It may appear to be little weird question but I guess this is the right platform I was just wondering working in a bioinformatics core how one is supposed to maintain the confidentiality of the data. It is easy that a user approach a bioinformatcian and bioinformatician, perform analysis, discuss project and deliver analysis to user- neat and clean. However when a colleague on the virtue of being senior in the core wants to have access to the data, what should be done? The said colleague has no idea about the project, not involved in discussion and has not analyzed data. The problem is the user has asked to maintain the confidentiality of data and sometime data is from patient samples. Now problem is should one just say not to senior colleague of core? just give away data; in that case if something happen at later stage will not the analyst be in trouble? I am sure several bioinformatican may have faced this situation. Any one would like to share their thoughts or guidance please?

Thanks

As a project manager in a bioinformatics core myself I will try to elaborate on my experience.

First of all when a biologist/client/user approach you for a job or to start a collaboration there is a tacit agreement (sometime written) between both party that you are now part of a project. Compensation for the work left to the discretion of the PI or head of the facility. This can take different form, either monetary or co-author ship or whatever...

The main point here is that you are part of a project with the client.

The level of security and confidentiality with which the data should be treated is project specific. For example, if those data are from patient and contain Protected Health Information (PHI) the confidentiality rules are set by the Institutional Review Board of the research institution (this example is valid for academic research in the US). Another example, you are processing expression data from mouse experiments and have a set of well defined deliverable such gene lists, GSEA analysis, figures etc... In the two examples above the level of security and confidentiality needed is very different but what is identical is the fact that the data do not belong to you. They belong to the PI of the project and your core facility is providing a service.

In the case of the mouse experiment if your colleague want to access those data you should refer him/her to the PI of the project. Similarly for the human data containing PHI the access right are not your to set except if you are the owner of the project.

There should be no feeling that you appear over-protective or paranoiac, if the data belong to someone else it is not your problem to decide to give access or not. Refer the request to the project owner.

I hope this helps. In case of conflict or tricky situation always refer to your supervisors for help.

If I were in your case, I would contact the person with whom I have signed the contract, and explain him the situation. You should not give the data to anyone, unless you have the permission from the person who hired you.

You are not suppose to share the data without approval from your supervisor or the PI associated with the project. AFAIK, as a member of a researcher group handling confidential data you should be approved by Institutional review board (IRB) or Ethics committee. You may inform your senior or whoever ask you for the data access to inform your supervisor and PI and get the required data access approval.

Hi, I believe a clear policy is necessary especially for a core facility. So your question induced me to google in search for some example...

here I found a quite clear scheme. At this site is also presented the more complicated case of confidential or sensible data.

I don't believe that each step of the workflow should be implemented with a formal written or electronic request, but the logic behind data mangement should be the same: every data has an owner and access restrictions and every request should be directed people responsible for the data, not to people involved in the data transfer.