Arcus is a unique data environment that will one day host many research data sets from Children’s Hospital of Philadelphia, all of which will have their own formats and regulatory requirements. As a research data privacy analyst for Arcus, Dianna Reuter, JD’s, goal is to build a house where all of those data sets — whether they’re related to human subjects research, or genomic studies, or come from abroad and are subject to other countries’ privacy laws — can have a home that is accessible but stays secure to protect privacy.
“Privacy has this other layer, this atmosphere above those regulatory requirements, where you have to think about restrictions afforded by the law, but you also have this layer of ethics that goes above it,” said Reuter, who works in CHOP’s Department of Biomedical and Health Informatics.
We sat down with Reuter to find out more about how she is an integral part of the Arcus team wrestling with these ethical questions. As they navigate the busy intersection of data privacy and security, pediatric research, governments’ rules and regulations, and human rights, their goal is to solve them in way that CHOP and the Research Institute can be proud of and upholds their respected reputation for patient privacy.
“Every day is an exercise in thinking about these big picture questions,” Reuter said. “It’s a humbling project with a lot of responsibility behind it. We are trusting researchers to have access to a lot more information in order to make needed advances in child health, and we need them to become mindful stewards of that responsibility.”
What brought you here to CHOP to explore Arcus and its role in research to advance child health and disease?
I have a strong nonprofit background and had decided to go into law school late in my career. During law school, I fell in love with privacy law, which involves how companies and governments may collect and use information and data about people. I was hopeful I would find a role as a privacy attorney that would allow me to combine my nonprofit experience with privacy law at a mission-driven organization committed to the greater good. Fortuitously coming across the opening for the Arcus research data security analyst position was absolute kismet. I was the first outside hire to join the Arcus team in fall 2017.
Why is it important for you to share your legal perspectives during the early development and implementation of Arcus?
Privacy law is changing rapidly, and as a privacy professional who is a lawyer, I’m trained to keep informed of recently decided cases or recently passed legislation and look for all of the company responsibilities required by those regulations and the precedents they set.
In law school, you can take classes on cybersecurity and global privacy laws, but you find out pretty quickly that privacy laws come from “a different place,” and that place is largely human rights treaties that came about in the 20th century. Those treaties tend to be recognized much more formally internationally (where some countries have legislation incorporating them), but we’ve been seeing more and more that international perspectives inform privacy law because technology is borderless. Those stricter perspectives are bleeding into U.S. law and practice as we speak.
In my mind, privacy is bigger than just HIPAA and the Common Rule and the state laws to which we are subject. It involves ethics and thinking proactively and trying to go above and beyond when you can. It’s really important that when our Arcus team thinks about privacy, that we’re not just asking, “OK, what do we need to do to be compliant?” Instead, we focus on: “What can we do to protect this truly valuable right that people have when they walk in our door?” I enjoy that aspect of being a privacy lawyer — in many ways, you’re a human rights attorney.
What do you see as unique and innovative about Arcus data access and management?
Arcus is going to open the door for authorized CHOP scientists to have access to a lot of data within the CHOP environment. The old model of “security through obscurity” is falling away, and Arcus represents that. We also have to impress upon people that as this paradigm shifts, users are going to have to be responsible and follow the workflows that we’ve created.
CHOP Research Institute has a solid foundation in patient privacy. How does that help pave the way for research projects involving Arcus?
CHOP enjoys an excellent reputation at the forefront of patient privacy. In many ways, I view my greatest task as ensuring we can continue to meet the high standard set at CHOP.
In this day and age, you have to have a marketing mind and think proactively about protecting the reputation of the organization because data privacy practices can go “viral” and sometimes be misconstrued. Part of any privacy professional’s job is to think about how data use looks and sounds to an average person who happens to hear about a large organization’s data practices. Oftentimes, an organization can lawfully take on a project and start to use data, but they find themselves in hot water because they didn’t fully consider how it would fall upon the ears of the community.
Because Arcus is greater access to greater information, we need to rise to the level of protecting patient privacy with the integrity that CHOP has established.
How will your goals contribute to Arcus’ success, and how do you plan to accomplish them?
One of my professional goals is to get a very wide breadth of experience in privacy law. As we create blueprints for Arcus, they will take into accord many regulations and rules that are changing at a fast pace, but that’s the fun part! We have to answer questions about genetic data and how we are going to protect it. We have researchers who come from international locations, and they bring data with them. We have to consider what information should be provided to CHOP patients and families so that they know how their data is being used for research.
We’re already hard at work accomplishing this by biting off tiny pieces as we begin to incorporate some of our early research data sets from our first round of pilot projects. We have some data that’s genomic, some that’s international, and some that has contractual limitations. As we carve out the pathways for how to treat each of these data sets, we’re creating a world where much of this research can reside ethically and securely.
Tell me about the patient family feedback you’ve heard so far about Arcus and how it may influence their view of pediatric research.
We had an initial meeting with a Family Partners committee that we convened, and I found it to be an incredible resource. Like anything, there’s a wide range of thoughts and opinions, and all of them matter. Some parents say confidently, “I trust CHOP. I know it’s an academic research institute and that my child’s information is going to be included in research efforts. That’s fine with me, and I’m happy to let the process unfold because I know you’re protecting my child’s privacy.” Others say, “I want to know every single time that my child’s information is being used for research.”
These are the two extreme ends of the spectrum, of course, and somewhere between those two ends is where Arcus has to navigate. We have to think about the parents who don’t want information overload and those who want to know as much as possible. What we’re working on is determining when the unique circumstances of Arcus will require additional protections or information. Arcus is a research resource in which theoretically every patient or study subject appears as a participant.
Quite often when the Arcus team is thinking about a particular practice or algorithm we’re contemplating using, we stop and think: “What would I want if it were my kids’ information in Arcus? How would I want these decisions to turn out?” In many cases, our team members are actually thinking about their own children because they’re CHOP patients.
What is the most important idea that you want researchers who are beginning to explore the benefits of Arcus to remember?
One of the messages I’d like to share with eventual Arcus users is that we understand their desire to make new discoveries. We want to enable science to unfold as easily and effortlessly as possible, yet at the same time, be good stewards of patients’ data. We need our users to join us in that effort.
There’s a saying in privacy and security that it’s people who form the greatest risk to data protection. We’ve all been there, banging our heads against two factor authentication or considering taking a screen shot on our phone so that we can have a handy reference to some data or an image. And the Arcus team gets that we’re in the business of breakthroughs, but we’re also in the business of protecting data and protecting our patients’ privacy. We hope everyone will treat Arcus data like the precious asset that it is.
What excites you most about the Arcus project?
Definitely the wide range of privacy issues I get to grapple with. Some of the hottest topics in privacy law are data security, machine learning, genetic information — and notice, all of these arise in our Arcus work.
In this day and age, a lot of companies are looking to their data and asking, “How can we better harness this?” It’s so amazing to see that CHOP is doing the same, and all for the purposes of better solving the medical mysteries that still confound us. Arcus will be a place where all of this data that is used individually by researchers will be put together to be reused many times over by other CHOP researchers. That immense pool of information probably contains many answers that will rise to the surface.
I love the inscription in the lobby of the Abramson Research Center. It gives me chills: “To wrest from nature the secrets which have perplexed philosophers of all ages, to track to their sources the causes of disease… These are our ambitions.” We know that some of those secrets are going to be sitting in Arcus, waiting for their moment of realization. I’m so honored to be part of this venture.