Frequently Asked Questions
1. Why do I have to give an email address to get a code to proceed with the Registry?
2. What are the password requirements?
* A length of at least 8 characters.
* At least 1 capital letter.
* At least 1 lowercase letter.
* At least one number (0-9).
3. What is the security level of the servers and how is the data encrypted?
All of data in the system is encrypted when in transit and while at rest. We use Secure Sockets Layer encryption of the site, and nationally-recognized cloud services.
The production systems are hosted in the S3 Elastic Web service of the Amazon Web Services (AWS). Physical access to these data centers is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. For additional information about AWS' security, see http://aws.amazon.com/security.
Private Access' approach to security protocols has been to design, express, and enforce security as bounded architectural attributes, shared technical services, and redundant platform operations that occur as multiple occurrences throughout the service, both procedurally (user prompted) and systemically (automatically), and not merely as single points of occurrence (such as standard user name and password authentication and/or authorization techniques).
The system is encrypted and monitored at each level, uses secured HTTPS internally, as well as externally. The architecture secures data at a data persistence level, by encrypting all transported data between web servers and web browsers, including incorporating cryptographically randomized pseudonyms, secure API calls for all internal and external web services, and the use of decoupled Identity Provider (IdP) and Identity verification (IdV) systems. All internal and external API calls within the PEER registry utilize secure API calls. The API security enforces message authenticity, integrity, and confidentiality.
Survey responses and other de-identified data are held separate from the personally-identifying information and retained on behalf of Genetic Alliance by Traitwise, Inc. Any columns in the Traitwise database table for a PEER participant that could conceivably contain individually identifiable health information is encrypted using an encryption algorithm approved in Annex A of FIPS 140-2. This expressly includes (i) The randomly-generated foreign user id that is provided by Private Access for the participant to whom said data pertains; (ii) the identity of the host for said foreign_user_id; (iii) The "source" from which an answer came (e.g., the embed_id that identifies the website where the iFrame containing the Traitwise survey widget is contained; and (iv) any answers provided by PEER participants in free-text fields, as and when used in the Traitwise survey questionnaire.
PEER works in conjunction with the consent management systems described below to provide accessibility for individual account profiles via the customized PEER system. The security attributes built into Private Access augment the network, system and platform security designed into AWS' and Traitwise's respective environments. This architecture secures data at a data persistence level, so that: (a) All personally identifiable data (PII) is encrypted using symmetric cryptography algorithms; (b) All data is encrypted within data backups and redundant data services; (c) No PII is logged, nor maintained, within application audit logs as a measure of security; and (d) No personal information is ever emailed or sent in any notifications.
4. Who can access my data and how?
The Genetic Alliance BioTrust Ethics Board and various Institutional Review Boards (discussed below) that have reviewed the PEER system have helped to establish a number of categories for access options that individuals may wish to consider. Depending on how individual users employ these tools, they may Grant (Allow), Deny (Decline to allow), or set a control called "Ask Me" that requires that the individual participant be consulted further, and provided with greater details about the intended use and the party seeking such access before deciding whether to allow or deny access. By using the controls, it is possible for individuals to restrict access to their information to a single researcher; just to researchers approved by the Medical Advisory Board of Dyskeratosis Congenita Outreach, Inc.; to researchers approved by the advisory board of other support organizations; to IRB-approved researchers working on a study that addresses one or more of the conditions affecting the individual; or to all researchers with IRB approval.
5. Is there an IRB approval and if so by what board?
Yes. Actually there are several. The overall PEER Platform was reviewed and approved by Western Institutional Review Board (WIRB) in June 2014. The WIRB approval is explicitly referenced in a Prospective Participant Informational Notice that accompanies the confirmation email that is sent to anyone expressing possible interest in the registry. In addition to WIRB, the Genetic Alliance IRB has reviewed the Dyskeratosis Congenita and Telomere Biology Disorder Registry questionnaire instrument and marketing materials, as well as other case-specific details. The BioTrust Ethics Committee of the Genetic Alliance is also actively overseeing this work, and has been instrumental in creating the PEER platform and its approach for empowering individuals to set granular and dynamic access levels.
6. How does one delete their account from the Registry?
One simply needs to click on the "Remove" button associated with a health profile. Alternatively, since the access controls are dynamic in nature, another option that is available to all users at all times is the ability to reduce who is permitted to access information in the registry and/or for what purpose such access may be used.
7. Who are the financial sponsors of the registry?
The Dyskeratosis Congenita and Telomere Biology Disorder Registry was built under a grant from PCORI. Dyskeratosis Congenita Outreach, Inc. is one of nine disease advocacy groups participating in this project, along with UCSF and UC Davis, and Private Access, a technology vendor. Sharon Terry, the CEO of Genetic Alliance serves as the Principal Investigator.