The Department of Heath and Human Services is planning to revise what it calls the Common Rule – the regulations overseeing federally funded research involving human subjects. These regulations were last updated in the early 1990s, so the proposed changes try to catch up with the advances in research and in computing since that time.
The proposed changes are in two major categories. The first is a series of revisions to procedures for Institutional Review Boards (IRBs) and the types of research that must undergo various levels of review. The other major category is in data and information protection. With the changes in computing storage and the increasing ease of re-identifying information that was stripped of identifying characteristics, increased data security measures were needed.
In connection with ACM’s Special Interest Group on Computer-Human Interaction (SIGCHI) and the Institute of Electrical and Electronics Engineers – USA (IEEE-USA), USACM submitted comments in response to the proposed rules. Some highlights from the recommendations in our comments:
- Require data security and information protection standards. The relative lack of privacy and security in consumer data systems is part of the reason there have been over half a billion data records breached in over 2,700 publicly reported incidents since 2005. These incidents have included research and medical institutions. Increasing the amount of data stored and accessed will require additional data security and information protection practices. The consequences of a breach of human subjects research information are such that a mandate or some other means of ensuring universal adoption of best practices in data security and information protection is essential.
- Make sure regulations do not unintentionally restrict research on anonymity, security and privacy. Minimizing the re-identification of de-identified data is a worthwhile objective for these regulations. However, such a regulation should not also restrict research on anonymity, privacy or security that would involve de-identifying and/or re-identifying. Consider this a parallel to so-called red team testing of computer systems, where every effort is made to break the system tested to improve it.
- Insist on uniform application of data security and information protection rules. In the course of research, information on human subjects can be transmitted to other parties besides the researchers who were originally subject to these regulations. Transfer to a third party must not reduce the protections accorded to collected information under these regulations.
- Allow for means of updating regulations to reflect research results and changes in best practices.
The last major changes to these regulations were twenty years ago. In a young field like computing, new kinds of research and new subfields can emerge in that time. Should this emerging work bring additional risks to human subjects, there needs to be a way to incorporate new findings into existing regulations without taking the time for a major rulemaking. The same is true for changes in best practice in data security and information protection.
The proposed changes are part of an advanced notice of proposed rulemaking, meaning that there should be another opportunity for the public to comment on new regulations, once the Health and Human Services Department has reviewed the input so far.