This page documents and tracks the progress of a July, 2016 inquiry to the National Institutes of Health (NIH), asking NIH
to disclose documents relating to the handling and protection of (supposedly) confidential
mental health survey data at the
Massachusetts Institute of Technology (MIT).
Background
In April, 2015, top officials at MIT
solicited
its 10,700 students to take a mental health survey with
extremely sensitive
mental health and medical questions, in the name of improving services
to those students. MIT
promised
that the collected data, for its use, would be anonymous, i.e., MIT would not know
any particular student's particular responses. MIT later
deleted
this document promising anonymity near the time questions were raised about
use of the data.
Subsequently, in June, 2016, MIT President L. Rafael Reif and three
other top officials
made
statements
about drug use at a specific MIT residence suggesting use of the data non-anonymously,
with these statements then being used for
punitive actions taken by the University. MIT has refused to respond
to widespread questions about what data was used and how.
Because MIT appears to have obtained the non-anonymous data contrary to its
promise not to do so, it raises the question of whether MIT has sought
the customary protections under the Public Health Service Act,
42 U.S.C. 241(d), Section 301(d).
These protections take the form of NIH-issued "Certificates of Confidentiality" that
allow the holder of the data (here, MIT) to resist disclosure to law enforcement,
litigants, insurance companies, etc.
This inquiry to NIH is intended to discover what protections are and are not
in place, so that: students with a latent liability for disclosure can be aware of it;
that students asked to take a future survey can be completely informed about
data practices at MIT before consenting to take such a survey; and for
evaluation of MIT as a university prospective students would want to attend.
Summary of Activity
Based on the
full response.
from NIH, below is this history of Certificate of Confidentiality (CoC) relating to Healthy Minds Study, including applications for issuances and extensions and grants thereof for the period from September 30, 2005 through December 31, 2017. CoCs were:
- Issued for the period January 8, 2006 through December 31, 2007
- Extended for the period September 25, 2007 through December 31, 2010
- Extended for the period February 24, 2010 through June 30, 2013
- Extended for the period March 15, 2013 through December 31, 2017
There are a few anomalies:
- The March 2013 extension included no update on the Institutional Official, even as Nowack had retired at end of 2012.
- In the original application, under "Q9, Protection of subjects' identities" it states: "... in the final analytic data file, no identifiable information will be included." However there are questions as to whether that was adhered to.
- Survey work appears to have been scheduled for October to December 2005 without the CoC, which only became effective in January, 2006
Event Date |
Event Type |
Sender |
Recipient |
45-CFF-46 Assurers |
Other parties |
CoC ID |
CoC Effective Date |
CoC Expiry Date |
CoC Scope |
Issuing Signatory |
Notes |
September 30, 2005 |
Application for CoC, HMS |
Daniel Eisenberg (U-M) |
Olga Boikess (NIH) |
Daniel Eisenberg (U-M), Judith A. Nowack (U-M) |
Survey Sciences Group, LLC (data collectors) |
|
October 1, 2005 |
October 1, 2008 |
|
|
Q9, Protection of subjects' identities: "... in the final analytic data file, no identifiable information will be included." |
January 8, 2006 |
CoC Issue |
Olga Boikess (NIH) |
Daniel Eisenberg (U-M) |
Daniel Eisenberg (U-M), Judith A. Nowack (U-M) |
Survey Sciences Group, LLC (data collectors) |
MH-06-003 |
January 8, 2006 |
December 31, 2007 |
|
William T. Fitzsimmons (NIH) |
The CoC was issued and effective January 8, 2006 even as the application stated survey work would begin three months earlier on October 1, 2005 |
August 29, 2007 |
Application for amendment of CoC |
Daniel Eisenberg (U-M) |
Olga Boikess (NIH) |
Daniel Eisenberg (U-M), Judith A. Nowack (U-M) |
U-M, California State-Chico, Emory University, University of Illinois at Chicago, Illinois at Springfield, Illinois at Champaign-Urbana, New Mexico State, North Carolina-Chapel Hill, North Carolina-Greensboro, Penn State, Tufts, Yeshiva University. (12) |
|
September 15, 2007 |
|
Multi-site (12) |
|
Q9, Protection of subjects' identities: "... in the final analytic data file, no identifiable information will be included." |
September 25, 2007 |
Grant of amended CoC |
Olga Boikess (NIH) |
Daniel Eisenberg (U-M) |
(unchanged) |
(unchanged) |
MH-06-003A |
September 25, 2007 |
March 31, 2010 |
Multi-site |
Patrick Shirdon (NIH) |
The CoC was issued and effective September 25, 2007, as the application stated survey work would begin earlier on September 15, 2007 |
February 12, 2010 |
Application for extension of CoC |
Daniel Eisenberg (U-M) |
Olga Boikess (NIH) |
(unchanged) |
(unchanged) |
MH-06-003A |
March 31, 2010 |
July 1, 2012 |
(unchanged) |
|
|
February 24, 2010 |
Grant of extended CoC |
Olga Boikess (NIH) |
Daniel Eisenberg (U-M) |
(unchanged) |
(unchanged) |
MH-06-003A |
March 31, 2010 |
June 30, 2013 |
Multi-site |
Patrick Shirdon (NIH) |
|
March 3, 2013 |
Application for extension of CoC |
Sarah Ketchen Lipson |
Olga Boikess (NIH) |
(unchanged) |
(unchanged) |
MH-06-003A |
March 31, 2010 |
June 30, 2016 |
(unchanged) |
|
|
March 5, 2013 |
Grant of extended CoC |
Philip Sung-En Wang (NIH) |
Daniel Eisenberg (U-M) |
(unchanged) |
(unchanged) |
MH-06-003A |
March 31, 2010 |
December 31, 2017 |
(unchanged) |
Philip Sung-En Wang (NIH) |
|
October 11, 2016 |
Grant of CoC |
Euegene Kane III (NIH) |
Daniel Eisenberg (U-M) |
Daniel Eisenberg (U-M), James A. Ashton-Miller (U-M) on Sep. 14, 2016 |
|
CC-MH-16-252 (HMS, CCMH Version) |
October 11, 2016 |
December 31, 2020 |
|
Nitin Gogtay |
"Participating institutions will receive a de-identified data set and will not be given access to individually identifiable survey data." "Some schools may request additional analysis on how measures from the survey correlate with academic outcomes. In this case, we will link your survey data to your academic records (cumulative and semester GPA, enrollment status, and degrees obtained), and analyze the merged data set without any identifying information, solely for the purpose of this research analysis." |
Timeline of Inquiry
Updates below are in chronological order:
- The inquiry was launched on July 11, 2016 with
this letter which was received at NIH on July 14, 2016.
By law, some response is due to be made in 20 business days from receipt, which would be
by August 11, 2016
in this case. If no response has been received by August 18, 2016 a followup inquiry, citing
nonresponse will be made.
- A request for status
was sent to NIH on July 25, 2016 and received at NIH on July 28, 2016.
- After no response was received by August 22, 2016, a notice of intent to appeal denial
was sent to NIH on that date and received at NIH on August 23, 2016.
- On August 23, 2016, NIH finally
responded for the first time, by Email,
acknowledging receipt, and informing that
the original acknowledgment had been sent back on July 28, 2016
to an incorrect Email address (at .ORG not .COM)
as well as indicating NIH had an incorrect U.S. Mail address on file (in Alabama, not New Jersey).
These errors appear totally random in nature, and despite the fact that the same, correct contact
information had been sent three times prior.
- On August 23, 2016, acknowledgment of the NIH error was sent and the
request reiterated,
as well as the correct contact information
sent again to NIH,
noting that it was correct in the prior three mailings.
- On September 23, 2016, another
letter
was sent to NIH, with updated payment information,
including an increase in authorized expense, doubling it in amount,
as well as confirmed, correct contact information which had
been randomly garbled by NIH earlier. Status of the request
was also asked for.
- After no response was received by October 26, 2016, a final notice of intent to appeal denial
was sent to NIH on that date and received at NIH on October 28, 2016. This notice advised of intent to appeal after November 15, 2016.
- On November 15, 2016, NIH issued a "partial response" to the request with
34 pages of documents. The response indicated that the identity of the MIT official in the request was not being searched for accurately, and that the updated payment terms were ignored. Promptly on that same date, Email was sent to NIH on November 15 about these issues.
- On November 21, 2016, another letter was sent, requesting confirmation of the search criteria, specifically the MIT official, and re-iterating the search criteria and payment terms. This was
received at NIH on November 23, 2016.
- On November 22, 2016, NIH responded via Email with confirmation of the search criteria but not the payment terms.
- On December 6, 2016, NIH issued a final response to the request with
14 pages of additional documents. The full response to the FOIA request #45289 is
here.
More About Certificates of Confidentiality
Normally, sensitive survey data is legally protected against unwanted disclosure to law enforcement, insurance companies litigating claims, plaintiffs or defendants in a lawsuit, etc. by federal law, specifically the
Public Health Service Act, 42 U.S.C. 241(d),
Section 301(d)
This law allows researchers to apply to the National Institutes of Health (NIH) for a "Certificate of Confidentiality" exempting them from being compelled to disclose the data to anyone. But in order for respondents to receive protection, the survey researchers must apply, be issued the Certificate, and
live up to
assurances made
when applying. Among the assurances are compliance with federal regulations,
specifically
45 CFR Part 46, and
more specifically its sections 46.111(a)(7) and 46.116(a)(5) which provide for ensuring
confidentiality.
In addition, applicants are also required to ensure data are not disclosed to unauthorized
people. See "caveat" at bottom of
this page.
Obviously, legal protections against unwanted disclosure are not very useful if the data
may be otherwise disclosed on an unauthorized basis to those not even overtly seeking it. Therefore the NIH requires
assurance of this as well per above "caveat."
It is possible for an institution to obtain
disclosure protection by way of being a participant site in a larger study managed by a single, lead institution, who applies for a "blanket" Certificate of Confidentiality that covers participating
partner institutions. However, even in this case, the same
assurances
made by the lead institution are still required also to be made by each participating
partner, and the lead institution is required to obtain them and keep them on file:
see Sec. "C", Question "I am planning a multi-site ..." on
this page. This ensures that no
institution can avoid any burden of data protection simply by being a participant in a
larger, multi-site activity.
Further, per above, the lead institution is required to
have agreements in place that ensure participants are cooperating.
About this site