as an important element in research design and planning. The omission from the Australian Code (2018) is out of step with the National Safety and Quality Health Service Standard which calls (2012 p15) for consumer and community involvement in deliberations about risk.

What is a concern now is that the overarching Australian Code for the Responsible Conduct of Research no longer urges publicly-funded research institutions to encourage consumer and community participation in research beyond them being the subjects of research.  On balance, this appears to be inconsistent with other relevant national research standards issued by the same agencies as the Code.

Those voices and perspectives were around before the 2007 version of the Australian Code and hopefully, they will continue to be into the future. That is true because it is becoming more widely accepted that consumers, such as people living with a chronic disease or disability and their carers, have a valuable perspective and a voice that should be listened to. One way a research project can have impact is by heeding those voices and meeting the needs of those Australians. However, in the 2018 update of the Australian Code, there is no longer an obligation on Australian institutions and researchers to encourage and facilitate consumer and community participation in research.

But will the same amount and scope of consumer and community-engaged research be conducted without that encouragement in the Australian Code?

It seems we are about to find out. We just wished there had been a national discussion about that change first – including targeted engagement with the populations who are now no longer encouraged to collaboratively participate in research, and who will potentially be relegated back to a position of being a subject within researcher designed projects and studies.

One way the current situation could be addressed would be in a good practice guide. The Australian Code (2018) is complemented with good practice guides, which suggest how institutions and researchers should interpret and apply the Australian Code’s principles and responsibilities to their practice. A good practice guide for collaborative research could reinforce the importance of consumer and community participation in research.

REFERENCES

Carlini, J. (18 January 2018) Consumer Co-design for End of Life Care Discharge Project. Research Ethics Monthly. Retrieved from: https://ahrecs.com/human-research-ethics/consumer-co-design-for-end-of-life-care-discharge-project

NHMRC(2007) Australian Code for the Responsible Conduct of Research

NHMRC(2007 updated 2018) National Statement on Ethical Conduct in Human Research

NHMRC (2016) Statement on Consumer and Community Involvement in Health and Medical Research

NHMRC (2018) Australian Code for the Responsible Conduct of Research

NSQHS (2012) National Safety and Quality Health Service Standards

Pär Segerdah (2019) Ask the patients about the benefits and the risks. The Ethics Blog. Retrieved from: https://ethicsblog.crb.uu.se/2019/01/16/ask-the-patients-about-the-benefits-and-the-risks/

ACKNOWLEDGEMENTS

With grateful thanks to the following people for their contributions:

Delena Amsters, QHealth
Mark Israel, AHRECS
Mandy Nielsen, QHealth
Michael Norwood, Griffith University
Maddy Slattery, Griffith University
Colin Thomson AM, AHRECS
Nik Zeps, AHRECS, Epworth Healthcare

This post may be cited as:
Allen, G. & Ehrlich, C. (21 June 2019) We respect you… we just don’t need to hear from you any more: Should the consumer and their community participate in research as partners instead of just being subjects? Research Ethics Monthly. Retrieved from: https://ahrecs.com/research-integrity/we-respect-you-we-just-dont-need-to-hear-from-you-any-more-should-the-consumer-and-their-community-participate-in-research-as-partners-instead-of-just-being-subjects

Update on the new subscribers’ area0

 

We are currently expecting the new service to go live prior to us sending the July 2019 edition of the Research Ethics Monthly.

It is being built by some talented designers and coders we are excited to be working with.

The service will be located at AHRECS.vip, will be far more easily browsed and used, with an annual subscription of $360 (Plus GST and a 2% charge if you pay by credit card).

We will have more about this new service in the next edition.  Email VIP@ahrecs.com if you have any questions.

0