Establishing an access policy for your data is an important aspect of data stewardship. The data access and sharing policy of your study should be tailored to your project and it should take the Data Governance Policy of your UMC into account.
Most UMCs are currently in the process of setting up a Data Governance Policy or Procedure, often in collaboration with their university. This Data Governance Policy may include regulations on internal access to research data and re-use of data, including authorisations. In addition, it may recommend installing one or more Data Access Boards or Committees that plays a role in the permission of sharing data with third parties.
Be sure that:
For collaborations with third parties, be sure to draw up a legal agreement that is approved by your institute (i.e., a Research Collaboration Agreement and often a Data Transfer Agreement or Data Sharing Agreement). This agreement should state which party is responsible for the data and it should describe access rights within the collaboration, for instance:
Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods. (Source: Do’s and don’ts for Informed Consent for Sharing Data, UU, A. vd Kuil).
Having access policies for your data is an important aspect of data stewardship. Your access policies should establish who is authorised to access the data:
Access policies are part of your data management plan. It is your responsibility to describe them before you start collecting data. In case of a clinical trial, a substantial change in access policies should lead to an amendment of your ethical protocol.
Important aspects are:
Any access outside the authorisations in the access policies should be considered unauthorised access. You should be able to detect unauthorised access timely, whether from inside or outside. Note that there is a legal obligation to report personal data leaks in most countries.
In cohort studies, contact data of study subjects are usually registered. Access rules should differentiate between those having access to research data and those having access to these contact data. In principle, one person should not have access to both, unless the researcher is also the treating physician. An exception can only be made for smaller projects that have a limited period during which data are created, processed and analysed. In your Data Management Plan, you will have to argue why this exception applies to your research project (i.e., explain why it is necessary for staff members to access both research data and contact data).
In principle, your access policies should be described at the start of your project. One reason for this is that, in many cases, patients have to give informed consent on data sharing before you start collecting data. Yet, there should be sufficient room for change, following from the principle of responsible data sharing, for instance because:
Yes, most UMCs request all personnel that work with data in the care environment to sign a 'geheimhoudingsverklaring' as a standard procedure.