Registry FAQ's

Frequently Asked Questions

 

1. Why do I have to give an email address to get a code to proceed with the Registry?

The only piece of information sought before consent is an email address, and the use of this information is covered by the Privacy Policy. The email address is employed solely to confirm that the user is in control of the account. This is actually one protection that is employed to reduce the chance that someone is merely contending that they are someone else since it confirms that the user is at least in control of the email account that he or she is using.
 

2. What are the password requirements?

* A length of at least 8 characters.
* At least 1 capital letter.
* At least 1 lowercase letter.
* At least one number (0-9).
 

3. What is the security level of the servers and how is the data encrypted?

All of data in the system is encrypted when in transit and while at rest. We use Secure Sockets Layer encryption of the site, and nationally-recognized cloud services. 

The production systems are hosted in the S3 Elastic Web service of the Amazon Web Services (AWS). Physical access to these data centers is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. For additional information about AWS' security, see http://aws.amazon.com/security.

Private Access' approach to security protocols has been to design, express, and enforce security as bounded architectural attributes, shared technical services, and redundant platform operations that occur as multiple occurrences throughout the service, both procedurally (user prompted) and systemically (automatically), and not merely as single points of occurrence (such as standard user name and password authentication and/or authorization techniques).

The system is encrypted and monitored at each level, uses secured HTTPS internally, as well as externally. The architecture secures data at a data persistence level, by encrypting all transported data between web servers and web browsers, including incorporating cryptographically randomized pseudonyms, secure API calls for all internal and external web services, and the use of decoupled Identity Provider (IdP) and Identity verification (IdV) systems. All internal and external API calls within the PEER registry utilize secure API calls. The API security enforces message authenticity, integrity, and confidentiality.

Survey responses and other de-identified data are held separate from the personally-identifying information and retained on behalf of Genetic Alliance by Traitwise, Inc. Any columns in the Traitwise database table for a PEER participant that could conceivably contain individually identifiable health information is encrypted using an encryption algorithm approved in Annex A of FIPS 140-2. This expressly includes (i) The randomly-generated foreign user id that is provided by Private Access for the participant to whom said data pertains; (ii) the identity of the host for said foreign_user_id; (iii) The "source" from which an answer came (e.g., the embed_id that identifies the website where the iFrame containing the Traitwise survey widget is contained; and (iv) any answers provided by PEER participants in free-text fields, as and when used in the Traitwise survey questionnaire. 

PEER works in conjunction with the consent management systems described below to provide accessibility for individual account profiles via the customized PEER system. The security attributes built into Private Access augment the network, system and platform security designed into AWS' and Traitwise's respective environments. This architecture secures data at a data persistence level, so that: (a) All personally identifiable data (PII) is encrypted using symmetric cryptography algorithms; (b) All data is encrypted within data backups and redundant data services; (c) No PII is logged, nor maintained, within application audit logs as a measure of security; and (d) No personal information is ever emailed or sent in any notifications.
 

4. Who can access my data and how?

Genetic Alliance's PEER (Platform for Engaging Everyone Responsibly) - which provides the basis for the Dyskeratosis Congenita and Telomere Biology Registry - enables individuals to make their own health information available for researchers and support groups, in accordance with each individual's highly granular permissions. Using PEER's access controls, for example, one participant can say that absolutely no one has any rights to access any of their information (including de-identified data and/or identifying information), while another participant can say that all of her information is available to anyone who falls within a category of users who either have IRB approval or who have been approved by a trusted organization. The system assumes that most persons will not be at one extreme or the other, but instead will have different attitudes about how much, and how broadly that she wishes to share information, and that this will be dictated based on the type of information (i.e., de-identified or personally identifying), the levels of trust in the proposed recipient or the process by which they are selected, and the purpose for which the information may be sought. Accordingly, the system provides highly granular and dynamic access controls to empower individuals with this level of oversight, and has a strict Privacy Policy that indicates that the only access to the data will be based on the express wishes of the individual themselves.

The Genetic Alliance BioTrust Ethics Board and various Institutional Review Boards (discussed below) that have reviewed the PEER system have helped to establish a number of categories for access options that individuals may wish to consider. Depending on how individual users employ these tools, they may Grant (Allow), Deny (Decline to allow), or set a control called "Ask Me" that requires that the individual participant be consulted further, and provided with greater details about the intended use and the party seeking such access before deciding whether to allow or deny access. By using the controls, it is possible for individuals to restrict access to their information to a single researcher; just to researchers approved by the Medical Advisory Board of Dyskeratosis Congenita Outreach, Inc.; to researchers approved by the advisory board of other support organizations; to IRB-approved researchers working on a study that addresses one or more of the conditions affecting the individual; or to all researchers with IRB approval. 
 

5. Is there an IRB approval and if so by what board?

Yes. Actually there are several. The overall PEER Platform was reviewed and approved by Western Institutional Review Board (WIRB) in September 2017. The WIRB approval is explicitly referenced in a Prospective Participant Informational Notice that accompanies the confirmation email that is sent to anyone expressing possible interest in the registry. In addition to WIRB, the Genetic Alliance IRB has reviewed the Dyskeratosis Congenita and Telomere Biology Disorder Registry questionnaire instrument and marketing materials, as well as other case-specific details. The BioTrust Ethics Committee of the Genetic Alliance is also actively overseeing this work, and has been instrumental in creating the PEER platform and its approach for empowering individuals to set granular and dynamic access levels. 
 

6. How does one delete their account from the Registry?

One simply needs to click on the "Remove" button associated with a health profile. Alternatively, since the access controls are dynamic in nature, another option that is available to all users at all times is the ability to reduce who is permitted to access information in the registry and/or for what purpose such access may be used.  
 

7. Who are the financial sponsors of the registry?

The Dyskeratosis Congenita and Telomere Biology Disorder Registry was built under a grant from PCORI. Dyskeratosis Congenita Outreach, Inc. is one of nine disease advocacy groups participating in this project, along with UCSF and UC Davis, and Private Access, a technology vendor. Sharon Terry, the CEO of Genetic Alliance serves as the Principal Investigator.
 

8.Where can I find the Privacy policy and security guidelines on the Registry site?

Most of these are available by clicking on the public links to Privacy Policy or Terms of Service located in the bottom right hand corner of the Registry home page and accessible from every page of the system.