Instructions for Sage Project Leads
v1.0 (September 2020)
Only human data that does not contain PHI/PPI or sensitive data is eligible for anonymous viewing and/or download. Before you start, consider the risks carefully.
Definitions:
Protected health information (PHI): also referred to as personal health information, generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Personally identifiable Information (PII): Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.)
Sensitive information: Data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. “de-identified” data (maintained in a way that does not allow association with a specific person) is not considered sensitive.
Synapse: a platform developed by Sage Bionetworks to support scientific collaborations centered around shared biomedical data: www.synapse.org
Process:
Please follow these steps to:
Flag human data that does not contain with No PHI/PII/sensitive information and
Request Public Release of flagged content for anonymous download
(1) Flagging data not containing PHI/PII
Step 1: Review the data/content to ensure it does not contain PHI/PII/or Sensitive human information.
Step 2: Submit a JIRA request to your department head* (or an LT member) asking to verify the flagged content. Include the content Synapse ID and a rationale for the request.
Step 3: Your Sage department head* confirms that the flagged content does not contain PHI/PII/sensitive human information, nor poses a risk of re-identification, harm, or discrimination to the research participant/community, and approves (or rejects) the request (on JIRA). Records of verification are routed to the Engineering team.
Step 4: Synapse runs a script to include the flag in the dataset’s annotation or as a property of the entity.
Note that flags should be re-verified any time the dataset is modified. Flags can be removed by the dataset’s original uploader or curator, or by the department head.
(records are kept on JIRA and are auditable by the Governance team.)
(2) Making data downloadable anonymously
Step 1: Confirm that the human content does not pose risks of re-identification, harm or discrimination to the data subject.
Step 2: Contact the Contract team and verify that there are no constraints to the release of the content on the Web (review of legal contracts, MoU, etc.,).
Step 3: Project lead with admin permission on a project can enable content (Flagged Human data and non-human data) to be downloadable anonymously by marking an entity as “OPEN-DATA” and changing the sharing settings to “Downloadable on the web”. The first step is done using this service. An example of calling the service using cUrl is:
| Code Block | ||
|---|---|---|
| ||
curl -i --header "sessionToken:<session_token_santitized>" --request PUT https://repo-prod.prod.sagebase.org/repo/v1/entity/<entity_id>/datatype?type=OPEN_DATA |
where you must replace <session_token_sanitized> with your current session token and <entity_id> with the synxxxx id of the item to be white listed. Please ensure the response status is in the 2xx range.
Examples of Jira tickets used to track the whitelisting for PCAWG, AMP-AD/NF “PORTALS-210” and for CSBC “PORTALS-397". These tickets link out to several different tickets where the approval was tracked:
* If Department head is not available, the Sage Governance Lead can also approve these requests.
Do’s and Don’ts
Do: verify the data content carefully- Releasing data incorrectly is a serious data breach.
Do: reach out to Sage Governance with any questions or concerns
Don’t: side-step this process. You are responsible for handling the data.