Hi Dr. Park,
We need to be careful with this issue.
Regarding the bioethics division’s response, we need to distinguish the “provision” and the “consumption/analysis” of the data.
The Korean Bioethics act ensures that IRB MUST review “human researches”, not the logistics of the base data.
In this context, a provision of certain OHDSI data, that can be assumed as an anonymized one with respect to recently-amended Korean privacy regulations, DOES NOT require IRB review for the data-providing hospitals. This is a good thing!
However, the consumption of the data is another thing. The research consuming the provided OHDSI data is expected to comply with the existing review practice(i.e., a formal review or a shortened, administrative screening to decide whether an exemption can be applied according to article 16 (2) of the bioethics act.)
For non-Koreans, a little bit more about the context:
Until this authoritative decision, it was unclear that the provision of the OHDSI data needs an IRB review, due to the statute of the bioethics act.
There is an unrelated, but confusing provision in the bioethics act about providing data: article 18 (1), (2). It says,
(1) When a human subject of research gives written consents to providing his/her personal information to a third party pursuant to Article 16 (1), the relevant human subjects researcher may provide his/her personal information to a third party, subject to examination thereof by the competent institutional committee
(2) When a human subjects researcher intends to provide personal information about a human subject of research to a third party under paragraph (1), he/she shall “anonymized” such personal information: Provided, That the foregoing shall not apply where a human subject of research consents to leaving his/her personally identifiable information therein. (quote/unquote is added by me)
This article requires an IRB review and the “anonymization” for the provision of personal information. However, the anonymization, referred to in this article 18, is technically defined in article 2 (19) of the bioethics act. It is different from that of the recently-amended privacy act of 2020. According to the authoritative decision that we’re discussing, article 18 is not applied to the data from OHDSI framework, because it’s too anonymized in the context of recent, clarifying regulation.
The recently-amended privacy act of 2020 clearly distinguishes three types of data: original private information, pseudonymized private information, and anonymized information. According to the definition in the act, the risk of re-identification from the pseudonymized PI is not small. But that from the anonymized PI is negligible(i.e., summation, average, or aggregated statistics.)
The privacy act of 2020 clearly notes that anonymized PI is not private information and it doesn’t have identifying capacity whatsoever. According to the statute, article 18 of the bioethics act is not applied to OHDSI data “provision.”
The operation of the distributed research network based on CDM does not require an IRB review for the provision. However, the consumption of the data from the distributed reseearch network still seems to need an IRB review or a shortened, administrative screening to decide whether an exemption can be applied according to article 16 (2) of the bioethics act.
Please correct me if I’m wrong.
This is really great news! But some people are confused (as seen on your facebook timeline - https://www.facebook.com/freefrombias/posts/10218753058242176 ) as they don’t need ANY IRB stuff for the publication.