Author: Deborah G. Johnson, University of Virginia.
In the initial description of the case, none of the behavior of the people involved seems grossly, ethically problematic. When patient records are moved from paper to electronic mode, important changes occur in the accessibility of the data. However, that alone is not problematic as long as steps are taken to protect the accessibility of the data and the identity of the individuals.
As the case proceeds, protecting the identity of the patient/subject records comes into focus as an important issue. Before addressing this issue, however, there is another very subtle issue here. Dr. Edwards is soliciting data to help beta test Medusa. Presumably the data he is soliciting have been collected for research that meets the consent requirement for research with human subjects. However, the subjects agreed to participate in research and did not agree to have their data used to beta test a database management system. The lack of consent here becomes even more important as the case unfolds and we learn that the privacy of individual participants will be exposed to increased risk because the data are being used to test Medusa.
As the case continues, we have a straightforward situation of wrongfully balancing convenience over risks to subjects. Amy has access to the complete patient files, and she should know (and should have been instructed about) the importance of confidentiality of medical/research records. Indeed, the system has an encryption function that allows users to remove the identity of patients. However, the encryption function is cumbersome and slow, and Amy doesn't use it when she demonstrates her progress on the database to members of the lab.
Amy's behavior violates the patients'/subjects' trust in researchers when they agree to participate in research. The central importance of trust to the research endeavor should be clear. If trust in researchers is violated, over time individuals will begin to refuse to participate in research. In fact, this case illustrates a number of factors in achieving trust. For one thing, it illustrates that trust is a function of multiple actors. Achieving trust involves more than a single researcher or team of researchers. All who handle research data must behave properly. The researchers who collected the data allowed them to move out of their hands and be stored in a database that they no longer controlled. To ensure the privacy of their subjects, they should have asked for assurance that the data would be treated confidentially and without revealing identity.
Technology also plays a role, which takes us back to the difference between paper and electronic records. The change from paper to electronic storage of records is what allows and facilitates movement of data from one place to the next. Thus, the technology calls upon us to create appropriate norms of behavior around it - norms that protect the trust of research participants.