Research Ethics Board Procedures

📢 BREAKING – China Issues Draft #AI #Ethics Rules for Public Consultation 🚀 Yesterday 22 August, China’s Ministry of Industry and Information Technology (MIIT), along with Ministry of Science and Technology (MOST), CAC and several other national regulators, released the draft Measures for the Administration of Ethics for AI Technological Activities. The consultation will end on 22 Sept. 🤖 The draft Measures apply to all AI R&D and technological services in China that may affect human health and safety, personal reputation, environmental protection, public order, or sustainability, covering businesses across industries, healthcare institutions, research organizations, and academics engaged in AI-related activities. The Measures set out ethical requirements for AI R&D and services, including • Developing technology for the public good • Respecting life, health, and reputation • Upholding justice, fairness, and accountability • Managing risks responsibly • Ensuring compliance with existing laws and regulations Entities are encouraged to establish an Ethics Commission responsible for ethics review. For organizations without an internal body, local authorities will create Ethics Service Centres to provide review services. AI technological activities within scope must undergo ethics review, either by an internal Ethics Commission or a local Ethics Service Centre. Reviews will focus on: • Fairness, risk control, trust, transparency, and explainability • Accountability and liability tracing • Qualifications of personnel involved • Risk–benefit balance and social value of the AI activity Reviews should conclude within 30 days, with outcomes being: approval, rectification and resubmission, or rejection. A simplified review is available for low-risk AI activities, such as those comparable to normal daily scenarios or involving immaterial updates to previously approved projects. MIIT and MOST will publish a list of AI activities requiring expert second review for high-risk activities, such as algorithm models capable of mobilizing public opinions and automated decision-making systems with significant implications for human safety and health. A streamlined review process is available for public emergencies. ❓ What’s Next? 💡 This Ethics Measures reflect China’s pragmatic and agile approach to AI governance. Instead of a sweeping AI law, Chinese regulators are targeting high-risk areas such as #algorithms, #deepfakes, #generativeAI, and AI #labeling. With the Ethics Measures now open for feedback, ethical compliance is expected to be a formal requirement for corporations and institutions operating in China. 🔀 Organizations should closely monitor these developments and adapt their AI strategies and risk management frameworks accordingly. #AI #AIgovernance #China #law #ethics #data #privacy #riskmanagement #regulatory #compliance #enforcement #digitaltrust #digitalgoverance picture credit to Freepik.

Today, National Institute of Standards and Technology (NIST) published its finalized Guidelines for Evaluating ‘Differential Privacy’ Guarantees to De-Identify Data (NIST Special Publication 800-226), a very important publication in the field of privacy-preserving machine learning (PPML). See: https://lnkd.in/gkiv-eCQ The Guidelines aim to assist organizations in making the most of differential privacy, a technology that has been increasingly utilized to protect individual privacy while still allowing for valuable insights to be drawn from large datasets. They cover: I. Introduction to Differential Privacy (DP): - De-Identification and Re-Identification: Discusses how DP helps prevent the identification of individuals from aggregated data sets. - Unique Elements of DP: Explains what sets DP apart from other privacy-enhancing technologies. - Differential Privacy in the U.S. Federal Regulatory Landscape: Reviews how DP interacts with existing U.S. data protection laws. II. Core Concepts of Differential Privacy: - Differential Privacy Guarantee: Describes the foundational promise of DP, which is to provide a quantifiable level of privacy by adding statistical noise to data. - Mathematics and Properties of Differential Privacy: Outlines the mathematical underpinnings and key properties that ensure privacy. - Privacy Parameter ε (Epsilon): Explains the role of the privacy parameter in controlling the level of privacy versus data usability. - Variants and Units of Privacy: Discusses different forms of DP and how privacy is measured and applied to data units. III. Implementation and Practical Considerations: - Differentially Private Algorithms: Covers basic mechanisms like noise addition and their common elements used in creating differentially private data queries. - Utility and Accuracy: Discusses the trade-off between maintaining data usefulness and ensuring privacy. - Bias: Addresses potential biases that can arise in differentially private data processing. - Types of Data Queries: Details how different types of data queries (counting, summation, average, min/max) are handled under DP. IV. Advanced Topics and Deployment: - Machine Learning and Synthetic Data: Explores how DP is applied in ML and the generation of synthetic data. - Unstructured Data: Discusses challenges and strategies for applying DP to unstructured data. - Deploying Differential Privacy: Provides guidance on different models of trust and query handling, as well as potential implementation challenges. - Data Security and Access Control: Offers strategies for securing data and controlling access when implementing DP. V. Auditing and Empirical Measures: - Evaluating Differential Privacy: Details how organizations can audit and measure the effectiveness and real-world impact of DP implementations. Authors: Joseph Near David Darais Naomi Lefkovitz Gary Howarth, PhD

The first legal document I ever worked on was a Non-Disclosure Agreement (NDA). It took me almost 2 hours just to work through it once — not because it was long, but because I was trying to make sense of the legal language and structure. The main challenge? Understanding how the clauses fit together, what they actually meant, and why each one mattered. But once I cracked the structure, I started reading NDAs not as walls of text, but as modular documents built on purpose. Now, I can go through one in 20–30 minutes — efficiently and effectively. Here’s a quick breakdown of the typical structure and key clauses in most NDAs: 🔹 Definitions Sets the scope of terms like “Confidential Information,” “Disclosing Party,” and “Receiving Party.” Precision here determines the entire reach of the agreement. 🔹 Confidentiality Obligations Specifies how the receiving party must treat the disclosed information — non-disclosure, limited use, and care standards. 🔹 Exclusions Identifies categories of information not covered — e.g., information already in the public domain or independently developed. 🔹 Permitted Disclosures Outlines when and to whom confidential information can be disclosed (e.g., affiliates, advisors, or under legal obligation). 🔹 Term and Survival Sets the duration of the NDA and how long confidentiality obligations last — often surviving the termination of the agreement. 🔹 Return or Destruction Obligates the receiving party to return or destroy confidential information upon request or at the end of the relationship. 🔹 Remedies and Governing Law Provides for equitable remedies (like injunctive relief) in case of breach, and establishes the governing law and jurisdiction.

As a lawyer who often dives deep into the world of data privacy, I want to delve into three critical aspects of data protection: A) Data Privacy This fundamental right has become increasingly crucial in our data-driven world. Key features include: -Consent and transparency: Organizations must clearly communicate how they collect, use, and share personal data. This often involves detailed privacy policies and consent mechanisms. -Data minimization: Companies should only collect data that's necessary for their stated purposes. This principle not only reduces risk but also simplifies compliance efforts. -Rights of data subjects: Under regulations like GDPR, individuals have rights such as access, rectification, erasure, and data portability. Organizations need robust processes to handle these requests. -Cross-border data transfers: With the invalidation of Privacy Shield and complexities around Standard Contractual Clauses, ensuring compliant data flows across borders requires careful legal navigation. B) Data Processing Agreements (DPAs) These contracts govern the relationship between data controllers and processors, ensuring regulatory compliance. They should include: -Scope of processing: DPAs must clearly define the types of data being processed and the specific purposes for which processing is allowed. -Subprocessor management: Controllers typically require the right to approve or object to any subprocessors, with processors obligated to flow down DPA requirements. -Data breach protocols: DPAs should specify timeframes for breach notification (often 24-72 hours) and outline the required content of such notifications, -Audit rights: Most DPAs now include provisions for audits and/or acceptance of third-party certifications like SOC II Type II or ISO 27001. C) Data Security These measures include: -Technical measures: This could involve encryption (both at rest and in transit), multi-factor authentication, and regular penetration testing. -Organizational measures: Beyond technical controls, this includes data protection impact assessments (DPIAs), appointing data protection officers where required, and maintaining records of processing activities. -Incident response plans: These should detail roles and responsibilities, communication protocols, and steps for containment, eradication, and recovery. -Regular assessments: This often involves annual security reviews, ongoing vulnerability scans, and updating security measures in response to evolving threats. These aren't just compliance checkboxes – they're the foundation of trust in the digital economy. They're the guardians of our digital identities, enabling the data-driven services we rely on while safeguarding our fundamental rights. Remember, in an era where data is often called the "new oil," knowledge of these concepts is critical for any organization handling personal data. #legaltech #innovation #law #business #learning

Navigating the Research Engagement Process Conducting health research is not just about designing a study and collecting data. Behind the scenes lies a critical process that ensures credibility, compliance, and trust: the research ethics and engagement pathway. As a Research Program Manager, I’ve seen firsthand that without a clear roadmap for ethics approvals and stakeholder engagement, studies risk delays, rejection, or even loss of community trust. Below, I outline the step-by-step process typically required when conducting health research in Kenya, a process that safeguards participants while strengthening research impact. 1️⃣ Obtain Research Ethics Approval Begin by submitting your protocol to a recognised research ethics body. For lab-related studies, this could be the KEMRI SERU Board. ⏳ Timeline: Allow at least 6–8 weeks for review. 2️⃣ Apply for NACOSTI Research Permit With your ethics approval letter, apply to the National Commission for Science, Technology, and Innovation (NACOSTI) for a research permit. ⏳ Timeline: ~2 weeks. 3️⃣ Secure an Institutional Introductory Letter Your institution should issue a formal letter introducing your study and confirming affiliation. 4️⃣ Notify the Ministry of Health Submit your ethics approval, NACOSTI permit, proposal summary, and introductory letter to the relevant Ministry of Health department for national-level clearance. 5️⃣ Engage County Governments Upon Ministry approval, you’ll be directed to approach the counties where your study will take place. Each county has its own research department for review and approval. 6️⃣ Seek Facility-Level Approvals At the health facility level, you may need additional clearance. For example, Kenyatta National Hospital has its own internal ethics review board. 7️⃣ Engage Participants at Facility Level Before recruitment, engage potential participants to explain the study, answer questions, and build trust. This step reinforces ethical principles of respect and informed consent. 8️⃣ Begin Recruitment Only after all approvals and engagements are complete should recruitment and data collection begin. The research engagement process may feel long and layered, but every step serves a purpose: protecting participants, ensuring compliance, and building trust with communities and institutions. It's key to remember that your success will highly depend on navigating power and trust in the engagement process. In my experience, investing time upfront in ethics and engagement leads to smoother implementation, stronger collaborations, and findings that are more likely to inform policy and practice. 👉 To fellow researchers: What’s been your biggest challenge (or lesson learned) in navigating the ethics and engagement process? #ResearchLeadership #EthicsInResearch #StakeholderEngagement #HealthResearch

✳ Bridging Ethics and Operations in AI Systems✳ Governance for AI systems needs to balance operational goals with ethical considerations. #ISO5339 and #ISO24368 provide practical tools for embedding ethics into the development and management of AI systems. ➡Connecting ISO5339 to Ethical Operations  ISO5339 offers detailed guidance for integrating ethical principles into AI workflows. It focuses on creating systems that are responsive to the people and communities they affect. 1. Engaging Stakeholders  Stakeholders impacted by AI systems often bring perspectives that developers may overlook. ISO5339 emphasizes working with users, affected communities, and industry partners to uncover potential risks and ensure systems are designed with real-world impact in mind. 2. Ensuring Transparency  AI systems must be explainable to maintain trust. ISO5339 recommends designing systems that can communicate how decisions are made in a way that non-technical users can understand. This is especially critical in areas where decisions directly affect lives, such as healthcare or hiring. 3. Evaluating Bias  Bias in AI systems often arises from incomplete data or unintended algorithmic behaviors. ISO5339 supports ongoing evaluations to identify and address these issues during development and deployment, reducing the likelihood of harm. ➡Expanding on Ethics with ISO24368  ISO24368 provides a broader view of the societal and ethical challenges of AI, offering additional guidance for long-term accountability and fairness. ✅Fairness: AI systems can unintentionally reinforce existing inequalities. ISO24368 emphasizes assessing decisions to prevent discriminatory impacts and to align outcomes with social expectations.  ✅Transparency: Systems that operate without clarity risk losing user trust. ISO24368 highlights the importance of creating processes where decision-making paths are fully traceable and understandable.  ✅Human Accountability: Decisions made by AI should remain subject to human review. ISO24368 stresses the need for mechanisms that allow organizations to take responsibility for outcomes and override decisions when necessary. ➡Applying These Standards in Practice  Ethical considerations cannot be separated from operational processes. ISO24368 encourages organizations to incorporate ethical reviews and risk assessments at each stage of the AI lifecycle. ISO5339 focuses on embedding these principles during system design, ensuring that ethics is part of both the foundation and the long-term management of AI systems. ➡Lessons from #EthicalMachines  In "Ethical Machines", Reid Blackman, Ph.D. highlights the importance of making ethics practical. He argues for actionable frameworks that ensure AI systems are designed to meet societal expectations and business goals. Blackman’s focus on stakeholder input, decision transparency, and accountability closely aligns with the goals of ISO5339 and ISO24368, providing a clear way forward for organizations.

Please do NOT start research on human subjects unless you have taken into account the ethics part. I beg you, please! 😂 I've encountered multiple cases of my mentees who started a project without the necessary approvals, and when it came to journal publication, they were stuck! Let's see what we need to get started 👇 1. Informed consent Ensures participants fully understand the research, its potential risks and benefits, and their right to withdraw without consequence (you must include this in your submission!) 2. Privacy and confidentiality Safeguarding participant data, including anonymization, encryption, and secure storage (you'll have to describe this in your method section.) 3. Vulnerable populations If research involves children, the elderly, prisoners, or those with cognitive impairments, additional measures protect their rights and well-being. 4. Benefit-risk assessment Potential benefits or risks to participants considering not only physical harm but also psychological and social impacts. 5. Data integrity and transparency Accurate data collection, analysis, and reporting. 6. Researcher bias and conflicts of interest Addressing personal biases and financial conflicts and transparent disclosure and mitigation strategies. 7. Cultural sensitivity Respecting diverse cultural values and beliefs AND, here comes the tough one 👇 8. Institutional review board (IRB) approval An approval letter generated by an IRB is compulsory for every single submission that involves research on human subjects. ___________________ 🔔 This is Dr. Samira Hosseini. Scholars who took my training published +2,000 articles in top-tier journals. Join my inner circle not to miss even one single bit of learning: https://lnkd.in/eVNSihCM

I keep seeing the term “Privacy-by-Design” everywhere. Webinars. Frameworks. ISO guides. Posts. Articles. Finally, after reading countless resources, attending classes, and engaging with domain experts, I decoded a pattern which is now a trending topic in the privacy and AI compliance world. I realized the market isn’t confused about privacy. It’s confused about how to design it. We follow policy, but what we truly need is a system which is a hidden geometry that quietly powers every mature privacy program. 1️⃣ The Compliance Triangle GDPR × ISO 27001 × NIST CSF This is the foundation of Privacy-by-Design where law defines what’s right, controls define how it’s done, and resilience ensures it lasts. ↳ GDPR defines why data must be protected. ↳ ISO 27001 structures how it’s secured. ↳ NIST CSF measures how well it’s sustained. Together, they turn compliance from paperwork into proof.   2️⃣ The Engineering Triangle Minimization × Encryption × Access Control This is the core of Privacy-by-Design ,where principles become protocols. ↳ Minimization limits what you collect. ↳ Encryption shields what you store. ↳ Access Control governs who touches what. When these align, privacy becomes a default setting, not a feature. 3️⃣ The Governance Triangle Policy × People × Proof This is the continuum that keeps privacy alive after launch. ↳ Policy defines intent. ↳ People uphold accountability. ↳ Proof (audits, DPIAs, reports) converts trust into evidence. Governance makes privacy sustainable not seasonal. Together, they create a privacy engine a continuous loop of law → design → assurance. #PrivacyByDesign #GDPR #ISO27001 #NISTCSF #AIGovernance #DataPrivacy #PrivacyEngineering #DigitalTrust #ResponsibleAI Privacy-by-Design isn’t one triangle, it’s a triad of triads. Because It isn’t a policy. It’s an architecture.

IND Clinical Trial Application Approval Process in India (CDSCO) What is an IND Application? An IND (Investigational New Drug) application is submitted to the Central Drugs Standard Control Organization (CDSCO) for obtaining permission to initiate clinical trials of a new drug in humans. Approval Process: Step-by-Step #Step 1: Pre-submission Preparation Conduct preclinical studies and prepare: -Investigator’s Brochure -Clinical trial protocol -CMC (Chemistry, Manufacturing & Controls) data -Safety & efficacy data -Informed consent documents #Optional: Pre-submission meeting with CDSCO for guidance. #Step 2: Submission to CDSCO Submit Form CT-04 (IND) via the SUGAM portal and attach: -All scientific data -Protocol #Step 3: Scientific Review by CDSCO -CDSCO forwards it to the Subject Expert Committee (SEC). -SEC reviews safety, rationale, and protocol. -SEC sends the application to both the Technical Committee and the Apex Committee -The applicant may be asked to clarify their information. #Step 4: Ethics Committee (EC) Approval Submit the trial protocol to a registered Institutional Ethics Committee, and the EC reviews: -Risk-benefit ratio -Informed consent form -Investigator qualifications ⚠ Approval from EC is mandatory before trial initiation. #Step 5: Approval Issued -If CDSCO is satisfied, permission is granted. -This allows the initiation of the clinical trial in India. #Step 6: CTRI Registration -Register the approved trial on the Clinical Trials Registry - India (CTRI). -The trial cannot start until registration is complete. #Step 7: Trial Initiation & Oversight Conduct trial as per Good Clinical Practice (GCP) guidelines and submit: -Serious Adverse Events (SAEs) within timelines -Annual status reports -Protocol amendments (if any) for further approval #RegulatoryAffairs #MedicalWriting #ClinicalReseach #India

📈 📲 The rapid growth of wearable and app derived health data has outpaced our consent infrastructure. A new paper offers one of the clearest attempts to close that gap. A perspective from Stefanie Brückner, Stephen Gilbert, & colleagues, presents a thoughtful framework for responsible use of health app and wearable data in research. As funders and regulators expect stronger transparency and participant centered governance, models like this will be important for future approval pathways and for the long term sustainability of digital research. Many EU-based efforts related to electronic health records are moving toward opt out structures for secondary use. This may work for clinical data collected inside health systems but is not appropriate for data generated through wearables and consumer apps. #PGHD are created voluntarily, outside clinical care, and often on self purchased devices. For this category, the European Data Protection Board has argued that explicit and informed consent is necessary. The framework proposed here is designed for that need. The authors introduce a user driven consent platform that gives individuals a consistent way to decide how their data are shared across apps, clinical systems, and research. As patient generated data become central to public health, clinical trials, and population research globally, this work addresses a foundational gap. Key themes: 🔐 Granular and revocable consent Participants can specify which types of data can be used for personal care or research, update preferences at any time, and rely on pseudonymized identifiers. 📑 Alignment with governance structures Standardized, informed, and revocable consent supports the General Data Protection Regulation and the emerging European Health Data Space, and it provides the clarity global regulators seek in real world evidence. 🔗 Interoperability The platform uses HL7 FHIR and open identity standards, enabling integration with electronic health records and digital health services. This supports international research and ethical data sharing. 🤝 A stronger foundation for trust Transparent governance and clear communication are essential for long term engagement and for high quality datasets. Open Access Paper 🔗 https://www.nature.com/articles/s41746-025-02147-3 At GSD Health Research we are building large scale cohort studies that rely on participant generated data including wearable streams and patient reported outcomes. Our work depends on trust and clarity. This perspective illustrates how consent infrastructure can support ethical real world evidence and accelerate discovery in ways that respect the people who make research possible. Thank you to the full author team for a timely contribution. #digitalhealth #clinicalresearch #realworlddata #datagovernance #PGHD