This question pertains to research protocols that require the analysis of existing data for secondary purposes or protocols where new data is being collected in de-identified form. An example of the former is when a protocol requires the analysis of data from a disease registry. An example of the latter is when the study involves the observation of an event or procedure and all data collected during that observation is considered to be de-identified.
In the current version of the Canadian TCPS (Tri-Council Policy Statement), the answer to the above question is no. The TCPS is the document used by Research Ethics Board (REBs) to guide their conduct. It is only a guidance document as REBs in Canada are currently not regulated. However, in practice, REBs do try their best to follow the TCPS.
There are at least two ways that REBs implement the guidance of not having to review de-identified data. Both of these are in use today by Canadian REBs.
In the first approach the REB form has a checkbox question asking the investigator if the data is de-identified. If the investigator checks that box then the REB does not review the protocol and it is automatically approved. The reasoning is that it is de-identified data and therefore there is no requirement to review the protocol. However, the problem with this approach is that the decision as to whether the requested data is de-identified or not is made by the investigator. The investigator has a vested interest in the claim that the data is de-identified. Therefore, the investigator is not the best person to make a subjective self-declaration about identifiability. Also, the decision on whether a particular data set is de-identified or not is not that trivial, and most investigators do not have expertise in the topic of identifiability. Therefore, even if their motives are absolutely pure and there is not a conflicted bone in their being, an investigator would still be challenged to make a self-declaration without a careful and perhaps sophisticated analysis of the data set. In such a case, such self-declaration would be considered suspect.
This first approach is often taken because of resourcing. It provides a way for the REB to reduce its workload by not having to address protocols which are deemed to be lower risk compared to other types of protocols (e.g., those that involve some medical intervention or treatment). However, this can have considerable risks.
In the second approach that is sometimes used, if the investigator makes the self-declaration that the data set is de-identified then the protocol goes through an expedited review by the REB (or sometimes referred to as a delegated review because a sub-committee reviews it on behalf of the full board). If during this expedited review there are questions about whether the data collected/disclosed is truly de-identified, then the protocol may go through a full board review. This second approach is much more sensible and addresses the concerns that are raised with the first approach described above because there remains some oversight. In another article we discuss practical ways for the REB to practically implement a process for deciding whether a data set is de-identified.
A more general issue that is raised, however, by not requiring REB review of protocols dealing with de-identified data is that it provides a mechanism for protocols not to receive proper oversight. Even if a protocol will only require truly de-identified data, there are group harms that are not addressed by the identifiability question. For example, if a protocol deals with a sensitive health issue for an aboriginal group, and there is a real risk that the results may stigmatize that group. Or consider a study of pollution in a particular neighborhood which may have a negative impact on insurance and housing prices for people living in that neighborhood. In both of these cases the protocol may collect or analyze only truly de-identified data. But the protocol should still go through an REB review nonetheless because of the group harm concerns. An institution which adopts the first approach above would essentially provide a loophole for group harms in protocols with de-identified data.
Therefore, the general recommendation for REBs to allow them to manage risks appropriately is to use expedited reviews for protocols that are self-declared to be with de-identified data. The purpose of the expedited review is to provide oversight on these self-declarations and to check for other ethical issues, such as group harms, which may be relevant for the particular protocol even if the data are de-identified.
The
author(s) retain all copyright to this knowledgebase article. Please
include a citation to the web page if you reuse this material. More information is available at our lab web site: http://www.ehealthinformation.ca/.
Categories