Epidemiologist Thomas Sellers thought that he had discovered a treasure trove of data that could help to shed light on the heredity of breast cancer. When he took a post at the University of Minnesota in Minneapolis in 1989, he had heard about archived records of a multi-generation family study of the disease that were mouldering in the basement of the botany department. The study had been completed in 1952, and no one had kept track of the families that had been involved.

Excited by the prospect of data that spanned decades and generations, Sellers sifted through index cards that listed the names of people with breast cancer, and their relatives. He started to track down descendants of the patients to ask about their health and medical histories. “We ended up with four- or five-generation pedigrees,” he says. “It was a really powerful resource.”

Credit: Adapted from Abscent84

But about seven years into his work, Sellers hit a major snag: in 1996, the US government passed the Health Insurance Portability and Accountability Act (HIPAA), a law that, among other things, established strict protections for the health information of individuals. His efforts to contact the relatives had to cease. “We were revealing information about people's cancer history to others who might not be allowed to know,” says Sellers, now director and an executive vice-president of the Moffitt Cancer Center in Tampa, Florida. “It is a study that could not be done today.”

Privacy laws have complicated research that involves people in many fields. Early-career investigators must navigate an ever-changing maze of regulations, but they do not have to face the challenge alone. Institutional review boards and compliance offices of universities and research centres can provide guidance on each step, from obtaining patient consent to handling and storing human tissue and data. Working closely with colleagues who are familiar with the issues — both within and beyond their institution — can also help researchers to get the data that they need without falling foul of the law.

Bewildering patchwork

An important first step in many areas of biomedical research is for scientists to become familiar with the privacy laws that affect their work. In the United States, human-tissue research is governed mainly by two wide-ranging laws: the HIPAA and the Federal Policy for the Protection of Human Subjects, which is also known as the Common Rule. These laws dictate how researchers can obtain and use tissue and how they may store and protect the personal information that they collect.

Regulations vary widely between US states, and some state laws are tighter than federal laws; California, for example, has set a higher standard for medical privacy. And most institutions will also have their own policies and procedures, which can create a bewildering patchwork of requirements, especially for researchers who are part of multi-institution collaborations. “Cancer research in the United States is a fragmented effort,” says Melissa Markey, a lawyer with Hall, Render, Killian, Heath and Lyman in Troy, Michigan, who specializes in technology, privacy and human-subject research. “This is the reason that researchers run screaming from explanations of how these laws fit together, because it is very confusing. It's like Alice in Wonderland.”

Rules and responsibilities also vary from nation to nation. In the United Kingdom, the Data Protection Act controls the use of personal information, and the Human Tissue Act (and its counterpart in Scotland) regulates the use of human organs and tissues. The National Health Service (NHS) helps to direct how personal medical information can be shared. Senior members of staff in the NHS act as 'Caldicott guardians' who work to ensure that those data stay secure. “That seems like a lot of regulations, and it is,” says Stefan Symeonides, a clinical oncologist at the University of Edinburgh. “My advice is to not be daunted. It's a lot of process, but the underlying principle is to enable research and maximize use of data in a safe way.”

In Europe, harmonized laws facilitate the flow of tissues and data between EU member countries and beyond.

Knotty problems

It can be a challenge to navigate the acquisition of health data. Large institutions and academic health-science centres in the United States and the United Kingdom typically employ or retain individuals who have expertise in privacy law and can offer comprehensive support to researchers. Madhu Purewal, a senior legal officer at the University of Texas MD Anderson Cancer Center in Houston, earlier this year helped an investigator to procure patient data from a handful of institutions that had different protocols. She guided the researcher in crafting individualized agreements for each. “As a faculty member, this is not your area of expertise,” she says. “But I can help you figure out what is needed.”

Carlos Caldas, an oncologist at the University of Cambridge, UK, says that he and his colleagues rely heavily on their institutions' clinical-research coordinators and data-security staff to steer them through the regulatory requirements. His advice? “Join places that have a critical mass of expertise.” Caldas also says that large cancer-research facilities tend to have the infrastructure — tissue and tumour banks and encrypted databases — to accept and process samples without putting materials or data at risk.

Joining forces with peers and colleagues is the best way to untangle the knotty problems of privacy.

Launching a research programme at an institution with no affiliation to a hospital can be a trickier matter. The lack of access to patients created cumbersome obstacles for biomedical engineer Michael Fenn, who works on cancer diagnostics. As a new member of faculty in 2013 at the Florida Institute of Technology in Melbourne, Fenn's research stalled when he tried to get patient samples and data from other research centres. The institute had no formal partnerships with cancer hospitals or research institutes, so he was uncertain about whom to contact at those organizations or how to comply with their privacy requirements. “I'm asking them, 'May I have some tissue from a particular type of patient?'” he says. “But the process was so convoluted and I wasn't even sure how to initiate it.”

Fenn smoothed the way by establishing relationships with key researchers, surgeons and pathologists at the centres who helped him to navigate the process of accessing tissue and data. He now advises early-career researchers to establish informal alliances before they even think about getting their first samples. “You'll get the access you need, and the scientists and physicians there will help you to move beyond the bureaucracy,” he says.

Even investigators at large cancer-research centres are likely to encounter bureaucratic knots, particularly when participating in large collaborations that span institutions. “In an era of team science, that can be really difficult,” Sellers says. “There might be 30 institutional review boards involved for one study, each with their own agreements. It takes time, money and effort, and it's not helping to accelerate academic health-related research.”

Individual researchers can be frustrated by restrictions. Katerina Politi, a pathologist at the Yale Cancer Center in New Haven, Connecticut, has obtained consent from patients that allows her to collect their tissue for immediate analysis. But patients must provide further consent if another sample is needed from them. “We can do this biopsy, but if they have another in the future, they have to reconsent,” says Politi. “If you could streamline the consent of patients and acquisition of materials, you might not miss opportunities to learn more about diseases.”

Some institutions are trying to smooth the process. In 2014, oncologist Michael Caligiuri, who directs the Ohio State University Comprehensive Cancer Center in Columbus, in 2014 co-founded the Oncology Research Information Exchange Network, a federation of 11 cancer-research centres across the United States. Member organizations share an institutional review board and follow a uniform protocol for interacting with patients and requesting and collecting tissue and data. Caligiuri says that studies performed within the network can move more quickly and require less paperwork because members can share data and samples from patients.

Ultimately, joining forces with peers and colleagues is the best way to untangle the knotty problems of privacy, say seasoned researchers. “The rules are always changing,” says Sellers. “One needs to be paying attention to the literature and what's coming out there from the government. Find people in your network who are dealing with the same challenges. We're always happy to share our recipes for obtaining the data and consent.”