Skip to main content
PMC home page
NIHPA Author Manuscripts logoLink to NIHPA Author Manuscripts
. Author manuscript; available in PMC: 2013 May 1.
Published in final edited form as: J Empir Res Hum Res Ethics. 2012 Oct;7(4):1–9. doi: 10.1525/jer.2012.7.4.1

Certificates of Confidentiality: Legal Counsels’ Experiences with and Perspectives on Legal Demands for Research Data

Leslie E Wolf 1, Lauren A Dame 2, Mayank J Patel 3, Brett A Williams 4, Jeffrey A Austin 5, Laura M Beskow 6
PMCID: PMC3640418  NIHMSID: NIHMS457863  PMID: 23086043

Abstract

The Certificate of Confidentiality (Certificate) is an important tool for protecting identifiable, sensitive human subjects research data in the United States. However, little is known about the Certificate’s effectiveness in protecting identifiable data. We interviewed 24 legal counsel representing U.S. research institutions about their experiences with legal demands for research data. Our respondents reported few, if any, legal demands over the course of their tenure, but two-thirds had experience with legal demands for data protected by a Certificate. They reported such demands often were resolved without disclosure of identifiable research data, typically without court intervention. While our respondents reported similar success protecting identifiable data in court, they often did not rely on the Certificate to do so.

Keywords: certificate of confidentiality, subpoena of data, First Amendment rights, compelled disclosure, promises of confidentiality

Boston College Researchers, who interviewed members of the Irish Republican Army as part of an oral history project, promised each participant that interviews would be kept confidential until after the participant’s death. They contend that no one would have participated in their project without that promise because of the potential for criminal prosecution by authorities or retaliation—even death—from elements of the IRA for sharing their experiences. However, after the British government sought production of two of the interview transcripts in hopes that the information would aid in the investigation of an unsolved 1972 murder, the researchers discovered the challenges to keeping confidentiality promises in the face of a legal demand, e.g., through subpoena, for data (Jaschik, 2011). Despite their promises to participants, a U.S. District Court judge in Boston ordered the researchers to produce the documents (ibid.). Although the two researchers appealed the court’s decisions, Boston College chose not to appeal because one participant had died, ending the confidentiality protection, and the other reportedly had admitted her involvement in the murder (ibid.; Reuters, 2012; McDonald, 2012). The appellate court has affirmed the lower court’s ruling requiring production (Associated Press, 2012), although the researchers are seeking a rehearing of the decision (UTV News, 2012). Both Boston College and the researchers, separately, have appealed the judge’s subsequent order to produce additional transcripts (Fitzpatrick, 2012).

Researchers commonly make promises of confidentiality like those in the Boston College oral history project. As in that project, such promises are often essential to persuade people to share sensitive information that could be legally, economically, or socially damaging to them, but that is vital to answering medical, public health, or other important research questions. For human subjects research in matters that fall within a mission area of the National Institutes of Health, one important tool for protecting identifiable, sensitive information is the federally issued Certificate of Confidentiality (Certificate). The National Institutes of Health (NIH) have recommended them for a range of research topics (U.S. Department of Health and Human Services Office of Extramural Research, National Institutes of Health, 2011a). The researchers at Boston College did not have a Certificate, and it is not clear whether their study would have even qualified for one, but the dramatic dispute over their research data highlights the kinds of struggles over data that can arise in a wide range of research on sensitive topics, including those for which Certificates are available. Initially authorized in 1970, Certificates are intended to protect against compelled disclosure of identifying information about research participants “in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings” (42 U.S.C. § 241(d) (2011); U.S. Department of Health and Human Services Office of Extramural Research, National Institutes of Health, 2011b). However, little is known about how effective Certificates are in protecting identifiable data. There are few reported cases involving legal demands for research data protected by a Certificate, in part because such disputes often are resolved out of court and those that do require a judicial resolution generally do not lead to published decisions. Given the limited information about Certificates in case law, we interviewed legal counsel representing research institutions across the country about their understanding of Certificates and their experiences with legal demands for research data, with a primary focus on those cases involving a Certificate.

Method

This project is part of a larger study on the use and understanding of Certificates, which included a national survey of IRB Chairs and follow-up interviews with a subset of those Chairs (Beskow et al., 2012). A description of the overall project and resulting papers is available at http://genome.duke.edu/research/society/beskow/. We contacted legal counsel for study participation if: (1) the IRB Chair at their institution responded in our survey that their institution has experienced a legal demand; (2) we, through independent research in legal databases of trial court motions and orders and in general Internet search engines, identified a case at their institution involving a demand for research data protected by a Certificate; or (3) we were referred to them by another counsel who participated in an interview. We also contacted legal counsel at U.S. institutions listed on both the American Association of Medical Colleges’ (AAMC) list of medical schools and the American Public Health Association’s (APHA) list of public health schools, starting with those institutions that had received the most NIH funding and continuing until we reached saturation. Counsel were contacted initially by e-mail, which included an IRB-approved information sheet describing the study. We followed up by e-mail and telephone if we received no response to our initial e-mail.

For counsel who agreed to participate, we (L.E.W. and L.A.D.) conducted interviews by telephone. The interviews were semi-structured and typically lasted between 30–45 minutes. We asked questions about legal office policies regarding confidentiality and legal demands, knowledge about Certificates, experience with legal demands for research data, recommendations for protecting data against demands, and opinions about the importance of demands and the significance of specific interests in responding to demands. Interviews were recorded with participant permission and professionally transcribed for coding and analysis. Three team members (M.J.P., B.A.W., and J.L.A.) independently coded the transcripts using a codebook developed for this project and then met to resolve any discrepancies. Coding and analysis was conducted using ATLAS.ti.

Results

Participants

We interviewed 24 counsel from June 2011–February 2012. These included 8 of 14 participants identified through our IRB survey, 3 of 6 identified through our independent searches (one of these also was identified through our IRB survey), 10 of 16 from the AAMC/APHA list (and not already identified by other means), and 3 referrals. Of the 40 counsel we approached, 3 were not interviewed because of lack of relevant experience, 8 did not respond to our invitation or follow-up contacts, and 5 refused participation (often due to lack of time), for a participation rate of 65%.

Although they had a variety of titles, almost all of the participants were employed as attorneys for the institution, except for two who represented the institution but were not employed directly by it. Almost 90% of participants had five or more years’ experience (range 1.5–26, mean = 10) in their current position.

Role in Policy Development

The vast majority (21/24) of respondents reported having a role in development of research-related policies at their institutions. Many stressed that their involvement constituted only a supporting role, but a handful reported that they are involved, as one respondent explained, “right from the beginning in determining what areas are ripe for policy development.” (P19) This involvement was facilitated by regular contact with their institution’s IRB, including attending IRB meetings or participating on committees with IRB members and other institutional groups, as reported by over half (14/24) of respondents. In contrast, others reported that they are available on an ad hoc basis to respond to legal inquiries as the IRB or others draft research-relevant policies. As one respondent commented, “We don’t create policies ourselves. We look them over and help in terms of whether there might be some regulatory concerns.” (P2)

A similarly large majority (21/24) of counsel indicated they had participated in the development of policies regarding confidentiality protections for research data, although much of their involvement pertained to compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy rules or similar state confidentiality requirements.

Experience with Legal Demands

Most counsel (15/24) indicated that their office or institution did not have a formal policy regarding how to respond to legal demands for data, although most of these said they had informal practices and expected that they would hear of any legal demands. The seven counsel whose offices or institutions did have formal policies all described them as requiring subpoenas to go to their office.

Respondents had a range of experiences with legal demands for research data involving human subjects. Three-quarters of our respondents reported receiving only a few, if any, legal demands over the course of their tenure. However, six respondents reported receiving two or more demands per year. About forty percent (10/24) felt that the frequency of demands has remained constant in recent years, but about one-fifth (5/24) believed that demands have become more frequent, citing the rise in multi-district litigation and greater awareness by plaintiffs’ attorneys of litigation uses for research data as possible factors to explain the increase. The remaining respondents (9/24) had no opinions about changes in frequency of legal demands, typically because they experienced few demands.

Certificate Cases

Nearly two-thirds of counsel (15/24) had experience with legal demands for data protected by a Certificate. Although we sought as much detail about cases as possible, we did not ask respondents to access their case files. Thus, they mostly provided information based on their recollection. In some circumstances, counsel spoke about specific cases they remembered, whereas in others they spoke about their general experience.

In general, counsel indicated that in most cases, identifiable data protected by a Certificate was not disclosed. Eight counsel indicated that their cases involving legal demands for data were resolved without court intervention, typically by simply informing the requester about the Certificate and its protections. “I can think of a couple of occasions where we’ve had a Certificate and we’ve shown [it] and given them a little information about it and they just go away.” (P10) One counsel noted he could often “convince [the requester] that they don’t need data related to the research study.” (P12)

Counsel described several cases that involved court hearings and did not result in data disclosure. For example, counsel mentioned two cases where they relied on other confidentiality protections, not the Certificate, to protect the data. “We really actually thought we had a strong case for protecting the data [on other grounds], and in fact that’s what happened.” (P12) In explaining why they rely on protections other than the Certificate, one counsel stated: “I guess the prevailing thought or position is that we don’t want to challenge [Certificates] in court and set precedent for the court saying they’re not protective.” (P1) In a third example, the case touched only tangentially on the Certificate, and the case was ultimately dismissed without any argument needed about disclosure of data.

However, counsel also discussed several cases that involved disclosure of data covered by a Certificate. In one of the cases mentioned, the participant consented to the disclosure. In another, the requested information was released after negotiating a compromise among all interested parties, including the participant’s family members, because it contained potentially mitigating evidence for a death penalty case involving the participant’s brother. The only case described by counsel where data were released pursuant to a court order involved a child abuse case in which the court determined that, because the state department issuing the subpoena already knew the participants’ identities, the Certificate did not apply.

Counsel described only a few cases that sought research data generally; the majority of cases involved data specific to an individual. As one counsel stated, “the [demands] that touch Certificates of Confidentiality are much closer to people’s lives.” (P3) Indeed, counsel reported that most cases were brought by an individual and involved a civil lawsuit, such as a personal injury case or divorce or custody matters in which the research data might be relevant (e.g., by providing information about health status, mental health status, illegal drug use, or even income information). Only a couple of cases that counsel discussed involved demands from law enforcement; in one case, officers investigating a theft at the facility where the research was conducted sought information about participants who might have been present on the day of the theft, but the institution did not provide the data. In the other, the computers containing the data were seized, but the data were not accessed.

Non-Certificate Cases

A large majority of counsel (20/24) described experiences with legal demands for data from studies without a Certificate. Overall, they described success in protecting identifiable research data, even in the absence of a Certificate. Over half indicated that data were not disclosed in the cases with which they were familiar. Counsel reported that in the cases they described, they had successfully asserted a variety of claims, including First Amendment claims, similar to journalist privilege; arguing that the discovery would chill future research and/or unduly burden the research; or that the privacy invasion was not outweighed by public interest. Counsel at public institutions noted that they had also successfully relied on exceptions for ongoing research contained in state public record request laws.

Our respondents identified several circumstances where disclosure occurred most commonly. These included situations where the data were either already non-identifiable or the court issued a protective order that required removal of identifiers prior to disclosure. Such protective orders can also restrict who may see the data and its use beyond the specific case for which it was subpoenaed. Other circumstances where data were disclosed were when the person to whom the data pertained either consented to the disclosure or had brought a lawsuit that put the data at issue (e.g., brought a claim against the researcher or the institution).

Knowledge about Certificates

We asked respondents to describe, in their own words, how they understood the Certificate’s protection, as well as any exceptions. Many described the Certificate as providing very strong confidentiality protections. For example, one respondent said, “It provides that under no circumstance do you provide information to anybody in any way, shape or form.” (P27) Similarly, another respondent replied, “[the Certificate] is basically a ‘I don’t have to talk to you’ card for subpoenas, for law enforcement investigations, for agency investigations and the like.” (P28) On the other hand, some counsel were less certain of the protections, as illustrated by the following comment: “I don’t think we have enough information. I personally have not seen enough case reports or other kinds of reporting from which I would be able to make a determination about whether the broad statement [about Certificate protections] is overly comprehensive or underly broad.” (P26)

Half described Certificates as protecting against compulsory demands (e.g., subpoenas) (12/24) and just over one-third mentioned protecting identifiable information (9/24), key elements of the Certificate. Three incorrectly said that the Certificate protects all the research data, whereas only three specified that the Certificate does not protect all the data, but rather only identifiable data, “contrary to some people’s assumptions.” (P15)

As for exceptions to a Certificate’s protections, half the counsel (12/24) correctly identified voluntary disclosures, such as reporting of child abuse, or disease reporting, whereas only 7/24 identified participant consent and only 4/24 mentioned government audits. Only one participant identified all three of these exceptions. However, as one participant explained, “I would have to look [the information] up. That’s usually my answer to almost everything.” (P18)

Considerations and Concerns about Protecting Data

We asked respondents to rate “how important do you think the issue of legal demands for research data is for your office,” to which the majority of respondents reported that it was very (50%) or somewhat (21%) important. The following quote reflects the perspective of many of these respondents: “It may not happen all the time, but when it does, it’s critically important. It’s the entire trust in the enterprise.” (P12) The few who responded not very important (26%) and not at all important (4%) commonly explained their response as referring to how often it arises, rather than the importance of the issue overall. As one respondent explained, “In terms of frequency with which it comes up, … I would say ‘not very important.’ In terms of getting it right when it comes up, I would say ‘very important.’” (P19)

We also asked respondents to rate how significant certain factors were to their views of how demands for research data should be handled. As reflected in Table 1, virtually all respondents considered research participants’ interests to be most significant to how demands for research data should be handled. The fact that counsel assigned less significance to researchers’ and institutional interests did not mean that they did not value these interests. It was just that, as one respondent explained, “we would not protect the institution at the expense of any of these other considerations.” (P21) As others explained, in response to a question about minimizing litigation, “we don’t want them in litigation but it’s not our motivating drive here” (P2) and “my primary focus is … the protection of the human subjects.” (P26) One-third of counsel considered minimizing cost as not very or not at all significant. However, one of these raised some practical concerns and questions about the role of the federal government: “One of the really important questions to ask is if it got to a point where there was going to be litigation, where is the government? … Because I believe the institution would stand behind a Certificate … if there was a real challenge … But [limited resources may limit legal offices’ ability to respond] … [I]n an ideal world … it would be very clear that the government would immediately either assist with, or even take over at the request of an institution, a case in order to protect the underlying privacy of the individuals and so forth.” (P12)

Table 1. How Significant Are Certain Factors to Legal Counsel Views of How Demands for Research Data Should Be Handled?*.

Responses
Factors Very
significant		 Somewhat
significant		 Not very
significant		 Not at all
significant
Protecting research participants’ confidentiality 96% 4% 0% 0%
Keeping promises to research participants 100% 0% 0% 0%
Protecting the reputation of the researcher 50% 42% 9% 0%
Protecting the reputation of the institution 57% 39% 5% 0%
Minimizing risks to or litigation involving the researcher 52% 38% 10% 0%
Minimizing risks to or litigation involving the institution 54% 38% 4% 4%
Minimizing costs to the institution 21% 46% 21% 13%
Open in a new tab
*

May not total 100% due to rounding.

Counsel raised numerous issues in response to our question of what concerns, if any, they had about legal demands for research data. Nearly half (11/24) identified concerns about keeping promises of confidentiality. As one noted, “If we’re making promises to subjects that we’re going to keep their data confidential, then we need to keep those promises because if people lose confidence in us, they’re not going to participate in research.” (P25) Another common concern counsel raised (9/24) was about whether Certificates would prove to protect as promised. As one counsel described, “I worry about the extreme cases. And I worry about having one of those cases end up going up on appeal and the limits of a Certificate really being tested in the worst [case in terms of facts].” (P10) One counsel wanted “improved clarity from the federal agency as to [the institution’s] authority to really rely 100 percent on [NIH’s] promise [in issuing the Certificate].” (P18) Another wished “there was a method of protecting the data itself” (P15), not just identities, as her state’s law did. One counsel noted “a vague concern that if [Certificates] are asserted over-broadly, they will be considered a bar to reasonable law enforcement and discovery efforts. And that that could actually serve in the long term to erode the robustness of the Certificate.” (P26)

Seven counsel expressed concerns about legal demands potentially chilling certain types of research, unduly burdening or interfering with research, and being used deliberately to silence some types of research. As one counsel described, “[t]he most significant risk is that external requests could somehow distort how research is being done … . Our primary goal is in insulating the researchers from any of those impacts so that it doesn’t create distorting effects on how they do their work.” (P7) Similarly, another counsel indicated wanting protection to allow “a researcher to do his or her research unimpeded so that they don’t feel like they have to think about, ‘well if I collect this data, am I going to get a subpoena somewhere down the road ’.” (P5) One counsel pointed to the “time and effort and emotion” that is expended in responding to a subpoena. (P3)

As described in more detail elsewhere (Check et al., 2012), six counsel indicated they were concerned about the description of a Certificate’s protections in the consent form. As one described, “many universities face this issue in that the NIH wants informed consent documents to speak fairly strongly and clearly about the amount of confidentiality provided and IRBs often want to hedge it because they are concerned [that] a court interpretation might not be as strong as the NIH would hope.” (P7)

Six counsel expressed concern about the lack of knowledge about Certificates by researchers, legal counsel, and judges. One commented, “Courts don’t seem to be terribly familiar with them currently because they just don’t have much experience with them.” (P26) Additional concerns, expressed by three counsel each, included whether data disclosure will harm researchers’ ability to publish their research, administrative questions about Certificates (e.g., who signs? what is a “project” for purposes of the Certificate?), and inconsistent guidance from the NIH. With respect to the latter, counsel raised concerns about NIH language regarding “voluntary” compliance with state mandatory reporting laws (e.g., for child abuse), when they thought the reporting was obligatory, as well as concerns about what was acceptable consent language (Check et al., 2012).

Recommendations for Protecting Data

We asked counsel what recommendations they had for researchers to best protect their data. Six reaffirmed the value of Certificates in protecting data and encouraged their use. One expressed frustration that her IRB seemed to recommend them infrequently: “I don’t know how to get it onto their radar screen, because in some ways, they don’t really see the consequences on the other end … . They don’t have a role [when a subpoena comes in] … . I think if they had to experience some of the anguish about that, they’d be thinking about it more often.” (P2) Eight respondents expressed the need to educate researchers about all available types of data protections: “I think sometimes researchers are not aware of protections or steps they can take.” (P1). According to one respondent, education is needed to manage researchers’ expectations regarding confidentiality, so they understand they cannot “cloak [their data in] … the Harry Potter cloak of invisibility.” (P3) Another commented that education must extend to all members of the research team who are handling the data, not just principal investigators.

Counsel mentioned several specific steps, in addition to Certificates, that researchers could take to protect their data. These included “security 101” steps, such as encrypting electronic data, limiting the number of copies of data available and the number of people who have access to it, storing electronic data on firewall-protected computers, physically segregating data (e.g., from the medical record), coding and delinking codes at the first available opportunity. Counsel noted that some steps, such as limiting who has access to data, can conflict with academic norms and NIH directives about data sharing. Counsel also described including expectations about data privacy in contracts with collaborators and consent forms as a way of documenting parties’ intentions. Two counsel pointed to state laws that provide additional protections for research data as a whole, not just identifiable data.

Discussion

There are few reported legal cases involving a challenge to a Certificate. The best known is People v. Newman (People v. Newman, 32 N.Y.3d 379 (1973), cert. denied, 414 U.S. 1163 (1974)), in which a witness to a murder told police she had seen the murderer in a methadone treatment and research clinic. The grand jury subpoenaed patient photographs from the clinic, but the court upheld the director’s refusal to produce them because the methadone clinic had a Certificate. While the result in this case was that the Certificate “worked” to protect sensitive information, the court’s legal analysis did not focus in any detail on the nature or scope of a Certificate’s protections, and thus does not provide much guidance for understanding the strength of Certificates. A few years later, another methadone clinic holding a Certificate was required to produce patient records because the patient waived the protection; he wanted the records disclosed to avoid criminal charges for possessing the methadone (People v. Still, 48 A.D.2d 366 (1975)). In a more recent case, a criminal defendant subpoenaed research records in an attempt to discredit a witness against him (North Carolina v. Bradley, 634 S.E.2d 258 (2006)). Although the court ultimately determined that the defendant was not entitled to the records, the court did not address the question of whether the Certificate protected the data. Moreover, some disclosure of identifiable research data did occur (with court-ordered limitations on use) for use in the defendant’s appeal of his conviction (Beskow, Dame, & Costello, 2008;North Carolina v. Bradley, 634 S.E.2d 258 (2006)).

Our interviews with counsel indicate that legal demands for human subjects research data protected by a Certificate may be more common than these three reported appellate cases would suggest. Nevertheless, based on our interviews, it appears that Certificates are not often tested in the trial courts. In many circumstances, our respondents reported they were able to avoid production of identifiable data protected by a Certificate by informing the requester about the Certificate. Whether this disclosure persuades the requester that the data are inaccessible or that gaining access would be more trouble than the data are worth, the result is the same—the confidentiality of the data is preserved. In some other circumstances, counsel were able to persuade the requester that the research data were not relevant or were available from other sources, and, thus, confidentiality of the data—at least as kept in research files—is maintained.

When legal demands for research data have gone to court, the counsel we interviewed were often successful in protecting identifiable data from disclosure, even without a Certificate. Interestingly, no one described a case in which they argued against data production based on the Certificate’s protection and won. Indeed, counsel who described going to court to protect research data typically relied on other arguments, such as state privacy laws or the undue burden of the request on a non-party, even when the study had a Certificate. While our interviews suggested that counsel were frequently able to avoid any production of data, in situations where data have been produced, identifiers typically are removed, pursuant to negotiation or court order. These experiences are reassuring, but they do not address the uncertainty about whether courts will uphold the Certificates’ protections reflected in many counsels’ comments during our interviews.

Based on our objective questions about Certificates, it appears that counsel are not particularly knowledgeable about Certificates’ protections and exceptions. This is not surprising given that three-quarters of the counsel we interviewed saw only a few legal demands for human subjects research data, with or without a Certificate, in their careers. Moreover, as one interviewee indicated, counsel can and should familiarize themselves with the provisions when such demands arise. However, because subpoenas often arrive without warning and require quick responses (9A Fed. Prac. & Proc. Civ. § 2457 (3d ed.) [noting Phalp v. City of Overland Park, 2002 WL 1162449 (D.C. Kansas 2002) held that eleven days’ notice was sufficient for document production]), counsel need access to reliable information about Certificates to help them respond appropriately. The NIH does provide some assistance in this regard. The NIH’s online “Certificates of Confidentiality” kiosk has information about the authorizing statute and references a 1973 case involving Certificates, but the statutory language is not included and the case name and citation is omitted, details that counsel need (U.S. Department of Health & Human Services Office of Extramural Research, National Institutes of Health, 2011c). The kiosk also indicates that the “NIH Legal Advisor is willing to discuss the regulations with the researcher’s attorney” if a legal action is brought to release identifiable information protected by a Certificate. Although some of the counsel we interviewed expressed a desire for NIH to take a more proactive approach when demands are made for information protected by a Certificate, it seems unlikely that it would defend against a subpoena on behalf of an institution. However, it could provide more resources to assist counsel with responding to such demands, including specific information about the limited case law on the subject, sample motions, and supporting documents for seeking to protect the identifiable data.

Providing this background information may help avoid misunderstanding of Certificates, an example of which is evidenced in one court case (Murphy v. Philip Morris Inc., 2000 U.S. Dist. LEXIS 21128). In Murphy, the court’s published opinion described a researcher’s obligation to protect confidentiality by referring to the Certificate statute, as if it were a standard obligation (like that imposed by the Common Rule) (45 C.F.R. § 46.111(a)(7)), rather than a special protection granted in response to an application for a specific study. It appears that the court adopted this argument from the legal briefs prepared by counsel involved in the case.

The counsel we interviewed expressed a strong commitment to protecting research participants at their institutions. They took seriously research demands for identifiable research data, emphasizing the need to keep promises made to participants. In addition, while they clearly valued Certificates as a tool for protecting participants’ confidentiality, they pointed out other ways to protect confidentiality. For example, counsel emphasized the need to implement basic security measures and to ensure all members of the research team understand their obligations, not just the principal investigators. Finally, they pointed to state laws that sometimes provide greater protection than Certificates.

Our study is the first to provide information about counsel experiences with legal demands for human subjects research data, but has limitations that need to be kept in mind. While we targeted some of the largest academic institutions conducting the most medical and public health research, we interviewed a relatively small number of legal counsel. There may be others with more or different experience than the counsel with whom we spoke, although we found that new themes did not emerge in our later interviews. In addition, we relied on counsel recollections for information about cases involving legal demands. Although counsel may have reviewed case files before our interviews, we did not require them to do so nor did we request access to them because case files are generally protected by attorney-client privilege and the attorney work-product doctrine. Some, but not all, case materials may be available in courthouses; however, there is no systematic way to identify or access this information. Accordingly, our interviews provide important information about experiences with legal demands for research data unavailable from other sources that enhance our understanding about the use of Certificates to protect identifiable, sensitive data.

Best Practices

Our findings suggest several practical steps that should be taken to protect sensitive research data. First, protection should begin with project design; researchers should take advantage of all data security measures, including, but by no means limited to, Certificates when appropriate, and ensure that all members of the research team adhere to those measures. IRBs should evaluate the data security plan and training as part of their protocol review. Second, institutions should have policies to ensure prompt responses to subpoenas for research data, including established procedures that researchers should follow if they receive a subpoena directly. In developing these policies, institutions should consider having researchers notify their IRB and, if applicable, their project officer and the Certificate coordinator at the NIH institute issuing their Certificate because of the potential threat to data confidentiality, in addition to appropriate legal counsel. Third, counsel need access to information about legal strategies that have been successful in protecting research data. Because this information is rarely available in reported cases, the shared experiences, such as those collected here, are vital; NIH and professional organizations, such as the National Association of College and University Attorneys and the American Health Lawyers Association, should help to gather and communicate those experiences so that they are available to institutional counsel when they need them.

Research agenda

Our study provides important information about counsel experiences with legal demands for data protected by a Certificate, but additional research is needed to quantify how often such demands occur and characterize how institutions respond to them. Because of the challenges involved in identifying cases and relying on memory, it would be ideal to collect information about each instance in which research data involving human subjects is sought as they arise and the outcome of each demand. Such information could help us understand, for example, how many demands are resolved informally versus how many demands require court intervention, and, in either circumstance, what data, if any, are disclosed. In addition, our study indicates a need for research to better understand how research participants understand Certificates based on the information contained in the consent form and whether changes are needed to that language to enhance prospective participants’ ability to make informed decisions.

Educational Implications

Our study highlights the importance of training for investigators and their team members in data security measures. It also suggests a need for education of counsel, and other stakeholders, such as IRB staff and members, about Certificates’ protections and limitations. While such information may not need to be a part of routine training, accurate, in-depth information must be accessible when needed. The NIH Certificate Kiosk is an important resource is this regard, although, as in indicated in our discussion above, we believe that additional details could make it even more valuable.

Acknowledgments

The project described was supported by Award Number R01HG005087 from the National Human Genome Research Institute (NHGRI). The content is solely the responsibility of the authors and does not necessarily represent the official views of NHGRI or the National Institutes of Health. None of the authors has any conflict, financial or otherwise, to declare.

We would like to thank our expert advisory group for their input through this project: Mark Barnes, JD, LLM, John Falletta, MD, William E. Freeman, JD, Bernard Lo, MD, Jon Merz, MBA, JD, PhD, Lawrence Muhlbaier, PhD, Pearl O’Rourke, MD, Mark Rothstein, JD, Marjorie Speers, PhD, and Jeremy Sugarman, MD. We would also like to thank our colleagues on the project, Kevin Weinfurt, Alexandra Cooper, Emily Namey, and Devon Check, for their input and support.

Authors’ Biographical Sketches

Leslie E. Wolf is Professor of Law at Georgia State University College of Law and the Center for Law, Health & Society. She led the legal component of this NHGRI-funded study on Use and Understanding of Certificates of Confidentiality, which continues her prior empirical work on Certificates and in research ethics generally.

Lauren A. Dame is Associate Director, Genome Ethics, Law & Policy at Duke University’s Institute for Genome Science & Policy, and a Senior Lecturing Fellow at Duke Law School. She has research interests in research ethics and privacy. She participated in the study design and the data collection and analysis, as well as contributing substantively to this paper.

Mayank J. Patel is a 2012 graduate of Georgia State University College of Law. He conducted background legal research, contributed to data analysis, and participated in the writing of this paper.

Brett A. Williams is a 2012 graduate of Georgia State University College of Law. She conducted background legal research, contributed to data analysis, and participated in the writing of this paper.

Jeffrey L. Austin is a 2012 graduate of Georgia State University College of Law. He conducted background legal research, contributed to data analysis, and participated in the writing of this paper.

Laura M. Beskow is Assistant Research Professor at Duke University’s Institute for Genome Science & Policy. She has conducted empirical research on research ethics issues, including extensive work on biobanking and informed consent. She is Principal Investigator for the NHGRI-funded study on Use and Understanding of Certificates of Confidentiality and participated in the study design and data analysis, as well as contributing substantively to this paper.

Contributor Information

Leslie E. Wolf, Georgia State University

Lauren A. Dame, Duke University

Mayank J. Patel, Georgia State University

Brett A. Williams, Georgia State University

Jeffrey A. Austin, Georgia State University

Laura M. Beskow, Duke University

References

  1. 9A Fed. Prac. & Proc. Civ. § 2457 (3d ed.) (noting Phalp v. City of Overland Park, 2002 WL 1162449 (D.C. Kansas 2002) held that eleven days’ notice was sufficient for document production).
  2. 42 U.S.C. § 241(d) (2011).
  3. 45 C.F.R. § 46.111(a)(7).
  4. Associated Press . Court: Interview with IRA car bomber for Boston College oral history project can be released. The Washington Post: Jul 6, 2012. [Google Scholar]
  5. Beskow LM, Check DK, Namey EE, Dame LA, Lin L, Cooper A, Weinfurt KP, Wolf LE. Institutional review boards’ use and understanding of Certificates of Confidentiality. PLoS One. 2012;7(9):e44050. doi: 10.1371/journal.pone.0044050. [DOI] [PMC free article] [PubMed] [Google Scholar]
  6. Beskow LM, Dame L, Costello EJ. Research ethics: Certificates of confidentiality and compelled disclosure of data. Science. 2008;322(5904):1054–1055. doi: 10.1126/science.1164100. [DOI] [PMC free article] [PubMed] [Google Scholar]
  7. Check DK, Wolf LE, Dame LA, Beskow LM. IRB chairs’ views about the effects of Certificates of Confidentiality on consent forms and processes. Submitted for publication. 2012 [Google Scholar]
  8. Fitzpatrick B. Boston College plays waiting game on PSNI ruling for IRA tapes. 2012 IrishCentral.com, April 9. Retrieved from http://www.irishcentral.com/news/Boston-College-plays-waiting-game-on-PSNI-ruling-for-IRA-tapes--146580995.html.
  9. Jaschik S. Oral history, unprotected. Inside Higher Ed. 2011 Jul 5; Retrieved from http://www.insidehighered.com/news/2011/07/05/federal_government_questions_confidentiality_of_oral_history.
  10. McDonald H. U.S. appeal court to rule on IRA interview tapes disclosure. The Guardian. 2012 Apr 4; [Google Scholar]
  11. Murphy v. Philip Morris Inc., 2000 U.S. Dist. LEXIS 21128.
  12. North Carolina v. Bradley, 634 S.E.2d 258 (2006).
  13. People v. Newman, 32 N.Y.3d 379 (1973), cert. denied, 414 U.S. 1163 (1974).
  14. People v. Still, 48 A.D.2d 366 (1975).
  15. Reuters Kerry reaches out on Northern Ireland ‘Troubles’ records. 2012 Jan 27; Retrieved from http://www.reuters.com/article/2012/01/27/us-usa-britain-ira-id USTRE80Q27R20120127.
  16. U.S. Department of Health and Human Services Office of Extramural Research, National Institutes of Health Frequently asked questions: Certificates of Confidentiality. 2011a Jun 20; Retrieved May 7, 2012 from http://grants.nih.gov/grants/policy/coc/faqs.htm.
  17. U.S. Department of Health and Human Services Office of Extramural Research, National Institutes of Health Certificates of Confidentiality: Background information. 2011b Jan 20; Retrieved May 7, 2012 from http://grants.nih.gov/grants/policy/coc/background.htm.
  18. U.S. Department of Health & Human Services Office of Extramural Research, National Institutes of Health Certificates of Confidentiality Kiosk. 2011c Jun 28; Retrieved May 31, 2012 from http://grants.nih.gov/grants/policy/coc/
  19. UTV News Boston College IRA tapes rehearing bid. UTV Live News. 2012 Retrieved from http://www.u.tv/News/Boston-College-IRA-tapes-rehearing-request/fa92beb1-40a5-4adf-ba3f-5146e526af86.

RESOURCES