8. Meeting legal/regulatory, ethical and sensitive data obligations

I think the paradigm shift in the legal regime pertaining to indigenous communities’ sovereign rights over their natural resources and derivative data is creating opportunities for biodiversity institutions and researchers to rethink their existing “best” practices and professional standards surrounding stewardship of physical specimens as well as governance of data. One aspect of conventional transactions that merits a further review is institutional collection acquisition and accession policies. Today, institutions may be required to stop and question the very assumption that field collected biodiversity specimens and associated data have no strings attached. Furthermore, from the risk management perspective, to protect your institutions from legal liability and ethical challenges, it may be necessary to take an additional step of clearance and due diligence to ensure incoming specimens and associated data meet their (updated) collection policy. This is true especially if the institution’s mission and collection are international in scope including those that originated from “beyond jurisdiction.” A boilerplate language in a deed of transfer form, which intends to accomplish outright and absolute transfer of title to specimens and data, may no longer legally and ethically make sense in situations implicating cross-jurisdictional regulatory complexities. For example, hypothetically if your counterpart’s affiliated tribal community holding sovereign rights over material drafted a MOU including terms that the collector-user may not assign title (i.e. transfer ownership) to a third party under any conditions but may arrange a bailment (i.e., deposition) with a biorepository to facilitate future open access and noncommercial use, is the repository institution willing to work with that counterpart and redraft language of a deed into more like a license to accept the deposition and long-term holding of such specimens and data with strings attached or even willing to revamp the whole collection acquisition and data policy? — Pardon if my view is off the main topics of this discussion thread.

2 Likes

@apodemus This topic is definitely part of the discussion of this thread, and thank you for your thoughts. I agree with you and Colella et al. (2020) who suggested that a paradigm shift from specimen ownership to stewardship is one step needed to adapt to the changing legal landscape. A robust global cyberinfrastructure, such as that advocated by the Extended Specimen Network, will also promote transparency regarding the origins and uses of genetic resources. Ultimately both institutional changes and global integration of data will strengthen international collaborations as both providers and users work together to conserve biodiversity. (Colella, J.P., R.B. Stephens, M.L. Campbell, B.A. Kohli, D.J. Parsons, and B.S. Mclean. 2020. The Open-Specimen Movement . BioScience biaa146: 1–10. doi:10.1093/biosci/biaa146)

2 Likes

At the initiative of Dirk Neumann, we discussed in a group the characteristics and functions that will allow the digital and extended specimen infrastructure to be applicable in the context of access and benefit sharing under the Convention on Biological Diversity (CBD) and its Nagoya Protocol.

We are proposing the following eight guidelines and requirements:
Andrew Bentley, Jutta Buschbom, Libby Ellwood, Alex Hardisty, Chris Lyal, Dirk Neumann, Breda Zimkus

  1. Take care to use language that is CBD conformant.
  2. Show the importance of the DES for the continuing design and implementation of the post-2020 Global Biodiversity Framework, as well as the mobilisation and aggregation of data for its monitoring elements and indicators.
  3. As a general rule, we strive to openly publish as much as possible (all data and metadata) online.
  4. Have in place a powerful, strong and well-thought-out layer of user and data access management and security for ‘sensitive data’.
  5. Encrypt all data and most metadata at the level of an individual specimen or digital object. Provide access via (personal) digital keys.
  6. Link obligations and restrictions regarding use to the digital key.
  7. Implement a transactional system that records every transaction.
  8. Workforce capacity building is very much needed across the whole range of the digital realm, its work areas and workflows.

(for an extended version please follow this link)

We are very interested in your thoughts, experiences, comments and in additional considerations regarding these guidelines and requirements.

@apodemus I wanted to return to your comment and ask you and others how the paradigm shift from ownership to stewardship could be achieved? How can opening up data in the way suggested by digital extended specimens (i.e., placing in the public domain and supporting curation by the community) assist this? How can it be stimulated? When the extended specimen network is decentralized and not under the control of a single organization, what benefits or issues does that create?

Are there stakeholders that we don’t even think about because we aren’t aware that they exist and that the DES is of interest to them? What do you as a stakeholder concretely need from a DES infrastructure for it to support you in achieving your objectives?

Several of the questions asked last week (eg. here and in Topic 11) fit well into a concept and methodology called “System redesign toward creating shared value” (SYRCS), recently described in a post of the i2insight-blog.

Systems redesign in our context is a transition from the more local and disparate publishing of data to an integrated, harmonized global infrastructure focused on FAIR functionality and quality, specifically geared for data re-use and their application to efforts of solving real-world problems.

Following the concept of system redesign toward creating shared value, change happens and/or needs four stages (text adapted from the post by Moein Khazaei, Mohammad Ramezani, Amin Padash and Dorien DeTombe):

  1. emancipation and critical thinking
  2. problem structuring
  3. multi-criteria and quantitative decision-making
  4. creating shared value.

Our current questions seem to fit into stage 1, in which we focus on you as stakeholders and query your motivation (sense of purpose and value), your experiences with and thoughts on power (who is in control and who is needed for success), knowledge (experience and expertise), and legitimacy (ensuring that all those affected are involved).

The approach proposed in the blog post is to use ‘is’ and ‘ought to be’ forms of questions, such as “Who is (ought to be) the beneficiary? That is, whose interests are (should be) served?”.

My personal point of view is that the community-driven development of the digital and extended specimen infrastructure and network is an incredible chance. It also shows a strength of the collections and biodiversity communities: to work together and thus having the experiences needed to design, find solutions for and implement complex, shared infrastructures. We are happy that we already reached a wide range of stakeholders, from the humanities and law to conservation and businesses. Please jump in, join the development process and add your experiences and thoughts.

1 Like

In my personal point of view, a consensus model for biodiversity collection stewardship should take flexible approaches instead of trying to achieve its broadest acceptance and application across the globe under one principle in regard to accountability and sustainability; approaches flexible enough to allow coexistence and balancing of competing views, paying due respect to different value systems and national policies concerning biological resources and their derived intellectual property.

3 Likes

These are valuable suggestions. Within GGBN (http://www.ggbn.org) we proposed a permit (and loan) vocabulary as part of the GGBN Data Standard (https://terms.tdwg.org/wiki/GGBN_Data_Standard) a few years ago to enable sharing this information. Several members have implemented it already. Since GGBN is dedicated to molecular samples the need come up with solutions for implementing the Nagoya Protocol is very high. The goal is to make this vocabulary mandatory for all data providing GGBN partners and also add data quality checks in the harvester for these particular terms. The terms include: controlled vocabulary for permit/document types, status of the permit and a qualifier, url to the document, loaning restrictions, loan dates, disposition etc. As part of the SYNTHESYS+ project we are currently reviewing this vocabulary (focussing on preserved collections, biobanks and living collections). We are also planning to propose a TDWG Task Group on Permits and Loans to broaden the scope and include more people. Our goal is, that such a data standard can be implemented by other platforms such as GBIF, DiSSCo or INSDC too. So I’d say the timing fits perfectly to share the efforts.

2 Likes

With regard to a future loans and permits standard, Gabi and I will organise a workshop within the COST Action MOBILISE (https://www.mobilise-action.eu/). The aim is to seek input from different collections communities (e.g. paleontology, observations, geosciences, biology, anthropology) about the legal requirements they are faced with and that should be taken into consideration in the standard development. The workshop will also deal with the implementation of the standard in digital infrastructures, and it would be perfect if we could discuss possible solutions for the digital/extended specimen concept. The workshop is planned for September 29th and 30th, 3-6 pm UTC on both days. I will send the information via different mailing lists soon, but you are also welcome to contact me directly (e.haeffner{at}bgbm{dot}org).

1 Like

@JuttaBuschbom pointed out to me in an email today that decisions relating to access must be set up to accommodate, even be dominated by many fine-scale users - by which I think we are talking about fine-scale decisions on access to information.

We either can work in a context where we inherently assume everyone/everything is trusted to behave (which can be a mistake) or we work as if we always assume no-one/no-thing can be trusted to behave as we would wish. Each time access is needed a user must repeat the steps to establish trust. Halfway scenarios, where some users are trusted and some are not, are increasingly problematical because of the complex interplay of the objectives/policies of multiple data producers with those of data consumers. It becomes easier to establish new trust each time we need to do so.

Consider the analogy of flying. You need a passport/id and a boarding pass to get through the airport and board a specific flight. Just because you did it once, doesn’t make you trusted the next time. It also doesn’t let you access all areas of the airport nor embark on any flight you like. (I wish!).

This ‘zero-trust’ model is becoming the norm in information systems because it’s easier to manage; especially in distributed/decentralized systems when multiple control points and control needs exist (again, think of airports and aeroplanes). With a common general-purpose mechanisms (passport/id and boarding pass) multiple variations of rules/policies can be enforced in different places and according to different needs. A model based on inherent trust only works for a few privileged users and can’t scale well (think VIP/private jets).

A zero-trust model sits well with the remarks of @apodemus requiring:

My question is: What would our boarding pass look like? How can we be inspired by passenger name, destination, flight number, gate, and seat number?

Thinking of the airport analogy further, we can in fact see a clear distinction between passengers (users of the airport) with their boarding passes, and airport staff with their airport id badges and a different set of access rules. Do we also need two kinds of control?

This does not mean all data/information becomes access controlled. Again, an airport allows staff, passengers, and family members on the concourses, departures and arrivals halls with no or only limited control. We more or less have that today with institutional, GBIF and other data portals. Users provide some limited indication of who they are and that they’ll abide by terms and conditions but then they can access/obtain useful data (but generally only data deemed to be of low sensitivity). However, just ticking a box to agree with terms and conditions is no longer sufficient. A proper, accountable record of subsequent transactions must be kept in cases where meeting legal/regulatory, ethical and/or sensitive data obligations applies.

I suspect that it may be similar to the information we as collection managers and curators request when processing a specimen loan - only for data. Who are you? What institution are you affiliated with? What do you need to use the data for? What products are going to be created? We could provide information similar to a specimen loan agreement that would outline how to cite, how to link, etc. A digital key could then be provided to any data that is sensitive and has been obscured. The biggest stumbling block that I see is that most of the data will be freely available so how do we enforce such a system?

The hope is of course that by making the system linkable and transparent that all such transactions would be visible and traceable by all which will hopefully guarantee compliance.

These are interesting questions to ponder, but I’d be willing to bet that all these check points and restrictions in airports emerged long after there was demonstrable marketability and were each implemented as reactive measures, not proactive rules. And, none were implemented by those providing flight services; that would be perceived as a conflict of interest. Besides, what company would take explicit action to diminish their own marketability? [Aside: https://www.youtube.com/watch?v=Mdvr-4nYs5s].

Except for select few passionate flyers, the flight itself is not the prize, it is and has always been the destination. Is it not premature to implement check stops (airport authority = governance) until we’ve first demonstrated marketability (airline company/passengers = data publishers/users)?

1 Like

We came across an issue last week that I think is germane to the topics in this portion of the discourse. From what we have been told by our legal counsel, if data/images are produced with US Government funding (National Science Foundation in our case) they, by default, are open access and, in theory, could be available for commercial use unless (at least for now) the data management plan associated with that project funding includes a restriction. While our institution can restrict access to the data and images (for example, sensitive species) that are recorded with “our” funds, can we withhold any info/images that were made with government funds?

1 Like

@apodemus @hardistyar , your airport analogy works well for me and I agree with your proposal of a ‘zero-trust’ model.

Thereby, I consider the question of the boarding pass easier than the one of the passport (who are you and this IP really?). The boarding pass I propose is covered by use agreements (licenses, permits, loans, etc.) in combination with transactional transparency/tracking. Here trust and enforcement come into play.

Consider driving a car: nothing stops you from getting into a car and starting to drive it. As participants in public traffic, specifically as pedestrians, we trust that drivers to a high degree (>95%) follow the rules, know how to drive, have a drivers license, aren’t incapacitated to drive, and won’t mow us over. Establishing public trust in traffic and thus the trustworthiness of the traffic/transportation system is encouraged by enforcement. There is no problem in driving a car, until you are stopped by the police and can’t show a valid drivers license.

Within the context of the DES infrastructure, a drivers license equals checking the box that states that you have read and understood the use agreement conditions, will abide by them. You are fine as long as later your actions actually fall within the limits of the agreement defined by the checked box.

The power of the extended infrastructure is that most of the enforcement is provided through public transparency and AI-checks (‘surveillance’; eg. you submit a manuscript to a journal and AI automatically links the PID’s of your samples back and checks if all use agreements are alright). Ideally, only in a small number of cases law enforcement and the legal system need to be involved.

The transactional system provides the functionality to link the PIDs back to their permits, a specimen’s/sequence’s origin, etc. It also enables to retroactively retrace a user’s activities and revise unauthorized changes that they might have made.

Initially , I approached your, @apodemus post from the provider-side and didn’t see it from the perspective of users, as @hardistyar did. As solution to ensuring flexibility, I suggest that providers need to have the availability to attach independent access and use requisites in a very fine-grained way, eg. down to the level of individual fields. Also, as you pointed out @apodemus in a different exchange, providers need to be able to define finely “graded” use agreements. In addition to a wide range of predefined use agreements, there should also be an option to specify a provider-defined agreement.

@gdadade and @ehaeffner Thank you very much for picking up the discussion trajectory that considers the specifics of the practical implementation of use agreements of all types from the beginning of the consultation. Welcome to the forum and sorry for not connecting earlier.

My late reply might be partly a remnant from an outdated automatic reaction that links “permit” etc. directly to “bureaucracy”. I might not be the only one with that association. It is time that we robustly associate use agreements with new, positive and forward-looking contexts and pictures: sustainability, justice, conservation, ethics, and more.

At this point of the extended discussion, I am convinced that a well-founded, well-working and user-friendly integration of agreements will be at the core of what will make the DES work, give it power, and have providers and users accept it.

@abentley, your suggestion of “copying” a set of queries that a user needs to answer, which is already used for physical loans, is excellent. For such a set of queries experiences already exist and it is “time-proven”.

Registration is the suggestion that was brought forward in the discussion forum on DSI policy options, conducted by the Convention on Biological Diversity this April/May, (Topic 2 on “Criteria for assessing policy options” post by Chris Lyal [#2056] and following posts).

As discussed there, a range of possibilities to shape the balance between open access and registration exists. The approach implemented by GBIF is to allow searches and viewing of data (that is widely regarded as not being sensitive) without registration. Only downloads (and access via API) require registration.

In some cases you might need to “blur” some data for the public, e.g. coordinates, although you have all permits to protect the sampled population. This blurring might even be requested by some state authorities for certain protected specied.

Very true. Positive is that the main collection management systems already enable a basic management of these documents and that curators had to deal with this issue long before NP came into force already. New is, that we need to find an efficient way to put this information and data into the digital world, hence we need new data standards and conventions to cover all required information.

1 Like