c. Data access

Establishing an access policy for your data is an important aspect of data stewardship. The data access and sharing policy of your study should be tailored to your project and it should take the Data Governance Policy of your UMC into account.

Most UMCs are currently in the process of setting up a Data Governance Policy or Procedure, often in collaboration with their university. This Data Governance Policy may include regulations on internal access to research data and re-use of data, including authorisations. In addition, it may recommend installing one or more Data Access Boards or Committees that play a role in granting permission to share data with third parties.

Be sure that:

  • you take the Data Governance Policy or Procedure of your institute into account when writing your data management plan (DMP);
  • the data sharing plan in your DMP is approved by your institute’s Data Access Board, if necessary.

For collaborations with third parties, be sure to draw up a legal agreement that is approved by your institute (i.e., a Research Collaboration Agreement and often a Data Transfer Agreement or Data Sharing Agreement). This agreement should state which party is responsible for the data and it should describe access rights within the collaboration, for instance:

  • in research consortia;
  • in community databases (e.g., reference data);
  • when patient organisations are co-owners;
  • when your data is on an external server or in an external database.

Frequently Asked Questions

Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods. (Source: Do’s and don’ts for Informed Consent for Sharing Data, UU, A. vd Kuil).

Having access policies for your data is an important aspect of data stewardship. Your access policies should establish who is authorised to access the data:

  • who gets access to your data (e.g., researchers, data managers, ICT staff, administrative staff);
  • to which data these people get access;
  • what type of access they get (e.g., read only, edit).

This includes:

  • internal access policies (i.e., for yourself and your colleagues, for instance when you need remote access to your data);
  • external access policies (e.g., in case you are sharing files with others as part of a new research project).

Access policies are part of your data management plan. It is your responsibility to describe them before you start collecting data. In the case of a clinical trial, a substantial change in access policies should lead to an amendment of your ethical protocol.

Important aspects are:

  • never allowing access to personal or clinical data to unauthorised people (this includes colleagues from your research group who are not involved in the project);
  • under no circumstances granting access to (in)directly identifiable data via computer accounts shared by multiple persons;
  • not providing more information in a data extraction than needed for a particular analysis;
  • making sure that access to the database is logged properly (i.e., who accesses the system for what purpose and who retrieves which data elements);
  • preferably verifying the identity of the user logging into a database with (in)directly identifiable data by at least one other method than just password security (“2-factor authentication”);
  • preferably using a one-time password generating tag or a message to your phone.

Any access outside the authorisations in the access policies should be considered unauthorised access. You should be able to detect unauthorised access in a timely manner, whether it comes from inside or outside. Note that there is a legal obligation to report personal data leaks in most countries.

In cohort studies, contact data of study subjects are usually registered. Access rules should differentiate between those having access to research data and those having access to these contact data. In principle, one person should not have access to both, unless the researcher is also the treating physician. An exception can only be made for smaller projects that have a limited period during which data are created, processed and analysed. In your Data Management Plan, you will have to argue why this exception applies to your research project (i.e., explain why it is necessary for staff members to access both research data and contact data).
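
The rules above (who may access which data with what type of access, logging of purpose and retrieved data elements, no shared accounts, and separation of research data from contact data) can be checked mechanically against an access log. The following Python example is added here for illustration and is not part of the original handbook; the policy structure, the log format and all user, dataset and field names are constructed assumptions.

```python
# Added example; every user, dataset and field name below is constructed.
# Policy: user -> dataset -> (access types granted, data elements granted)
POLICY = {
    "a.jansen": {"research": ({"read"}, {"age_group", "hba1c"})},
    "b.devries": {"research": ({"read", "edit"}, {"age_group", "hba1c", "bmi"})},
    "c.bakker": {"contact": ({"read"}, {"name", "phone"})},
    "d.smit": {"research": ({"read"}, {"hba1c"}), "contact": ({"read"}, {"name"})},
}
SHARED_ACCOUNTS = {"lab-pc"}      # accounts used by more than one person
DUAL_ACCESS_EXCEPTIONS = set()    # users whose dual access is argued in the DMP

# Constructed log entries: (user, purpose, dataset, access type, data elements)
LOG = [
    ("a.jansen", "analysis-1", "research", "read", ["age_group", "hba1c"]),
    ("a.jansen", "analysis-1", "research", "edit", ["hba1c"]),
    ("a.jansen", "analysis-1", "research", "read", ["hba1c", "postcode"]),
    ("b.devries", "", "research", "read", ["bmi"]),
    ("c.bakker", "invitation", "research", "read", ["hba1c"]),
    ("lab-pc", "analysis-1", "research", "read", ["hba1c"]),
]

def check_entry(entry):
    """Return the policy violations found in one log entry."""
    user, purpose, dataset, action, fields = entry
    findings = ["shared account"] if user in SHARED_ACCOUNTS else []
    if not purpose:
        findings.append("no purpose logged")
    grant = POLICY.get(user, {}).get(dataset)
    if grant is None:  # no authorisation at all for this dataset
        return findings + ["dataset not authorised"]
    allowed_actions, allowed_fields = grant
    if action not in allowed_actions:
        findings.append("access type not authorised")
    extra = sorted(set(fields) - allowed_fields)
    if extra:  # more data elements retrieved than the policy grants
        findings.append("elements not authorised: " + ", ".join(extra))
    return findings

def audit(log):
    """Return (entry index, user, findings) for every entry with a violation."""
    return [(i, e[0], f) for i, e in enumerate(log) if (f := check_entry(e))]

def dual_access_users(policy, exceptions):
    """Users authorised for both research data and contact data."""
    return sorted(u for u, g in policy.items()
                  if {"research", "contact"} <= set(g) and u not in exceptions)

if __name__ == "__main__":
    print(audit(LOG), dual_access_users(POLICY, DUAL_ACCESS_EXCEPTIONS))
```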

In principle, your access policies should be described at the start of your project. One reason for this is that, in many cases, patients have to give informed consent on data sharing before you start collecting data. Yet, there should be sufficient room for change, following from the principle of responsible data sharing, for instance because:

  • new funders may require new access and sharing conditions;
  • your project may lead to unforeseen data, which generate unforeseen requests for those data.

Yes, most UMCs request all personnel who work with data in the care environment to sign a 'geheimhoudingsverklaring' (confidentiality statement) as a standard procedure.