Tag: Data Protection

CITI Informed Consent SBE FAQ

 This page will answer the most popular questions of the CITI Informed Consent SBE.

There is general consensus on the importance of informed consent in research for treating individuals with respect, autonomy, and the right to decide.

Photo by Matthias Zomer on Pexels.com

However, obtaining and documenting consent can be a complex process, with certain challenges like potential subjects not being literate in the language of the study or the need to deceive to obtain valid data.

The federal regulations provide flexibility for cases with minimal risk of harm, allowing waivers or alterations to the requirements for consent and documentation processes.

The Process

Informed consent is a process that begins with recruitment and screening and continues throughout the subject’s involvement in the research. It involves providing specific information about the study in an understandable way, answering questions to ensure understanding, giving subjects time to consider their decision, and obtaining voluntary agreement to enter the study (subjects may withdraw or decline to answer at any time).

Popular Questions

Question 1: A therapist at a free university clinic treats elementary school children with behavior problems who are referred by a social service agency. She is also a doctoral candidate who proposes using data she has and will collect about the children for a case-based research project. Which of the following statements about parental permission is correct?

Answer: The parents of the children might feel pressure to give permission to the therapist to use their children’s data so that she will continue to provide services to their children. [Quizzma]

In this case, the researcher must make sure to provide additional information about the research to balance out any potential benefit of participation against any risks or harms. The parent should also be informed that there is an option for their child not to participate in the study, and all reasonable efforts should be made to ensure that the parent’s permission is voluntary.

Question 2: A criterion for waiving informed consent is that, when appropriate, subjects are provided additional pertinent information after the study. In which of the following studies would it not be appropriate to provide subjects with information about missing elements of consent?

Answer: A study in which subjects were assigned to study activities based on an undesirable or unflattering physical characteristic as assessed by members of the research team.

In this case, providing additional information after the study would potentially cause greater harm than good and is likely inappropriate. The research team should ensure that subjects are fully informed of all elements of the consent process prior to the study.

Question 3: A researcher leaves a research file in her car while she attends a concert, and her car is stolen. The file contains charts of aggregated numerical data from a research study with human subjects but no other documents. The consent form said that no identifying information would be retained, and the researcher adhered to that component. Which of the following statements best characterizes what occurred?

Answer: There was neither a violation of privacy nor a breach of confidentiality.

In this case, since no identifying information was retained and all data was stored in an aggregated form, there is likely no violation of privacy or breach of confidentiality. However, the researcher should still take appropriate steps to investigate the theft and file a police report if necessary.

Question 4: When a focus group deals with a potentially sensitive topic, which of the following statements about providing confidentiality to focus group participants is correct?

Answer: The researcher cannot control what participants repeat about others outside the group.

In this case, the researcher should make clear to participants that confidentiality is expected and enforced within the focus group.

The researcher should also do their best to ensure that all information shared remains confidential by setting ground rules for discussion and by limiting access to the recordings or transcripts of the group discussion. However, it is ultimately up to each participant to keep any shared information confidential outside of the focus group setting.

Overall, informed consent is an important process in research involving human subjects and must be adhered to carefully. It involves providing relevant information about the study clearly and accurately, answering questions as needed, giving sufficient time for consideration of participation, and obtaining voluntary agreement from participants.

In order to ensure that informed consent is obtained appropriately, researchers must be familiar with the principles of informed consent and their legal obligations.

Question 5: A general requirement for informed consent is that no informed consent may include any exculpatory language. Exculpatory language is that which waives or appears to waive any of the subject’s legal rights or releases or appears to release those conducting the research from liability for negligence. Which of the following statements in a consent form is an example of exculpatory language?

Answer: Participation in the research is voluntary, but if you choose to participate, you waive the right to legal redress for any research-related injuries.

This statement is an example of exculpatory language as it releases those conducting the research from any liability for negligence. Informed consent forms should not contain any exculpatory language and must be reviewed and approved by an Institutional Review Board. In addition, informed consent forms should clearly state that participation in research activities is voluntary, without coercion or undue influence. It is important to ensure that all potential risks and safeguards associated with the study are outlined clearly in the informed consent form before a participant agrees to participate in a research study.

The CITI Informed Consent SBE provides useful guidance on informed consent processes in research. Questions like these can help researchers understand their obligations regarding informed consent and ensure that they carry out their research ethically and humanely. Ultimately, informed consent helps protect the rights of participants while allowing for meaningful science that responds to real-world challenges.

In conclusion, CITI offers a comprehensive FAQ section on informed consent which can help researchers understand their legal obligations when obtaining informed consent from participants in a research study. The FAQs provide detailed answers to common questions about informed consent that researchers should consider when designing their research.

Familiarity with the principles of informed consent and understanding one’s legal obligations is critical to ensuring that research is conducted ethically and responsibly. By following best practices, researchers can ensure a responsible research process while protecting the rights of participants.

Internet Theft: Can the government be considered as a white collar criminal?

With the constant rise in digitalization, the computer stores information in binary data form and deeply on the data form which is a way that the device tracks a lot of information in an effective way. Subsequently, with the invention of personal computers and microprocessors the idea of using computers for exclusive use of an individual rose. The process was not only affordable but also made management and storage of information easier. But this evolution has also led to increased interactions and sharing of private data using computer, ultimately leading to illegal activities known as cybercrimes. Identity theft is one such crime. Identity theft refers to a crime when a person fraudulently obtains information of another person and later uses it for economic or personal gain.  The theft happens in a two-step process. Firstly, the personal information gets stolen. Later, the information gets used to impersonate the victim and commit the fraud.  Identity theft has already made its place among the fastest growing sector in not only the developed countries but also the developing countries. The primary reason for US being affected stands firm to the fact that all the personal information is linked to a single social security number. The number allows an individual to avail all government schemes and records related to the individual whose social security number it is. This allows very little safeguarding to the individuals whose number gets leaked. Landing on Indian records, there has been an 11% increase in identity theft and ransom ware, followed by phishing attacks increase to 9%.  India also been ranked amongst top 5 countries to be affected by cybercrimes in 2013.  Problematically, there is a very low conviction rate despite the high levels of cybercrime.

There are provisions in Indian Penal Code, 1860 which governed the crimes of forgery and fraud but it was later amended by the Information technology Act, 2008 as it also included the electronic record, ultimately widening the ambit of such computer data related crimes. Provisions such as section 464 criminalizing forgery, Section 465 criminalizing making of false documents, section 468 criminalizing forgery for purpose of cheating, Section 469 criminalizing forgery for purpose of harming reputation, Section 469 criminalizing the use of a genuine document as forged and section 474 of having possession of a document with intention of using the genuine document as forged were coupled with IT Act. Section 420 could be used in circumstances when the Act requires including unique identification information of any individual. 

In the present scenario, the IT Act, 2000 is the main legislation governing cybercrimes in India. The objective of the Act, however, was to mainly recognize e-commerce and that’s why it did not define cybercrime. Before the 2008 amendment, the Act could impose civil liability for unauthorized access to computer or network which would have facilitated an illegal act under section 43 by way of compensation under the pecuniary limit of one crore. Also, Section 66 criminalized hacking which would result to destruction, deletion or alteration of any resource in the computer. 

The Amendment of 2008 introduced the term ‘Identity Theft’.  Section 66C of the Act governs the crime and provides punishment for the same.

The ‘sensitive personal data’ however required stronger laws to be formulated which could ensure the protection of private data. The ambit of the term has been defined by IT rules, 2011. It involves the data related to one’s password, financial information, sexual orientation, biometric information, medical records. Such a clause would be exceptional to the State or central government for monitoring, surveillance or interception. The same was provided under Section 69 of the Act. 

Data Protection Bill 2019 and Cyber-Crime are often used together these days. Not scholarly but indeed since the bill does come with serious implications for all technological and digital service provider companies and has already generated controversies. Despite India’s attempts to create a complex legal framework with the objective of protecting data but it comes with shortcomings which are inevitable. On a bare reading, there are three serious flaws with the current draft.

Firstly, the section of data localization requires data fiduciaries to store atleast one copy of personal data on a data centre or server which is located in India. However, the centre holds the upper hand to exempt categories falling under the personal data. Also the centre can declare certain datas as critical and require them to be stored in India. In the present, this would allow all the social sites also known as foreign internet services to physically able a user data in the country. This would allow law enforcement easy access to this data, which brings to the second issue.

The law enforcement access to data section would allow processing of data considered personal by an individual in the hands of centre and in the interest of security and public welfare, the state can utilize the information which would not be illegal as it would be according to procedure established by law. Now, this access stands as a threat to the right to privacy that exists in India. If combined with the section of data localization, the government shall have access to information about users in social media.

However, this legal framework for surveillance by the government is governed by the judgment in PUCL v Union of India in which the Apex Court stated rules to concentrate the power to order and review surveillance in the executive body which doesnot require court orders or supposedly, any third party review. The measure intended to act as a stopgap measure by the SC and if any subject falls short of international human rights then there will be very little to safeguard the citizens.

The last section is about the regulatory structure created. The Centre has control significantly over the controls. The bill further gives powers to data protection authority to appoint its members by merely the recommendation of an outside committee. For a person to be an effective regulator of an institution, one must have sufficient time to learn and the bill providing only five years of term seems ineffective.

The term white collar crime has grown to define the fraudulent crimes of business and government professionals over time. The characterization of such a crime is violation of trust, concealment of information, deceit through information and categorically not dependent on any kind of force or violence imposed. White collar crimes end up having huge impacts on the society. There have been various scams in the country like the Havala scam, 2g scam, fodder scam, banking scam and many more. This does not necessarily indicate towards the entire involvement to be criminal but it merely requires one financial fraud in greed of money or power to commit such an act. Cybercrime stands as one of the biggest causes to these types of crime in the country. It is the information that single handedly threatens a person’s security and financial status.

Since the actions of Government have direct impact on the society, it is easily identifiable that when a white-collar group is discussed, the Government is a part of it.

Now, bringing the recent proposed bill and the white-collar crime concept together, the question stands whether the bill in the name of data protection is actually for protection or is merely a tool of mass surveillance by the Government.

The SC in its judgment of right to privacy in K.S Puttuswamy case declared the right as a part of Article 21 guaranteed under the Constitution. The judgment clearly stated that the right is a natural right and is a measure to protect an individual from the scrutiny of the State. Thus, any action by the State would undoubtedly result in violation of such a right and would be subject to judicial review. But the right clarified to have reasonable restrictions which empower the State to impose restrictions in accordance with a law in the interest of State’s need and also the means should be in proportion to the objectives of law.

Even if not called the worst but if the bill is passed, it would bring in major implications especially in areas of national security, foreign investment as well as international trade.

Data Protection

Recently got a chance to attend webinar where Former Justice B.N Srikrishna talking about data protection luckily got great insights and delighted to share with you guys hope it’s helps you to understand everything about Data Protection.

India is not a party to any convention on protection of personal data which is equivalent to the GDPR or the Data Protection Directive. However, India has adopted or is a party to other international declarations and conventions such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognise the right to privacy.

India has also not yet enacted specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act (2000) (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.

The Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) under Section 43A of the IT Act. A clarification to the above Rules was issued on 24 August 2011 (the “Clarification”).

The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have some similarities with the GDPR and the Data Protection Directive.India has introduced a biometric based unique identification number for residents called ‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted Delivery of Financial and Other Subsidies Act) 2016 (“Aadhaar Act”) and rules and regulations issued thereunder.

Entities in regulated sectors such as financial services and telecom sector are subject to obligations of confidentiality under sectoral laws which require them to keep customer personal information confidential and use them for prescribed purposes or only in the manner agreed with the customer.

To better balance privacy and innovation, India’s data protection legislation must be narrowly focused and designed to protect individuals and society against any injury resulting from data processing.In December 2019, the government introduced the Personal Data Protection Bill, 2019, in parliament, which would create the first cross-sectoral legal framework for data protection in India.

A framework for protecting personal data has to be designed on a more precise understanding of the role of privacy in society and of the harms that emanate from violations of individual privacy.The notion of informational privacy has become salient in the past decade.

India has privacy jurisprudence going back several decades. Most of it focuses on privacy in the context of harms caused due to a violation of privacy. This jurisprudence changed in 2017, when the Supreme Court in Justice K.S. Puttaswamy v. Union of India held that the Indian Constitution included a fundamental right to privacy. While deciding the case, though the court listed a long line of jurisprudence, the central deficiency in the existing jurisprudence in the court’s opinion was the lack of a “doctrinal formulation” that could help decide whether privacy is constitutionally protected.

The Personal Data Protection Bill, 2019, follows a long line of privacy jurisprudence in India that has been influenced by global developments as well as the country’s own constitutional jurisprudence.

Though the constitution does not explicitly mention a right to privacy, Indian courts have held that a right to privacy exists under the right to life guaranteed under Article 21.5 However, there was always some ambiguity regarding the exact nature of the constitutional protection of privacy due to the long-standing judgment of the Supreme Court in Kharak Singh v. State of Uttar Pradesh, where the court held that a right to privacy did not exist under the constitution.

The Bill governs the processing of personal data by:

(i) government,

(ii) companies incorporated in India,

(iii) foreign companies dealing with personal data of individuals in India.

Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.

The Bill sets up a Data Protection Authority which may:

(i) take steps to protect interests of individuals,

(ii) prevent misuse of personal data,

(iii) ensure compliance with the Bill.

It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.

Offences under the Bill include:

(i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher,

(ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.