Safeguarding donors’ personal rights and biobank autonomy in biobank networks: the CRIP privacy regime
- 229 Downloads
Governance, underlying general ICT (Information and Communication Technology) architecture, and workflow of the Central Research Infrastructure for molecular Pathology (CRIP) are discussed as a model enabling biobank networks to form operational “meta biobanks” whilst respecting the donors’ privacy, biobank autonomy and confidentiality, and the researchers’ needs for appropriate biospecimens and information, as well as confidentiality. Tailored to these needs, CRIP efficiently accelerates and facilitates research with human biospecimens and data.
KeywordsBiobanks Governance Infrastructure Networks Privacy
Today biomedical and pharmaceutical research requires the selection and analysis of large numbers of human biospecimens. These must be of high quality and for each sample a substantial amount of clinical data must be available to fulfil the requirements of the underlying study protocol. This of course leads to an attrition of available samples to appropriate samples—never the less a large enough number of appropriate samples must be available in order to fulfil statistical validation requirements. Therefore, sample selection must start out from larger and larger initial collections in order to outweigh the attrition (Waltz 2007) resulting from the selection criteria applied.
Biobanks containing a large number of high quality samples—especially human tissue—are in the process of being set up in order to offer critical and highly sought-after resources for research. Research projects today demand “clinical cohorts” which often can only be provided by the largest biobanks in Europe or by entering into inter-institutional co-operations. Hence, the recommendation from Asslaber and Zatloukal (2007) that transnational, European and global biobank networks need to be established in order to foster scientific progress. Nevertheless, European biobanks are still widely fragmented with regard to technical, ethical, legal, and quality standards (European Science Foundation 2008).
Over the past few years, in the interests of fostering the necessary harmonization and standardization of biobanks, a variety of guidelines and Best Practice papers have been published,1 some of them by biobank networks and associations like ISBER2 and ABN3 and others by intergovernmental organizations like the OECD,4 to name but a few. However, beyond harmonization and networking, it is essential for biobank-based multi-centre projects that an elaborate common infrastructure and attuned workflow permitting access to sufficient amounts of often dispersed clinical data and material in a timely and cost-efficient manner be facilitated. Therefore, biobank networks must also be comprehensively organized and constituted with regard to their management and governance, as well as their access, confidentiality, and privacy regimes.
Thus we propose to introduce the concept of “meta biobanks”, which are currently being constituted e.g. in North America,5,6 and Europe,7,8,9 and which rely on their own ICT architecture and infrastructure, and are in contrast to “biobank networks” which collaborate on a more incidental and voluntary basis. The term “meta biobank” shall apply to biobank infrastructures exclusivelymanagingdata on biospecimens collected from, stored at and shipped from the partners’ institutes10 and serving to acquire research projects for them.
A centralistic versus federated (Yuille et al. 2008) approach is discussed for the European biobanks’ common ICT architecture. The concept of pooling all the data necessary for a detailed search from the participating biobanks in a cumulative central database is hampered particularly by ethical and legal regulations (e.g. the donors’ privacy rights, the principle of data sparing11) and the current lack of databases’ interoperability. Besides, such a centralistic approach would result in “building the haystack higher in order to find more needles” and yield only limited added value. Instead, we propose that researchers define the specific project needs first before searching databases of biobanks and that in-depth (yet anonymized) information on donors and specimens is provided for these highly focused project queries via networked local (clinical) databases only.
In 2007, Asslaber and Zatloukal already described the German-Austrian Central Research Infrastructure for molecular Pathology (CRIP)8, which was launched in October 2006, as “an example for transnational networking between tissue banks in Europe” and “a pilot project to solve technical, legal and ethical problems of transnational collation of human tissues and patient-related data.” CRIP is now an established and validated system.12 Thus, in this paper we describe its workflow, concept, and privacy regime as a use case and blueprint for meta biobanks and biomedical research infrastructures. CRIP was developed by a public–private consortium13 as a common research infrastructure for tissue banks at Institutes of Pathology and university hospital-wide biobanks.
CRIP constitution and workflow
At present, CRIP partners are four university hospitals14 maintaining tissue banks at their five15 Institutes of Pathology. As specified in the Database Contract (see below), CRIP partners regularly transfer data to a central database (“CRIP database”) which is maintained, developed and managed at Fraunhofer IBMT.16 The transferred data is focused on specific disease (as extracted from histopathology reports), for which specimens and data are available for research. The CRIP database covers the entire spectrum of diseases.
development and maintenance of the ICT network and data transfer,
compliance with legal and ethical requirements,
confidentiality of project requests, project content and agreements,
commitment of the Database Partners to follow common SOPs for prospective sample collection,
workflow and terms and
cost recovery and fees.
In addition to the CRIP partners and central management at Fraunhofer IBMT, CRIP’s interdisciplinary Advisory Board17 is constituted as third independent body in the Database Contract.
a semi-automated workflow for extraction of this data from clinical records held by CRIP partners, anonymization, transfer to and regular update of the CRIP database,
- a web-based interactive search tool for the CRIP database allowing for an elaborate project design including
selection of cases for which matching samples (e.g. blood/tissue) are available,
use of specific scientific services provided by the CRIP partners and
independent central ICT and administrative management at Fraunhofer IBMT.
CRIP partners are equipped with software tools (“Inhouse Research Database” or IRDB; see step 1 in Fig. 1) to extract research relevant data from their electronic medical records.
The IRDB imports pseudonymized (see18) data, stores and anonymizes this data subsequently ready to be exported into the CRIP database (step 2). Data is not exported automatically—export must be authorized on each occasion and triggered by CRIP partners who are bound by the Database Contract to provide updates on a regular basis. If a sample donor withdraws his/her consent, the IRDB allows for deletion of the pertinent dataset before the whole data is anonymized and updated in the CRIP database. In other words, to make withdrawal of consent effective, the CRIP partner deletes the withdrawing donor’s dataset in the IRDB and uploads all the respective (updated) IRDB-data to the CRIP database, thereby completely replacing all data previously exported to the CRIP database.
By browsing CRIP (step 3), registered users retrieve statistical information (“pool of cases”, step 4) on the overall number of available cases meeting the criteria and requirements specified in their search query. This specification (in other words the parameters established by this search) characterizes the retrieved pool and is subsequently forwarded to the CRIP partners as the user’s “search profile”. It can also be stored and recalled with the user’s next login to CRIP.
Once users have retrieved a pool of cases, they may require in-depth information on that pool of cases on-line (step 5). For this purpose, the user’s search profile is transferred to the CRIP partners who initially contributed cases to the retrieved pool, and the search is repeated on the CRIP partners’ local IRDBs which mirror the data they previously exported to the CRIP database. Thus, CRIP partners can quickly retrieve and review pertinent cases and samples in their institute enabling them to file a substantiated project proposal.
Compiled proposals from all CRIP partners involved in the user’s pool of cases are delivered to the user within 10 working days (step 6) through CRIP and negotiation of multi-centre project agreements between CRIP partners and users is supported by CRIP management (if requested).
As soon as CRIP users and partners agree upon the cost recovery terms for a project initiated via CRIP, Fraunhofer IBMT is informed of this agreement and entitled to charge pre-agreed remuneration dependant on the total project volume.
acquire or process personal data
acquire or process human material
perform any research involving human beings or human material.
Hence, use/operation of the CRIP database has been deemed not to require approval by an Ethical Review Board (ERB) and/or any permission provided for by data protection legislation.
The CRIP partners’ biobanks must be approved prior to joining CRIP by their local ERBs and data protection commissioners and are operated under (slightly differing) local regimes in accordance with all relevant legal regulations. The partners need to have approval by their ERBs and responsible data protection authorities and provide evidence of these approvals before joining CRIP.
Although data protection legislation does not require permission be issued for the use of this data in the CRIP database, the overall CRIP data protection scheme21 was developed in close collaboration with the Data Protection Commissioner of the State of Berlin (Berliner Beauftragter für Datenschutz und Informationsfreiheit 2006) who acknowledged CRIP as a benchmark. The CRIP data protection scheme also complies with the “generic data protection concept” of the German “Telematikplattform für Medizinische Forschungsnetze” TMF e.V. (Reng et al. 2006).
In the hospital, the patient’s ID is removed and replaced by a pseudonym identifier processed by the IRDB software. Thus, only the hospital’s staff (who are bound by both professional confidentiality and specific confidentiality obligations) can re-establish the connect from sample to donor at a later stage—e.g. when reviewing material for a project request or annotating it with additional clinical data (e.g. on medication and clinical outcome).
Before export from the IRDB to the CRIP database, data is anonymized by the IRDB software. In addition, via the regular updates, all data from a specific CRIP partner is completely replaced and updated. This means that the same dataset is expected to be hosted in the CRIP database under another (randomly generated) number once data has been updated. Hence it is nearly impossible22 to trace back to a donor from the central CRIP database.
As search result, only the number of cases fulfilling the scientist’s search query is displayed. Therefore the CRIP search tool data does not disclose information on single cases or patients, or on single samples, or on contents of a specific biobank. In fact, a user cannot identify the partner biobanks contributing to a pool of cases. The scientist is nevertheless provided with sufficient information enabling decision making on the feasibility of the envisaged project on the basis of data originating from all CRIP partners’ biobanks.
If the user requests in-depth information by submitting a project request (Fig. 1, step 5), it is up to the CRIP partners to choose to participate in the proposed project or not. If they are interested in collaborating with the applying user they disclose their contact details (and possibly also any further proposals for the suggested project) only to the user applying for the project. This enables CRIP partners to keep under control the information which they distribute on their research interests and collected biospecimens. By this process (which also applies to CRIP partners searching the CRIP database), undue disclosure of information to competing biobanks or scientists is securely avoided (“Chinese walls” also exist between CRIP partners). In addition, the freedom of local biobank’s governance remains unaffected (see below).
The CRIP partners operate their local biobanks in accordance with all relevant applicable ethical and legal regulations.
At any given time, a donor’s dataset can be deleted from the IRDB and the central CRIP database should the donor choose to withdraw consent.
Data is anonymized by the IRDB software before being exported from the CRIP partner to the CRIP database.
Data from a certain CRIP partner is completely replaced and updated in the CRIP database with every update.
In the CRIP database, an “ethical filter” is in place preventing project requests from users for pools going below a certain number of cases from being forwarded to a specific CRIP partner. For example, if a CRIP partner’s ERB has decided that project requests for <20 cases must not be dealt with in the interests of privacy protection, a search profile yielding 18 cases will automatically not be forwarded to this partner by CRIP. This mechanism efficiently supports the CRIP partners’ local ERB’s decisions on the minimum number of cases allowed for projects and securely respecting their patients’ privacy.
The CRIP search tool’s software organizes datasets in pools before displaying them to users.
The latter measure in particular realizes what Forsberg et al. (2009) have generally claimed for large-scale biobank- based research: “The pieces are not studied individually for personal benefit, but are put together to create a picture, like medical registers are used to produce statistics and not individual information.”
Confidentiality, governance, and autonomy of partner biobanks
Joining a biobank network or a meta biobank always means an increased work load for the local biobank and clinical staff or may even require additional staff. Often there is no funding available and costs can be recovered only after long period of time if at all. Hence, acquiring a sufficient number of partners for a meta biobank not only requires an obvious benefit in scientific and/or economic outcome of the biobank but several caveats must also be considered:
For reasons of scientific and—if applicable—economic competition, information on envisioned and ongoing scientific work must usually be treated confidentially and of course this also applies to biobanks. However confidentiality may be jeopardized by meta biobanks:
From the detailed information on the content of a biobank one might easily draw—right or wrong- conclusions on its scientific and commercial value. Therefore, the demand to disclose detailed data on biobank contents to a broad scientific community deters many researchers maintaining biorepositories from participating in larger “biobank networks” or “meta biobanks”. This holds true even more for competing biobanks, be it in the scientific or in the industrial field (e.g. two tumor banks with frozen samples of the same tumor entity or two industrial biobanks). One might speculate if this “protectionism” is ethically sound for biobanks established and maintained with altruistic donations and public funds. Notwithstanding this dilemma, biobank managers will shy away from participating in “meta biobanks” as long as they are urged to disclose confidential information on their collections. Therefore the “Chinese walls” built by the CRIP database architecture are an essential prerequisite for the acquisition of further partners and the expansion of the infrastructure.
Local biobanks at different hospitals or institutes are governed in a slightly different manner, a phenomenon tellingly named the “heterogeneous patchwork” of biobank governance by Gottweis (2010): For instance, decisions on sample allocation are taken by the pathologist, by a clinician, by an advisory board or by other committee. Different procedures for this decision making (i.e. different “access rules”) are in place and are often the outcome of a long and difficult debate within hospitals/institutes. Therefore, superimposing a “biobank network” or “meta biobank’s” central rules or material allocation scheme on such local biobanks (as it is often proposed) would neither be accepted nor could it be managed in a timely manner. Instead, the CRIP workflow allows for different internal rules but secures timely delivery of proposals on project requests. This ensures that both the biobank needs of the users and of the CRIP partners are fulfilled.
Research projects can only be initiated successfully if the partners trust and respect each other’s scientific reputation. Therefore, researchers maintaining biobanks must also be allowed to decline a cooperation request without biobank users taking offence. In the CRIP workflow, the user has to take the first step by sending a project request to all CRIP partners who, whilst “hidden in the crowd”, are still entirely free to respond to the request or not and to take an autonomous decision on what kind of research they wish to support and take part in.
This procedure means all limitations individually recorded in the consent form (allowing for example research related to the donor’s disease only) can easily be respected without being generalized for all partner biobanks.
The “meta biobank” CRIP is managed independently and affiliated only with the not-for-profit Fraunhofer IBMT which does not compete with the CRIP partners: IBMT neither maintains a human tissue bank nor has it scientific interests of its own in the projects initiated through CRIP.
The Database Contract is concluded with all CRIP partners to secure equal rights and treatment for all of them. This is the basis for fair and fruitful collaboration of CRIP partners both amongst each other, with the CRIP Advisory Board, and with CRIP management, in order to further develop the CRIP infrastructure and workflow for health-related research.
CRIP partners are institutions governed by public law. They are not-for-profit organisations but are responsible for partial recovery of their research and infrastructure/manipulation costs.
CRIP is overseen and supported by an interdisciplinary “Advisory Board”. The Board acts independently according to its Rules23 which were agreed in 2006 when CRIP was launched. Since then, the Board has crucially helped to elaborate the regime outlined in this publication and will continue to do so. Usually, CRIP partners and invited guests (e.g. from industry or funding agencies) can participate in the Board’s meetings but have no voting power in decision taking on its opinions and statements.
In the long term, the infrastructure shall be operated self-sustainingly and will be further developed by Fraunhofer IBMT as a service to CRIP partners, the overall scientific community and to society.
To build “meta biobanks” without impairing patients’ (donors’) personal rights and local research institutions’ governance, confidentiality and autonomy, data aggregation must strike a balance between information to users, privacy of individuals and the interests of research institutions. We propose that this can be achieved with specifically developed tools in local databases interconnected via a central node. A standardized (narrow) set of parameters must be agreed upon for these tools and databases with users and partners. As demonstrated here within CRIP, such parameters support the dual function of both “publicizing” the clinical resources available for research and directing the researchers’ requests through an intelligent web-based interface to the institution holding these resources. The CRIP concept may be applicable to all kinds of biobank networks for medical research. With “meta biobanks” following this concept, it may be possible for future biomedical research to crucially enable and accelerate human biospecimen- based research projects—on a sound ethical and legal basis, and in an economically efficient form.
For an overview see: http://www.p3gobservatory.org/repository/guidelines.htm. Accessed March 25, 2010.
www.isber.org. Accessed March 25, 2010.
http://www.abrn.net/. Accessed March 25, 2010.
Organization for Economic Co-Operation And Development.
http://biospecimens.cancer.gov. Accessed March 25, 2010.
https://www.ctrnet.ca/. Accessed March 25, 2010.
http://www.dna-network.ac.uk/. Accessed March 25, 2010.
www.crip.fraunhofer.de. Accessed March 25, 2010.
www.bbmri.eu. Accessed March 25, 2010.
The UK DNA banking network, which Yuille et al. (2009) termed a “secondary biobank”, is managing samples and data originated by others (including storage and distribution of aliquots).
German Data Protection Act/Bundesdatenschutzgesetz § 3a.
More technical detailed information on CRIP data formats, database structure and software will be published separately.
Charité Universitätsmedizin Berlin, Klinikum rechts der Isar der TU München and Medizinische Universität Graz, funded by: German Federal Ministry for Education and Research (BMBF), the former German Industrial Association for the Promotion of Human Genome Research (Förderverein Humangenomforschung) and seven pharmaceutical companies (Altana, Bayer, Boehringer Ingelheim, Merck, Sanofi-Aventis, Schering, and Roche).
Charité Universitätsmedizin Berlin, Klinikum rechts der Isar der TU München, Medizinische Universität Graz and Universitätsklinikum Erlangen.
Charité has Institutes of Pathology at Campus Benjamin Franklin and Campus Mitte.
Fraunhofer Institut für Biomedizinische Technik/Institute for Biomedical Engineering, Postdam-Golm, Germany; www.ibmt.fraunhofer.de.
http://www.crip.fraunhofer.de/en/about/advisoryboard Accessed March 29, 2010.
In line with Knoppers and Saginur (2005), the German National Ethics Council (2004), and German legislation (German Data Protection Act/Bundesdatenschutzgesetz § 3 Abs. 6 + 6a), we term data “anonymized”, if the data have been pseudonymized and the user/researcher has no access to the code. Pseudonymized data is “coded” in the nomenclature proposed by Knoppers & Saginur (2005).
A specific case can be backed by one or more samples and types of specimen jointly harvested from an individual patient. A patient (i.e. a donor) can be represented by one or more cases.
For registration procedure see: http://www.crip.fraunhofer.de/htdocs/pdf/Access.pdf.
For details see: http://www.crip.fraunhofer.de/en/ethics_policy/data_protection.
Several concepts of minimizing the risk of donors’ re-identification are currently being discussed and evaluated (e.g. El Emam and Kamal Dakar (2008)). More detailed technical information on the concept implemented with CRIP will be published separately, see 12.
For the Rules’ text see: http://www.crip.fraunhofer.de/htdocs/pdf/Ordnung-1.pdf.
We thank Dr. Peter Hecht for stimulating discussions and critical revision of the manuscript. Work described here was supported by grants 01GR0601 and 01GR0701 of the German Ministry for Education and Research (Bundesministerium für Bildung und Forschung, BMBF).
- Asslaber M, Zatloukal K (2007) Biobanks: transnational, European and global networks. Briefings in Functional Genomics and Proteomics Advance Access published October 4, 2007, pp. 1–9. 10.1093/bfgp/elm023
- Berliner Beauftragter für Datenschutz und Informationsfreiheit (Ed., 2006): Jahresbericht 2006, Brandenburgische Universitätsdruckerei und Verlagsgesellschaft Potsdam mbH, Potsdam, p 129. See also: http://www.datenschutz-berlin.de/attachments/140/Jahresbericht_2006.pdf Accessed March 29, 2010
- Council of Europe (1997) Convetion on Human Rights and Biomedicine. http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=&CM=8&DF=1/23/2007&CL=ENG Accessed April 22, 2010
- European Science Foundation (2008) Science policy briefing: population surveys and biobanking. http://www.esf.org/index.php?eID=tx_ccdamdl_file&p[file]=17582&p[dl]=1&p[pid]=4052&p[site]=%20Science%20Foundation&p[t]=1272376814&hash=d41f243e99a528cd9836c0af194c5e75&l=en Accessed April 20, 2010
- Forsberg JS, Hansson MG, Eriksson S (2009) Changing perspectives in biobank research: from individual rights to concerns about public health regarding the return of results. Eur J Hum Genet. doi: 10.1038/ejhg.2009.87
- Reng CM, Debold P, Specker C, Pommerening K (2006) Generische Lösungen zum Datenschutz für die Forschungsnetze in der Medizin; Medizinisch Wissenschaftliche Verlagsgesellschaft, BerlinGoogle Scholar
- Yuille M, Dixon K, Platt A, Pullum A, Lewis D, Hall A, Ollier W (2009) The UK DNA banking network: a “fair access” biobank. Cell Tissue Bank doi: 10.1007/s10561-009-9150-3