a. General considerations

Sharing policies are an important aspect of data stewardship. Your sharing policy should be tailored to your project. You are responsible for describing the data sharing policy for your study.

Your sharing policy is affected by the following questions:

  • Did the study subjects give permission to share or combine their data?
  • Does the consent mention specific conditions for data sharing?
  • How were the data created and how does this affect data sharing (e.g., methodology, protocols and publications)?
  • What type of data will be released?
  • Is there a procedure for data release with, for example, a Data Access Committee (DAC)?
  • What are the conditions of the funders of the data?
  • When data was reused: what were the conditions under which data were released by the original creator of the data?
  • Who would be the recipient of the data?
  • What warranties will the recipient give about responsible use of the data?
  • What are the conditions of the journal to which the data is submitted?

If you will obtain the data as part of a research collaboration, the intellectual property rights and openness of the resulting data should be discussed between the partners before you start collecting data (e.g., who has the first right to valorise the results).

Note that your data sharing policy should not depend on whether your own research confirmed your hypothesis or not. Your research data can still be useful for other researchers.

Frequently Asked Questions

External access most often means the transfer of certain datasets under certain conditions (restricted access). Contact your legal department (JZ) of Technology Transfer Office (TTO) at the start of your study and before sharing data. They can help you create written agreements (Data Transfer Agreements) on when to share what data with whom under what circumstances. Make clear statements on ownership of data in a consortium, especially when the project ends and with commercial partners.

There is no general answer to this question, for reasons explained below. The UMCs encourage responsible data sharing. Funders and publishers are demanding open access more and more often.

In the era of big data, attitudes towards open access to research data are changing. Traditionally academic institutions as well as companies considered their datasets as their property and assumed a right to protect them. Now, the relevance of using all known data within some kind of research perspective might overrule the present existence of fragmented datasets within institutions and companies. However, public access to datasets will evoke all kinds of new problems concerning privacy and the use of data in social contexts that may harm the persons from which the data were derived.

At present, it is still accepted morality that datasets created in biomedical research are subject to rules of privacy (GDPR) and should not be handed over to third parties outside the domain of biomedical research. Nevertheless, the moral reasoning that warrants limiting access is not overwhelmingly strong if some crucial steps are taken to impede that the persons behind the data are identified. Access rules have been developed to prevent misuse or even abuse by people outside the domain of biomedical research. Moral change in this respect can be expected in the years to come.

As a provider of data you may be involved in designation of a Data Access Committee (DAC) for your data. These DACs have procedures to decide whether data can be shared with a third party. An example of this is the European Genome-Phenome Archive, where each archived dataset has its own DAC. Another example of this is the ‘Division of Biomedical Genetics’ (DBG) Data Access Committee at UMC Utrecht.

The question is not whether the data should be anonymous, since any research data should already be anonymised or pseudonymised. However, anonymous data may become identifiable when datasets are combined. As a data steward, you should consider this before sharing data.

The solutions to this issue are:

  • Only use data that are necessary (data minimisation).
  • If possible, bring the external researcher to the data instead of sending the data to the external researcher.
  • Aggregate the data to such a level that they are never identifiable, irrespective of how you combine this data with other data.
  • Give access only within the data infrastructure of the original researcher (UMC, or data processor on behalf of the researchers or UMCs). The new researcher may add data to this infrastructure, but data are only exported when meeting strict, previously determined conditions. This is the system used by CBS (Statistics Netherlands).
  • Create a balanced system of Data Transfer Agreements, corresponding to the type of data that are released, legally obligating the receiver to take responsibility to not re-identify the data. Obligate the receiver to take the necessary security measures regarding the data.

Anonymity is an important condition of biomedical research, making it impossible to identify the person behind the data. However, complete anonymity seems almost impossible in the age of digital information technology. By combining data from different datasets, it is, according to some, only a matter of time until every individual can be identified in a so-called anonymous set. In addition, personal data sometimes needs to be part of a dataset in order to allocate later events to the same person. In that case, you need to take extra measures to secure the privacy of the study subjects to be GDPR-compliant.

This depends on the consent, that was given by the patient. In any case, data sharing cannot lead to 'open medical data', unless the data is truly anonymous. The guiding principle is responsible data sharing and protecting the privacy of study subjects. The primary responsibility and integrity of researchers relate to their work and the obligations they have towards those who gave informed consent.

Research data may only be shared with an external commercial party if the patient has provided informed consent for this. You should not hand over exclusive rights to reuse or publish your research data to commercial publishers or agents without retaining the rights to make the data openly available for reuse. See section about intellectual property rights.

Use the Toolbox to find your UMC’s information about Data Governance and possibly a Data Access Board to support your specific study.