Supporting Responsible Research and Data Protection
Scientific research is often dependent on access to personal information, whether collected directly from individuals or collected for a real-world use and then accessed for research. For research to be trusted, processing of personal information must be lawful, ethical and subject to privacy and security protections. Supporting responsible research is a priority for FPF:
- Data held by companies is often essential for research, so we develop best practices for access to corporate data and ethical review structures to provide oversight.
- Machine learning techniques can raise issues of research transparency and fairness and bias, so we work on methods to identify and counter bias.
- De-identification can reduce the risks involved with research, so we work to advance de-identification that supports the utility of data.
- We work with policymakers to develop legislative protections that support research with strong safeguards.
- We develop and support leadership networks to facilitate privacy-protective data sharing and working partnership opportunities between academic researchers and industry practitioners.
- We work to ensure access and protections for cross border data flows for research.
Access to Corporate Data & Ethical Review
Data held by companies is useful for researchers striving to discover new scientific insights and expand human knowledge. When corporations open their data stores and responsibly share this data with university researchers, they can support progress in medicine, public health, education, social sciences, computer science, and many other fields.
But access to the data needed is often unavailable due to a range of barriers – including the need to connect with appropriate partners, protect privacy, address commercial concerns, maintain ethical standards, and comply with legal obligations.
Issuing best practices and contract guidelines for companies sharing data with researchers. The Best Practices for Sharing Data with Academic Researchers were developed by the FPF Corporate Academic Data Stewardship Research Alliance, a group of more than two dozen companies and organizations. The best practices favor academic independence and freedom over tightly controlled research, and encourage broad publication and dissemination of research results, while protecting the privacy of individual research subjects. Specific best practices include having a written data sharing agreement, practicing data minimization, and developing a common understanding of relevant de-identification techniques, among many others. In addition, FPF published Contract Guidelines for Data Sharing Agreements Between Companies and Academic Researchers. The guidelines cover best practices and sample language that can be used in contracts with companies that supply data to researchers for academic or scientific research purposes. FPF’s Corporate Academic Data Stewardship Research Alliance and these resources, including FPF’s report, Understanding Corporate Data Sharing Decisions, were supported by the Alfred P. Sloan Foundation.
Establishing the Ethical Data Use Committee (EDUC). Through the generous support of the Schmidt Futures Foundation, FPF is preparing to launch an independent ethical review panel to evaluate the risks and benefits of organizations’ data sharing projects with academic researchers. The Ethical Data Use Committee will conduct prospective reviews of research projects using data not explicitly gathered for research purposes, such as data shared by companies to academic researchers. The EDUC is designed to work in complement with the remainder of the research review process. The purpose of the EDUC review is to offer organizations recommendations to improve the privacy, security, and ethical profile of the research data that is not subject to review by other components of the research review infrastructure such as Institutional Review Boards or Institutional Biosafety Committees.
This work builds on FPF’s project, Beyond IRBs: Designing Ethical Review Processes for Big Data Research, supported by the Alfred P. Sloan Foundation and U.S. National Science Foundation, which brought together government, industry, civil society, and researchers in law, ethics, and computer science to consider ethical review mechanisms for data collected in corporate, non-profit, and other non-academic settings.
Building Communities of Practice
Honoring effective data-sharing partnerships for research and sharing best practices. The FPF Award for Research Data Stewardship is a first-of-its-kind award recognizing a research partnership between a company that has shared data with an academic institution in a responsible, privacy-protective manner. The 2020 award-winning partnership was between University of California, Irvine, Professor of Cognitive Science Dr. Mark Steyvers and Lumos Labs. In an FPF virtual event on September 22, 2020, Professor Steyvers and Bob Schafer, General Manager at Lumosity, discussed their award-winning collaboration and lessons learned for future data sharing partnerships between companies and academic researchers. The annual FPF Award for Research Data Stewardship is supported by the Alfred P. Sloan Foundation.
FPF has continued this award and is currently working on reviewing submissions and looks forward to announcing a 2021 winner in the early summer months.
Bringing the best academic privacy research into practice. Through its Applied Privacy Research Coordination Network, a project supported by the U.S. National Science Foundation, FPF introduces academic researchers to industry practitioners to develop working partnership opportunities and share best practices. This project builds on FPF’s first NSF-supported Research Coordination Network established to foster industry-academic collaboration on priority research issues identified in the National Privacy Research Strategy (NPRS) and inform the public debate on privacy. These projects have provided ongoing support to FPF’s Privacy Papers for Policymakers program which brings academic expertise to members of Congress and leaders of executive agencies and their staffs to better inform policy approaches to data protection issues.
Providing governments and researchers tools and guidance for evidence-based policymaking. Integrated Data Systems (IDS) use data that government agencies routinely collect in the course of delivering public services to shape local policy and practice. FPF and Actionable Intelligence for Social Policy (AISP) created the Nothing to Hide: Tools for Talking (and Listening) About Data Privacy for Integrated Data Systems toolkit to provide stakeholders with tools to lead privacy-sensitive, inclusive government IDS efforts. In addition, FPF worked with the Administrative Data Research Facilities Network (ADRF) to develop a guide for researchers and practitioners who want to share administrative data for evidence-based policy and social science research. FPF’s paper Privacy Protective Research: Facilitating Ethically Responsible Access to Administrative Data published in The Annals of Political and Social Science, Vol 675 (2018) outlines the infrastructures that will need to be built to make sure data providers and empirical researchers can best serve national policy needs. FPF’s work on administrative data research was made possible by the support of the Alfred P. Sloan Foundation.
Exploring Legal Structures and Policies to Support Processing Personal Data for Research
Hosting expert discussions about processing personal data for research under the GDPR. The topic of the Brussels Privacy Symposium 2020, organized by FPF and the Brussels Privacy Hub of Vrije Universiteit Brussel (VUB), was “Research and the Protection of Personal Data Under the GDPR.” The symposium, which brought together a mix of industry practitioners, academic researchers, policymakers, and international data protection regulators, focused on striking a balance during the Covid-19 pandemic between the utility of research, on one hand, and the rights to privacy and data protection on the other. Panelists discussed strategies to mitigate risks to data protection in scientific research, including vulnerabilities related to AI and machine learning systems; consent structures; and the role of international frameworks and cross-border data flows. In a closing keynote, European Data Protection Supervisor Wojciech Wiewiórowski discussed the need to intensify the dialogue between Data Protection Authorities and ethical review boards to develop a common understanding of what qualifies as scientific research, and on codes of conduct for it.
Examining country-level legal frameworks for secondary uses of healthcare data. On January 19-20, 2021, the Israel Tech Policy Institute (ITPI), an FPF affiliate based in Israel, co-hosted a virtual workshop in collaboration with the Organization for Economic Cooperation and Development (OECD) and the Israel Ministry of Health (IMoH), titled “Supporting Health Innovation with Fair Information Practice Principles.” The workshop furthered international dialogue on issues critical for the successful use of health data for the benefit of the public, focusing on the implementation of privacy protection principles and the challenges that arise in the process. The discussion included lessons learned during Covid-19. It provided an opportunity for delegates of the OECD Health group (HCQO) and the OECD Data Governance and Privacy in the Digital Economy group (DGP), together with experts in these fields, to discuss progress made toward implementing the 2017 OECD Recommendation on Health Data Governance, and to contribute to the ongoing review of the 2013 OECD Privacy Guidelines. Specific topics discussed included:
- Significant national health data governance reforms implemented recently by four countries, which lead legal and operational reforms to strengthen health data governance. These examples were viewed in the context of the WHO Global Strategy on Digital Health.
- Safeguards for health data sharing to promote innovation while protecting people’s privacy. These may include: 1) ethical review board oversight; 2) de-identification; 3) administrative, technical, and contractual safeguards; and 4) safeguards around cross border data flows.
- Privacy by Design and state-of-the-art solutions for safeguarding digital health data against unauthorised access and use. The mechanisms available are context-dependent and present unique benefits and limitations.
- Individual & community perspectives on using health data for research. Some focus on alternative legal bases, other than consent, for the secondary use of patient data for research, and the imperative to respect the individual’s interest alongside that of the community and society.
The workshop was attended by delegates from approximately 40 governments from all over the world, as well as industry and academia participants.
In conjunction with the OECD event, FPF and the Israel Tech Policy Institute have conducted a study (to be published soon) on the laws underpinning secondary uses of healthcare data for research purposes in eight countries: Australia, England, Finland, France, India, Ireland, Israel, and the U.S. We found large commonalities across legal systems and regimes, permitting secondary use of healthcare data for research purposes under certain conditions, such as review by ethical boards, proper de-identification, and other administrative, technical, and contractual safeguards. Still, differences and ambiguities remain around specific situations such as the use of ‘Consent’ or other legal bases allowing data processing, the level of anonymization and de-identification employed and how it is regarded in different countries, and a variety of approaches to transborder data flows and data localization requirements.
Guidance to government, companies and civil society on responsible data sharing in a public health crisis. FPF launched its Privacy & Pandemics series immediately after the COVID-19 pandemic began to provide information and guidance to governments, companies, academics and civil society on responsible data sharing to support public health. As a featured part of the series, FPF’s Corporate Data Sharing Workshop on March 26, 2020 convened ethicists, academic researchers, government officials and corporate leaders to discuss best practices and policy recommendations for responsible data sharing. FPF’s international tech & data conference in October 2020, presented in collaboration with the US National Science Foundation, Duke Sanford School of Public Policy, SFI ADAPT Research Centre, Dublin City University, and Intel Corporation, produced a roadmap for research, practice improvements, and development of privacy-preserving products and services to further inform responses to COVID-19 and prepare for future pandemics and crises.
Summarizing U.S. federal and state laws that apply to health data research. As a resource for policymakers, researchers, and ethicists, FPF canvassed federal and state laws and regulations regarding health data research. Regulations like the Common Rule include a wide range of protections, but only apply to certain situations, while other safeguards are triggered by high-stakes research or particularly sensitive categories of data or vulnerable research subjects.
Educating policymakers on the value of data for research and strategies for oversight. FPF has shared model bill language with lawmakers developing comprehensive privacy laws in California, Washington, and Virginia to encourage them to both protect data-driven research and create oversight by requiring it to be approved, monitored, and governed by an independent oversight entity.
Exploring how the GDPR can work for health scientific research. On October 22, 2018, FPF, together with the European Federation of Pharmaceutical Industries and Associations (EFPIA), and the Centre for Information Policy Leadership (CIPL) hosted a workshop in Brussels, “Can GDPR Work for Health Scientific Research?,” to discuss the processing of personal data for health scientific research purposes under the European Union’s General Data Protection Regulation (GDPR). The workshop identified several challenges that researchers are facing when trying to comply with the GDPR, such as identifying the appropriate lawful ground for processing personal data for clinical trials and for secondary use of health data for health scientific research purposes, the relationship between the EU Clinical Trials Regulation and the GDPR, or the lack of clarity surrounding institutional responsibility and the role of ethical committees.
Providing guidance to US-based higher education institutions on how to align their research and educational activities to the GDPR. In May 2020, FPF released “The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions.” The report includes a 10-step checklist with instructions for executing an effective GDPR compliance program. Many of the case studies and examples used in the report focus on academic research. It is designed to assist both organizations with established compliance programs seeking to update or refresh their understanding of their obligations under GDPR, as well as those that are still in the process of creating or sustaining a compliance structure and seeking more in-depth guidance.
Advancing tools to support responsible research in artificial intelligence. To facilitate discussions around bias in artificial intelligence, FPF produced a framework to identify, articulate, and categorize the types of harm that may result from automated decision-making; see Unfairness by Algorithm: Distilling the Harms of Automated Decision-Making (December 2017). FPF has recently provided resources and guidance to state policymakers on this topic.
Sharing methods and techniques for de-identification. FPF is recognized for its signature expertise in de-identification, publishing A Visual Guide to De-Identification (April 2016), as well as law review articles like Shades of Gray: Seeing the Full Spectrum of Practical Data De-identification, 56 Santa Clara L. Rev. 593 (2016).
Facilitating ethically responsible access to administrative data for privacy protective research. A paper titled Privacy Protective Research: Facilitating Ethically Responsible Access to Administrative Data was featured at a Bill and Melinda Gates Foundation funded workshop along with other white papers written by researchers and practitioners that help inform the development of a roadmap identifying what data infrastructures need to be built to ensure that data providers and empirical researchers can best serve national policy needs. The paper – by FPF CEO Jules Polonetsky, FPF Senior Fellow Omer Tene, and Alfred P. Sloan Foundation Vice President and Program Director Daniel Goroff – provides strategies for organizations to minimize risks of re-identification and privacy violations for individual data subjects.