By SHANNON O. WELLS
Sharing research-generated data is an integral part of a university’s role, but without security-oriented parameters in place, hard-won information can be misused, misappropriated or stolen outright.
To address these and related concerns, the Senate Research Committee is considering an interim Data Management Policy while fulfilling new and evolving federal mandates on data management. Bill Yates, vice chancellor for research protections, outlined the interim policy on Sept. 15 at the committee’s inaugural meeting of the 2023-24 academic year.
Former Pitt Chancellor Patrick Gallagher sought to have a new policy, Yates explained, “because of these upcoming new rules” — the 2022 Chips and Science Act and the National Security Presidential Memorandum 33 — which indicate “we’re going to have to do more in terms of research security and data security,” he said.
Pitt responded to U.S. government draft rules issued earlier this year, but federal funding agencies and others started requiring universities to retain data to validate research outputs even earlier.
“There have been rules in place for many years,” Yates said, referencing the Bayh-Dole Act, a federal law enacted in 1980 that allows universities and nonprofit agencies to own, patent and commercialize intellectual property (IP) research generated through federal dollars, within their organizations. “But it also gives us the impetus — and actually the requirement — to commercialize those findings.
“So if we get an NIH grant, and somebody comes up with a great discovery, it’s Pitt’s,” Yates explained. “But we actually have the onus to make that available to the world. So that’s a requirement that comes out of federal law.”
Based on existing governance structure, Pitt’s own research integrity assessments have sometimes revealed that researchers can’t produce their data when asked to validate their research outputs. “A common story we hear is a graduate student had the data on their computer, and they took it with them when they left,” Yates said. “So they didn’t leave the data behind, even for a federally funded project, which is a problem.”
With investigators rarely writing a Data Use Agreement upon their departure, they potentially “are taking the discoveries through research done at Pitt and commercializing them, potentially elsewhere, which is a real problem,” he said. With Pitt responsible for commercializing work resulting from federal funding, “if we take our IP and give it to somebody else, it’s a real problem and also a liability.”
If a sharing agreement is not in place, particularly for pre-publication data, “somebody else can actually steal your data and actually publish it without giving you the attribution that you need, that you deserve, so that’s a problem,” Yates said. “Data sharing is good, but often if you’re going to give your data to somebody else, you need to have an agreement about how they use it.”
Security steward
The Gallagher-chartered Interim Data Management Policy expands on research data-focused memos that Mark Nordenberg, Gallagher’s predecessor as chancellor, wrote in 2009. The memos stipulated that research data generated at Pitt are owned by the University, data must be retained in accordance with regulatory requirements, and primary data must be retained at the University.
“So the University needs to be the steward of the data to meet all the security requirements (and) to commercialize the data, if needed, and to address any allegations of research integrity violations,” Yates explained. “The Nordenberg memo said usually you’re going to need an agreement to get your data to somebody else.”
Fortunately, Yates noted, the ”main tenets” of data governance policies from other universities are “very similar. So what we’re proposing to do is what everybody else is saying that people have to do with their institutions.”
The interim policy establishes data generated by working Pitt faculty or trainees, graduate students, or postdocs, Yates said, belong to the University. Undergraduate students, however, own data they generate, except if University resources “are used substantially in the generation of that data,” Yates said.
“So if you’re paying an undergraduate student to work in your lab or to do your NIH-funded work, of course, that data belongs to the University. But if the student is doing theoretical physics on their own computer in their dorm room, and they come up with a great discovery, that’s theirs, not the University’s,” he added.
Appropriate storage and sharing
All of this is predicated on appropriate management of research data in accordance with regulations and funding-agency mandates. The interim policy, therefore, calls for primary investigators to develop data-management plans.
“There’s no stipulation on how formal it has to be, how rigorous it has to be, but we’re requiring that the PI have some plan to manage data,” Yates said, “and that they tell people that work in the lab about that plan.
“We don’t want the story that the graduate students had the data on their personal computer, and they took it with them,” he added. “That’s just not acceptable at this point.”
In addition, records need to be appropriately stored in University-owned resources or facilities. “If you have a (separate) server in your lab, the University can’t attest that that server is appropriately managed, that the security provisions are appropriate,” Yates said. “That’s why you need to put your data on a One Drive or a University-owned and secured resource.”
Personal devices can be used for research data, but not as a long-term repository. However, access must be limited to those with a demonstrated need. “Some records are very sensitive — human subject records, for example,” Yates said. “So although there are mandates for data sharing, we also need to limit access to records as well for security and privacy reasons.”
Similarly, transferring data to someone else must be done judiciously, and may require a data-use agreement to stipulate how that data is used. “So, if they find something wonderful out of your data that you hadn’t seen before, you probably want credit for it, right?” Yates noted. “That’s why data-use agreements are useful in these cases.”
The interim policy also codifies a longstanding Pitt custom allowing those leaving the University to take copies of research records, provided originals are left behind. Researchers also must retain their data for an appropriate period of time after completing a project.
“The rule of thumb is seven years,” Yates said, although funding- and regulatory-agency requirements may vary. “An extreme example is if you’re collecting clinical data on a minor, then you have to retain that data until they’re 23 years old.
“If you’re collecting data on a newborn, as clinical data, you will have a very long data-retention time, and that’s just how federal law dictates that you store the data.”
Bare bones to permanent
While the interim policy draws from the earlier Nordenberg memo, it modernizes its focus from paper to electronic records. “This is going to align us with the new research security regulations,” Yates said, “And it also empowers Pitt to ask people to do the right thing, which is important.”
Pitt requires that an interim policy must be followed by a permanent policy, Yates noted. “There will be another policy committee coming along (to write) a longer potential policy with more details in it. This interim policy is meant to be the bare bones at this point.”
Citing the direction of entities like the National Institutes of Health, Rob Rutenbar, senior vice chancellor of research, said regulation requirements are most certainly on the uptick.
“So wherever you think the campuses are now in terms of their awareness of, and vigilance on, data management plans, I guarantee you it’s going to be tighter in the next couple of years,” he said.
On to Senate Council
A lot of the required changes, Rutenbar emphasized, are in the spirit of helping researchers with longstanding questions about data retention and management.
“Because the answer that everybody hates is when someone says, ‘Where’s the data from that project you finished last year?’ and someone else says, ‘I think it’s on the shelf in the closet.’ That’s a terrible answer. That’s a common answer. I think we can do that one better,” he said.
Responding to Senate Council President Robin Kear’s question about Pitt’s current processes, Yates said while he thinks the University does “a reasonable job” with data retention, a couple of research-integrity allegations have required the department to investigate and “basically see if the data were valid. And we were told that the graduate students took the data with them,” he said. “So, occasionally there are problems now in that realm.”
Faculty, he added, generally do not get a data agreement when they leave. “And that is a big issue,” Yates added. “Because if there is a research-integrity concern raised to us, we really need to be able to deal with it.”
Noting this is “more substantial than other interim policies I’ve seen,” Kear asked Yates and his colleagues to present a preview of the interim policy at the next Senate Council meeting, on Oct. 12.
“Because I think people need to know about it,” she said, “and they need to know what’s happening and that this is interim and that we’ll have a full policy after this — and to be able to answer any questions.”
Noting the rapidly changing environment in research on a university as well as federal level, Rutenbar said he looks forward to sharing the interim policy with a wider audience.
“We’re modernizing some old infrastructure here, and we’re also reacting to this,” he said of the changes. “It’s like, ‘OK, that’s fine. That’s kind of what we do.’ But this is why we’re here. So we’re happy to do this in front of the Senate Council.”
Shannon O. Wells is a writer for the University Times. Reach him at shannonw@pitt.edu.
Have a story idea or news to share? Share it with the University Times.