On January 6, 2016, members of the Privacy Tools for Sharing Research Data project submitted comments in response to the September 2015 notice of proposed rulemaking to revise the Federal Policy for the Protection of Human Subjects. This proposed rulemaking is the most significant attempt to overhaul the federal regulations governing the conduct of clinical research involving human subjects since the regulations, known as the Common Rule, were promulgated in 1991.
With the ability to collect and analyze massive quantities of data related to human characteristics, behaviors, and interactions, researchers are increasingly able to explore phenomena in finer detail and with greater confidence. A major challenge for realizing the full potential of these recent advances will be protecting the privacy of human subjects. Drawing from their research findings and a forthcoming article articulating a modern approach to privacy analysis, the authors offer recommendations for updating the Common Rule to reflect recent developments in the scientific understanding of privacy. The suggested revisions ultimately aim to enable wider collection, use, and sharing of research data while providing stronger privacy protection for human subjects. (The full comments can be viewed and downloaded from Regulations.gov.)
Specific recommendations include:
Incorporating clear and consistent definitions for privacy, confidentiality, and security.
Providing similar levels of protection to research activities that pose similar risks.
Relying on standards and requirements that recognize the limitations of traditional de-identification techniques, the inadequacy of binary conceptions of “identifiable” and “publicly-available” information, and the significance of inference risks to privacy.
Creating a new privacy standard based not on a binary identifiability standard, but on the extent to which attributes that may be revealed or inferred depend on an individual’s data and the potential harm that may result.
Requiring investigators to conduct systematic privacy analyses and calibrate their use of privacy and security controls to the specific intended uses and privacy risks at every stage of the information lifecycle.
Addressing informational risks using a combination of privacy and security controls, rather than relying on a single control such as consent or de-identification, and adopting tiered access models where appropriate.
Forming an advisory committee of data privacy experts to help the Secretary of Health and Human Services develop guidance on applying privacy and security controls that are closely matched to the intended uses and privacy risks in specific research activities.
The authors argue that addressing these issues will help lead researchers towards state-of-the-art privacy practices and advance the exciting research opportunities enabled by new data sources and technologies for collecting, analyzing, and sharing data about individuals.
The comments were prepared by Alexandra Wood (Berkman Center), Edo Airoldi (Harvard University), Micah Altman (MIT Libraries & Brookings Institution), Yves-Alexandre de Montjoye (Harvard University & MIT), Urs Gasser (Berkman Center & Harvard Law School), David O’Brien (Berkman Center), and Salil Vadhan (Harvard University).
About the Privacy Tools Project
Funded by the National Science Foundation and the Alfred P. Sloan Foundation, the Privacy Tools for Sharing Research Data project is a collaboration between researchers at the Center for Research on Computation and Society, the Berkman Center for Internet & Society, the Institute for Quantitative Social Science, and the Data Privacy Lab at Harvard University, as well as the Program on Information Science at MIT Libraries.
This broad, multidisciplinary project brings together expertise in computer science, statistics, social science, law, policy, and data management to build tools to enable the collection, analysis, and sharing of social science research data while protecting the privacy of individual subjects. This research seeks to translate the promise of robust, formal measures for privacy and data utility from the theoretical computer science literature into a set of integrated practical tools and methods for privacy-protective data sharing.
Executive Director and Harvard Law School Professor of Practice Urs Gasser leads the Berkman Center’s role in this exciting initiative, which brings the Center’s institutional knowledge and practical experience to help tackle the legal and policy-based issues in the larger project.