All of Us Research Program

Data User Code of Conduct

 

This Data User Code of Conduct describes how All of Us Research Program data may and may not be used by Authorized Data Users.

An Authorized Data User is a person who is authorized to access and/or work with Registered or Controlled Tier data from the All of Us Research Program.

To become an Authorized Data User, individuals must:

●    Ensure they are covered by an institutional Data Use and Registration Agreement (DURA), as applicable;

●    Verify their identities;

●    Complete the All of Us Responsible Conduct of Research Training;

●    Read and acknowledge this Data User Code of Conduct; and

●    Complete all other required steps in the Authorized Data User onboarding process.

 

Code of Conduct

As an Authorized Data User of the All of Us Research Program data, I will:

●      Read and adhere to the All of Us Research Program Core Values.

●      Follow all laws and regulations regarding research involving human data and data privacy that are applicable in the area where I am conducting research.

○   In the United States, this includes all applicable federal, state, and local laws.

○   Outside of the United States, other laws will apply.

●      Conduct research that follows all policy requirements, including those not expressly mentioned in this document, and conforms to the ethical principles upheld by the All of Us Research Program.

●      Respect the privacy of research participants at all times.

○   I will NOT use or disclose any information that directly identifies one or more participants.

■      If I become aware of any information that directly identifies one or more participants, I will notify the All of Us Research Program immediately using the appropriate process.

○   I will NOT attempt to re-identify research participants or their relatives.

■      If I unintentionally re-identify participants through the process of my work, I will contact the All of Us Research Program immediately, using the appropriate process.

■      If I become aware of any uses or disclosures of All of Us Research Program data that could endanger the security or privacy of research participants, I will contact the All of Us Research Program immediately using the appropriate process.

●      Read and comply with All of Us policies pertaining to the respectful use of data from individuals or groups who self-identify or are otherwise identified as American Indian and/or Alaska Native.

●      Use the All of Us Research Program data ONLY for the purpose of biomedical or health research.

●      Provide a meaningful and accurate description of my research purpose every time I create an All of Us

Research Program Workspace.

○   Within each Workspace, I will use the All of Us Research Program data only for the research purpose I have provided.

○   If I have a new research purpose, I will create a new Workspace and provide a new research purpose description.

●      Take full responsibility for any external data, files, or software that I import into the All of Us Researcher Workbench and the consequences thereof.

○   I will follow all applicable laws, regulations, and policies regarding access and use for any external data, files, or software that I upload into my Workspace.

○   I will NOT upload data or files containing personally identifiable information (PII), protected health information (PHI), or identifiable private information (IPI).

○   I will NOT use external data, files, or software that I upload into my Workspace for any malicious purpose.

○   If any import of data, files, or software into my Workspace results in unforeseen consequences and/or unintentional violation of these terms, I will notify the All of Us Research Program, using the appropriate process as soon as I become aware.

●      Use a version of the All of Us Research Program database that is current at or after the time my analysis begins.

●      Inform the All of Us Research Program using the Research Misconduct Reporting Form if:

○   I have been penalized in the past for one or more data use violations, data management incidents, legal or regulatory violations pertaining to the conduct of research, or other instances of research misconduct; or

○   Subsequent to becoming an All of Us Authorized Data User, I am penalized by another entity for a data use violation, data management incident, legal or regulatory violation pertaining to the conduct of research, or other instance of research misconduct.

 

As an Authorized Data User of the All of Us Research Program data, I will:

 

●      NOT share my login information with anyone, including another Authorized Data User of the All of Us

Research Program data.

○   I will NOT create any group or shared accounts.

●      NOT use All of Us Research Program data or any external data, files, or software that I upload into the Researcher Workbench for research that is discriminatory or stigmatizing of individuals, groups, families, or communities, in accordance with the All of Us Policy on Stigmatizing Research.

○   I will contact the All of Us Research Program Resource Access Board (RAB) for further guidance on this point as needed.

●      NOT attempt to contact All of Us Research Program participants.

●      NOT take screenshots or attempt in any way to copy, download, or otherwise remove any participant- level data from the All of Us Researcher Workbench.

○   I will NOT publish or otherwise distribute any participant-level data from the All of Us Research Program database.

o  I will NOT publish or otherwise distribute any data or aggregate statistics corresponding to fewer than 20 participants unless expressly permitted under the terms of the All of Us Data and Statistics Dissemination Policy.

●      NOT redistribute or publish any data or statistics with the intent of reproducing the All of Us Research Program database or part of the database outside of the All of Us Researcher Workbench.

●      NOT attempt to link Registered or Controlled Tier All of Us Research Program data at the participant level with data from other sources.

●      NOT use All of Us Research Program data or any part of the Research Hub for marketing purposes.

●      NOT represent that the All of Us Research Program endorses or approves of my research unless such endorsement is expressly provided, in writing, by the All of Us Research Program.

 

Data Disclaimer

The All of Us Research Program does not guarantee the accuracy or availability of the data in the All of Us Research Program database; guarantee the performance of the software in the All of Us Research Program database; or warrant or endorse the research results obtained by using the All of Us database.

 

Terms and Definitions

●      The All of Us Research Program is a national longitudinal research initiative that aims to engage one million or more participants living in the United States. Participants contribute health data and specimens (blood, urine, saliva) to a repository that includes health, behavioral, genomic, and other data. The All of Us Research Program is a key component of the Precision Medicine Initiative, which aspires to leverage advances in genomics and health information technology to accelerate biomedical discoveries.

●      There are three data access tiers within the All of Us Research Program.

○   Public Tier: The resource tier containing only summary statistics and aggregate information that poses negligible risks to the privacy of research participants. The Public Tier can be accessed by anyone; it does not require logging into the All of Us Researcher Workbench.

○   Registered Tier: The resource tier that contains data elements that have a lower risk of unapproved re-identification, and thus carries minimal risk to the privacy of research participants. Registered Tier data can only be accessed by users who log into the All of Us Researcher Workbench. All access will be logged and may be audited for compliance.

○   Controlled Tier: The resource tier that contains data elements that may not, in their own right, readily identify individual participants but that may increase the risk of unapproved re-identification when combined with other data elements. Such data may include participant-level genomic data, clinical notes, and narrative data. Users must be appropriately accredited and granted approval to access the Controlled Tier, and all access will be logged and may be audited for compliance.

●      An Authorized Data User is a person who is authorized to access and/or work with Registered or Controlled Tier data from the All of Us Research Program. Each Authorized Data User must verify their identity, complete the All of Us Responsible Conduct of Research Training, attest to this agreement, and complete all other aspects of the Authorized Data User onboarding process. Authorized Data Users may also need to be covered by an institutional Data Use and Registration Agreement (DURA).

●      The Resource Access Board (RAB) is the board that operationalizes decisions regarding data access. Its responsibilities include overseeing registration procedures for new Authorized Data Users, conducting Workspace audits, responding to Authorized Data User inquiries around potentially stigmatizing research, and reviewing potential violations of the Data User Code of Conduct.

●      The All of Us Researcher Workbench is the cloud-based research platform that the All of Us Research Program has created where individuals can apply for access to the data and, once approved as Authorized Data Users, create project-specific Workspaces in which to access and analyze the data.

●      A Workspace is a user-created analytical sandbox within the All of Us Researcher Workbench platform where users can virtually pull in subsets of data from the All of Us Research Program database and perform analyses. Authorized Data Users must create a new Workspace for each research project using All of Us data and provide a plain language description of the research project, as well as other project information, that will be published publicly in the All of Us Research Projects Directory.

●      Personal Identifying Information (PII) is information that can be used to distinguish or trace the identity of an individual (e.g., name, Social Security number, biometric records, etc.), either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (2 CFR § 200.1).

●      Protected Health Information (PHI) is individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium (45 CFR § 160.103).

●      Identifiable Private Information (IPI) is private information for which the identity of the subject is or may readily be ascertained by the investigator or associated with the information (45 CFR § 46.102).

●      Marketing is communication about a product or service that encourages recipients of the communication to purchase or use the product or service (45 CFR §164.501).