Darren Gaddis (00:03): From CITI Program, I'm Darren Gaddis and this is On Campus. Today, what is data management and why is it important in research, common mistakes to avoid with data management, and modern challenges for data management. I spoke with Mariette Marsh, assistant vice president, Regulatory Affairs & Safety at the University of Arizona. She has oversight of the IRB, IACUC, HIPAA Privacy Program, Quality Program, Embryonic Stem Cell Research Oversight Committee, Radiation Laboratory Safety Services and Occupational Health. With over 20 years of experience in higher education administration, Mariette has a skillset that focuses on research ethics, flexible application of regulatory requirements, and organizational improvement. (00:54): As a reminder, this podcast is for educational purposes only. It is not intended to provide legal advice or guidance. You should consult with your organization's attorneys if you have questions or concerns about relevant laws and regulations discussed in this podcast. Additionally, the views expressed in this podcast are solely those of the presenter and do not represent the views of their employer. (01:16): Hi, Mariette. Thank you for joining me today. Mariette Marsh (01:19): Hi, how are you? Darren Gaddis (01:21): To get us started, what is data management and why is it important within research? Mariette Marsh (01:27): Data management overall is becoming an area of increased oversight and scrutiny by our federal regulators, as well as institution and organizations. Because of all of the data breaches, all of the phishing emails, because of everything that's happened in our technological world, there is increased concern about how we protect data that we collect for research projects, what we do with it and how we share it. So data management requirements are just going to continue to increase as we see this activity make its way in the form of regulation that institutions will have to adhere to. Darren Gaddis (02:04): When it comes to research, is the process of data management necessary to disclose to an IRB board when starting a new project? Mariette Marsh (02:14): The data management process really needs to be thought of at the beginning when you are developing your proposal. That's because several of our federal agencies have come out with data requirements to complete data management plans upon submission of the proposal for funding. And then in addition to that, when you submit an IRB protocol, the IRB is required to ensure privacy and confidentiality of data as appropriate for your specific research project. So IRBs are going to start requesting to see those data management plans as you plan the project, and they, for many years, have already required that you disclose to the IRB how you're protecting it, what you're doing with it, so that the IRB can ensure that the privacy and confidentiality of the information meets the approval criteria for the IRB. Darren Gaddis (03:02): From your experience, what are some common mistakes you have seen researchers make when it comes to data management? Mariette Marsh (03:09): Underestimating the volume of data that they have in terms of storage space, as well as a comprehensive plan to organize and access the data. We know that systems change over time. My VCR recording is ... old recordings no longer can even be played because we don't have a VCR. Well, the same happens with data and data management. Many times, I find that researchers are not thinking forward enough in terms of how they are going to share and store their data. A recommendation is to reach out to your local librarian at your institution. I have found that our librarians a remarkable knowledge and skill to help research teams think about future plans for the data that they collect. (04:04): Another common mistake also, which is getting less and less I think, is that we're not securing our data appropriately. Meaning, encrypting it, both at rest and in transit. And password protected flash drive is no longer an acceptable means to store sensitive information. So making sure you're aware of your institution's data security policies is another area where I see mistakes made. Darren Gaddis (04:31): How can someone ensure their research data is properly secured and managed? Mariette Marsh (04:37): Being familiar with your institution's processes and policies, platforms and secured resources. I know that you must have an information security office or officer, or a data security office. There's likely institutional level policies that exist and that you should, one, be knowledgeable of, two, implement in your research project, and three, ensure that they're used across the board when you're sharing with other researchers. Ensuring that your data is properly secured and managed, it is like learning a different language. So if you are not familiar with what you need to do, you need to be reaching out to the appropriate entity at your institution, or a consultant or another colleague who has experience in this area. Because it is only going to get more requirement, more secure, more access at the same time. There is a balance between the access and the security is where institutions get concerned, specifically IRBs. Darren Gaddis (05:38): With the evolution of blockchain, virtual research, artificial intelligence, and other technological advances, what are some modern challenges when it comes to data management? Mariette Marsh (05:49): I hinted at it a little bit and I think that is the ever-changing type of technology that exists. There are new startup companies, with new platforms, with new sorts of research, access, and use. There's wearables that have additional data. There's all of these advances that, frankly, the regulations aren't keeping up with. Regulations are usually five to 10 to 20 years behind what science is actually doing. So those advances make it difficult for an institution, like mine or yours, where you have pretty probably regimented processes in place about how we assess risk and how we look at data, that we are struggling equally to keep up with the type of changes in technology and advances. So there's some disconnect I think between the regulatory bodies and the regulations and the research practices that are happening. (06:49): Then when you add on to that just the complexity and the skill of hackers and people trying to get access to our systems, not all institutions have the same level of support or the same level of security because there is a huge cost and a huge lift to that. What we are finding is that the challenge is we can't keep up with how fast science is moving in this area, that the regulations will forever be behind, that the institutional offices and programs don't necessarily have the expertise to be able to judge what you're doing appropriately. (07:31): If we're thinking about, let's say human research, well, what are the risks and benefits of artificial intelligence and how does that play out in the long term? We frankly don't know. So we struggle, I think equally as hard. When you have a really wonderful research activity, but yet, you are using this technology, such as virtual research, artificial intelligence, and other advances that we have, be prepared to spend some time, one, educating I think your partners at the institution, as well as being open to engaging in dialogue about other ways or other things that may be equally successful for your research maybe not utilizing the technology. Expect it to be a conversation and probably expect some pushback. And expect some probably basic questions as the institutions and as the individuals gather really their own knowledge about it. Darren Gaddis (08:25): What are some resources typically available on an institution's campus which support proper data management? Mariette Marsh (08:33): I sure hope that wherever your research is done in your institution that you exist at, one, has a policy. I find that the smaller institutions may not have a very robust policy than the larger institutions. But then again, at the larger institutions, I find that they're so disorganized and decentralized, they don't have the policy either. So one, have a policy and be familiar with that policy. Two, as I mentioned, there hopefully is an information security office or officer. If you don't have that, I would reach out to your centralized IT infrastructure and ask where that is. Most institutions should have someone who is looking at their systems from a security perspective, from being hacked and accessed by parties that don't have authorized access. That could be a resource for you if you don't have someone available to you. (09:29): If your institution doesn't have these resources, I certainly would recommend that you seek out a consultant in the community around you or through peers that you have in terms of other best practices. Recommend that we don't just download random programs and just try using those because they may not be approved or authorized by your institution. Especially if you're dealing with something, for example, like protected health information, or even personally identifiable information, PHI or PII. Those are things that we might need to have specific agreements in place with these third party vendors that you might use. (10:07): In research projects, many times again, the researcher has this plan, this research activity. They say, "I'm going to need to store or access or create or use data." They might have a third-party vendor. Those vendors may need to be vetted by your institution. So resources, ultimately, hopefully there's a training, a data security training, a security awareness training that you might have to take. Again, that is all based on institutional policy. Some states have specific state laws regarding requirements for data protections, so there may be a need to reach out to the office of general counsel. They certainly should be able to point you in the right direction. Darren Gaddis (10:49): What else should we know? Mariette Marsh (10:51): Data oversight, as I kind of started out, is just increasingly growing. It's growing because of the changes in the regulations. It's growing because we know that we have the capability to start crunching larger and larger data sets. There's value in combining these data sets so that we can learn more and more about health, about wellness, about social behavioral issues. There's all sorts of reasons why we want to share and use this data. (11:22): Equally so, there's all sorts of reasons why bad actors want to access the data, and want to get into our systems because of the data platforms that we have, and the types of data that we have at our institutions. So you have to be a knowledgeable consumer. Just like anything, you have to read the end user license agreements. You have to do your due diligence when you're researching a vendor that you may want to use for your specific research project. Being a knowledgeable consumer, not only of those sorts of third-party businesses but of your own institutional policies and practices, really are ... will set you on the right foot. Will set your research project, in reaching out early to the various programs and offices to talk to them. If you have a very complicated research project, reaching out early to the IRB, to the privacy office, to the general counsel office, to the information security program, whatever name that might hold at your specific institution will make your research more successful. (12:22): It's all that pre-planning that ultimately will make it easy down the line. Because once you actually have the data and you've put it somewhere, if you want to move it or change it, or have collected it in a way that it's not searchable and usable, then the whole research activity really is kind of a moot point. We would rather have you be successful at the beginning. From where I sit as an administrator of various programs, I'd rather you be successful at the outset. So let's talk early and let's talk often. That's the advice I would have. Darren Gaddis (12:54): Mariette, thank you for joining me today. Mariette Marsh (12:56): Thank you. Darren Gaddis (12:57): Be sure to follow, like, and subscribe to On Campus with the CITI Program to stay in the know. If you enjoy this podcast, you might be interested in CITI Program's other podcasts on tech ethics and on research. You can listen to all of CITI Program's podcasts on Apple Podcast, Spotify, and other streaming services. I also invite you to review our content offerings regularly as we are continually adding new courses and webinars that may be of interest to you. All of our content is available to you anytime through organizational and individual subscriptions. You may also be interested in CITI Program's data management and security for student researchers, an overview webinar. Please visit the CITI Program's website to learn more about all of our offerings.