Data Sharing in Nursing: What Researchers Need to Know November 9, 2015 Caitlin Bakker, Research Services Librarian |

(Selected) Data Services at the U Libraries ● data management consultations ● DMPTool and templates ● workshops and customized training for groups AHC IS ● provides secure, on-site data storage ● tools and data analysis through the CTSI Portal OIT ● computing and networking services, including storage options ● security tools and guidance OVPR ● online workshops on research data management and intellectual property

NIH’s Proposed Changes to Data Management Requirements ● Available at Plan.pdf (section on research data begins on page 23) Plan.pdf ● In response to the White House Office of Science and Technology (OSTP) memo from February 2013 ●Federal research funders with $100M in annual funding must develop a strategy that “improves the public’s ability to locate and access digital data resulting from federally funded scientific research.... [The data] should be stored and publicly accessible to search, retrieve, and analyze.” ● Builds on the Data Sharing Policy (2003) and the Public Access Policy (2008) ● Changes will come into effect January 2016

Significant (Proposed) Changes ● All grant applications* will require data management plans which will include: ● Description of the data being collected or produced, mechanisms for securing and storing data, provisions for protecting privacy and intellectual property, etc. ● Researcher’s plans to share their data (emphasis on existing, public repositories) ● Progress reports will be reviewed to ensure compliance with data management plans ● The merits of data management plans will be considered during the peer review process * Excluding grants unlikely to generate data (e.g., training grants)

Not all data should be shared ● Data that is protected by law (HIPAA, FERPA, FISMA) ● IRB restrictions obligate you to secrecy or confidentiality ● When release would seriously jeopardize the privacy of subjects ● Data with potential commercial value (e.g., patentable information) ● Prior to publishing a paper or releasing the results ● When data is proprietary or subject to other agreements (e.g., data retrieved from the Clinical Data Repository)

1.Name 2.All geographic divisions smaller than a state 3. 1.All elements of dates, except the year (includes date of birth, admission date, discharge date, date of death, etc.) 2.All ages over 89 (aggregate category of individuals 90 and older) 4.Phone number 5.Fax number 6. address 7.Social security number 8.Medical record number 9.Health plan number 10.Account numbers 11.Certificate or license numbers 12.Vehicle identification/serial numbers, including license plate numbers 13.Device identification/serial numbers 14.Universal resource locators (URLs) 15.Internet protocol (IP) addresses 16.Biometric identifiers 17.Full face photographs and comparable images 18.Any other unique identifying number, characteristic, or code Privacy & Sensitive Data There are 18+ HIPAA identifiers

Deidentification: The process of removing or obscuring any personally identifiable information to minimize the risk of disclosure of individual participants. One Caveat: “Data can be either useful or perfectly anonymous but never both” 1 1. Ohm P. Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review. 2010;57(6):

Privacy & Sensitive Data Direct ● Variables that directly identify an individual (e.g., name, SSN, ) ● Usually collected only when necessary or removed before analysis Indirect ● Variables that in combination could identify an individual (e.g., number of children, a rare medical condition) ● No set list of variables, depends on your data set and what other data sets are available

Prior or During Collection ● Get consent to share and avoid overly restrictive language in the informed consent process ● Some suggestions for language are available here: ment/confientiality/conf-language.html ment/confientiality/conf-language.html ● Don’t “identify” in the data creation process ● When recording audio, do not use names, place of employment, or other information ● Arrange with participants to use pseudonyms ● For audio and video, bleep out names and blur faces or other identifying characteristics

After Data Collection Some Potential Strategies: ● Eliminate the variable entirely from the dataset ● Recoding variables into broader categories ● Top-coding (restricting the upper range of a variable) ● Match unique cases on the indirect identifier, then exchange the values of key variables between the cases ● Be cautious of small subgroups and cases with outliers Best Practice: ● Clearly mark any replacements in the data using brackets, tags, or another consistent method ● Keep a secure copy of the non-anonymized data ● Create a log of all the replacements, aggregations, or removals made in each data file. Store this log file separately from the de- identified data

●ICPSR (Inter-University Consortium for Political and Social Research) - ● includes health and mental health related data resources ● U of M is a member, meaning that affiliated researchers have access to additional data ● Re3data (formerly Databib) - ● Search or browse for data repositories by subject, country, or type of data ● Datacite - ● Searches across multiple data repositories simultaneously ● Still in beta mode ● DRUM (Data Repository for the University of Minnesota) Other Options

●Does the funding agency or journal have a preferred repository? ●What type of data are accepted? ●Who can access the data? ●How is the data licensed? What are the terms and conditions of deposit and of use? ●Does the repository mint a DOI or offer a recommendation for how the data should be cited? ●Is the repository funded by a grant? If so, do they have a business model to sustain it over time (e.g., through fees)? ●Are they actively preserving the data for the long-term? Things to Think About

Questions?