Sunday, January 17, 2010

Privacy of Data is an Ongoing Concern

This week, just outside of Toronto, an unencrypted USB key was lost that contained the names, government-issued ID numbers and personal health information of more than 80,000 patients who visited a local H1N1 vaccine clinic.

Here's the story from CBC News:
Ont. privacy commissioner orders 'strong encryption' of health records
In December the Durham health authority, which is responsible for a large area east of Toronto, announced it had lost the medical records of thousands of people after a nurse misplaced a USB key at Durham region's headquarters in Whitby, Ont. The information on the USB key, also known as a memory stick, was not encrypted. The device contained data collected from more than 83,000 patients during H1N1 flu vaccination clinics in the region between Oct. 23 and Dec. 15.

On Thursday, Ontario privacy commissioner Ann Cavoukian said Durham must ensure the safety of patient records and ordered it "to immediately implement procedures to ensure that any personal health information stored on any mobile devices [laptops, memory sticks, etc] is strongly encrypted." Cavoukian made clear in her report that she expects every health authority in the province — not just Durham — to follow suit.
As Cavoukian notes, personal health information must be kept confidential. This includes (although Cavoukian doesn't explicitly say this) personal health information that is part of research data. The safeguard that she is urging all health authorities to implement (encryption) is something that ethics review boards should be urging researchers to use in order to protect the confidentiality of research data. And this, of course, doesn't just apply to personal health information, but to any research data about which a promise has been made to maintain confidentiality. We have become much more sensitive to the careful protection of health information (although this story indicates otherwise!) but there is a great deal of research that has nothing to do with health in which careful consideration must be given to protecting confidential data or identities, as promised in many processes of consent.

Simply advising researchers to encrypt electronic data isn't enough. Granted, it's better than just protecting your data with a password. But there are more things that researchers who use electronic data must be thinking about.

There are two questions about electronic data storage and security that ethics review boards must also ask researchers to think about, if they haven't already.

The first question is, where are the data being stored? The best-case scenario is always to store data locally, i.e. on secure servers that never require the data to be "moved" anywhere. Many hospitals and academic centres now have these and issue staff passwords and "space" on the servers so that data can be stored locally. Once you transport data electronically, even just to a non-local server, you increase the risk of that data being lost, manipulated, leaked or corrupted. This is particularly worth keeping in mind when research projects involve electronic surveys. Many electronic survey tools store data remotely, even outside of the country where the research is being conducted. Case in point: Survey Monkey. Survey Monkey has long been the choice of many researchers to collect information easily using an electronic survey. However, the fact that data are stored on servers within the USA and are therefore subject to the USA PATRIOT Act means that many non-USA researchers are now choosing Canadian-based, local survey tools.

The second question is how are the data being stored? If the data are stored on a local server accessible only to the researcher and research team via a password-protected desktop computer in a securely locked office, that's a very good start. The data doesn't have to be "transported" anywhere so it's difficult to lose it and it's reasonably inaccessible to others. If, however, the data is being stored on any kind of portable device such as a laptop or memory key — as data often are — then the data must be encrypted.

It's now very easy to buy a USB key that uses encryption to store data. If you happen to lose it, the data is virtually useless to others. These keys are much cheaper now and hold large amounts of data.

One final strategy is to always require that researchers store identifiable information separately from other kinds of data. Coding lists, consent forms and raw data should always be stored securely and separately.
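One way to carry out the separation described above, as an added example that is not part of the original post: the sketch below splits a data file into a coding list (study code plus identifiers) and a de-identified study file that carries only the study code. The column names, the sample records and the `P-` code format are assumptions constructed for illustration.

```python
import csv
import io
import secrets

# Constructed sample records (not real data); column names are assumptions.
RAW_CSV = """name,health_card,date_of_birth,vaccine_lot,reaction
Alice Example,1111-222-333,1980-02-01,LOT-A,none
Bob Example,4444-555-666,1975-07-19,LOT-A,sore arm
Alice Example,1111-222-333,1980-02-01,LOT-B,none
"""

IDENTIFYING = ("name", "health_card", "date_of_birth")


def split_records(raw_csv, identifying=IDENTIFYING):
    """Return (coding_list, study_data) as two lists of dicts.

    coding_list links a random study code to the identifying fields;
    study_data keeps only the code and the non-identifying fields.
    """
    codes = {}  # identifying tuple -> study code
    coding_list, study_data = [], []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        key = tuple(row[f] for f in identifying)
        if key not in codes:
            # Random code: unlike a hash of the ID number, it cannot be
            # recomputed by someone who guesses the identifier.
            code = "P-" + secrets.token_hex(4)
            while code in codes.values():  # regenerate on the rare collision
                code = "P-" + secrets.token_hex(4)
            codes[key] = code
            ids = {f: row[f] for f in identifying}
            coding_list.append({"study_code": code, **ids})
        rest = {k: v for k, v in row.items() if k not in identifying}
        study_data.append({"study_code": codes[key], **rest})
    return coding_list, study_data


def to_csv(rows):
    """Serialize a list of dicts so each part can be written to its own store."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    coding, data = split_records(RAW_CSV)
    print(to_csv(data))  # only this file travels with the analysis
```

The coding list is the sensitive half: it belongs on the most restricted, encrypted storage, apart from the study file.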

Hopefully none of these safeguards is news to most researchers and ethics review board members. They are, for the most part, not burdensome or time-consuming for the researcher. However, clearly, as the above story demonstrates, many are not paying attention to these quite easy-to-implement safeguards, resulting in deleterious effects: loss of trust, breaking promises of confidentiality, and the potential for significant harm.

Saturday, January 9, 2010

Journal Editors and Conflicts of Interest

A recent story in the Milwaukee-Wisconsin Journal Sentinel points to what seems like a new kind of potential conflict of interest in medicine. We've published stories on conflicts of interest in medicine and research more than once — stories about ghostwriting, about asking authors to declare potential conflicts of interest, about med schools tightening up their conflict of interest policies, a story on personal relationships between drug reps and physicians and, most recently, a story on the appointment of a Pfizer VP to CIHR's Governing Council. But this time, the story focuses on someone in a different role with a clear conflict of interest — a journal editor.

Thomas Zdeblick, a University of Wisconsin orthopedic surgeon, took over as editor-in-chief of The Journal of Spinal Disorders and Techniques in 2002 while he was working with Medtronic (which he continued to do) in developing, researching and patenting spinal implants. And making millions of dollars in royalties for the patented spinal implants that he then wrote about and published in a number of articles over the last seven years, all published in his own journal.

Here's a link to the story, in the Milwaukee Sentinel: Journal editor gets royalties as articles favor devices
It would be the beginning of a beautiful friendship.

In the years to come, Zdeblick would receive more than $20 million in patent royalties from Medtronic for spinal implants sold by the company. And the medical journal he edited would become a conduit for positive research articles involving Medtronic spinal products, a Journal Sentinel analysis found.

Dozens of studies that mentioned Medtronic products have been published while Zdeblick has been editor. But in issue after issue, readers of the journal were not told that he was receiving millions of dollars in royalty payments from Medtronic at the same time.

Most of the time the articles, including some co-authored by Zdeblick himself about devices for which he gets royalties, had good things to say about the Medtronic products. Only on a small number of occasions did the articles find major problems with Medtronic devices.
It's clear that Zdeblick had a conflict of interest and that he was not forthright with readers about this conflict, both in his role as author and his role as editor — according to the article, his relationship with Medtronic was not disclosed in any articles or editorials. Certainly, journals do and should ask authors to declare any potential conflict of interest. And it's obvious that having a vested financial interest in the success of a device should put up a red flag for anyone assessing the author's ability to be objective about such a device. But that role — assessing the author's objectivity and asking questions about relationships — is really the role of an editor along with an editorial board and assigned reviewers. But according to the Sentinel, Zdeblick never declared his relationship with Medtronic and it seems, until now, no one asked.

While there has been plenty of discussion over potential conflicts of interest for authors and researchers, little attention has been paid to editors of journals who have a great deal of control over what research gets published. The representative for Wolters Kluwer (who publishes the journal) and the rep for Medtronic, both cited in the article, feel that there is no need for concern though. Their reassurance, however, is based on the claim that the journal is "independent and peer reviewed" through "strict processes". Processes which are controlled by the editor-in-chief, who also happens to have co-authored a number of the articles, etc. etc.

Unfortunately, it seems like it's hardly news anymore when a conflict like this is revealed. In this case, while it seems unique as we're highlighting a journal editor instead of say, a researcher or an author, it's the same theme time and time again. Lack of transparency and accountability. No one asking the obvious questions. In this case, one is left wondering about the roles of the editorial board and the reviewers who would have encountered and reviewed article after article, co-authored by the editor-in-chief, about Medtronic spinal implants. It seems like no one had any backbone, until now, to ask questions about this.

As of today, Zdeblick is still listed as editor-in-chief of the journal. We'll keep you updated on this story as it develops.