...
The Sage Bionetworks Access and Compliance Team (ACT) discusses with the data contributor what requirements must be met for a data requestor to access a particular controlled data set. The ACT then configures the access requirement (AR). Options include:
The instructions/verbiage for the AR.
The data requestor must be a certified user (Y/N)
The data requestor must have a validated profile (Y/N)
A data use certificate (DUC) must be included in the request. (The ACT crafts a template to be used.) (Y/N)
Approval by the data requestor’s institutional review board (IRB) is required. (Y/N)
An intended data use statement (IDU) is required (Y/N) and, if so, whether it will be publicly visible.
...
When a data requestor wishes to access a data set (one or more files) they visit the page for the dataset in Synapse and click ‘request access’. First, they are requested to create a Research Project description:
The data requestor reads the instructions/verbiage which provides additional guidance. They must provide whatever documents are configured as required by the ACT. An access request may be made on behalf of multiple users (e.g., multiple collaborators in a laboratory). The data requestor enters the list of users by their Synapse user names. The names of the users must match those listed in the data use certificate.
...
Further, the data requestor (and their colleagues) may need to go through the process of becoming a certified and/or validated Synapse user.
Once submitted the request goes to the ACT. After approval the data is unlocked and this status is indicated in the Synapse UI.
...
TODO: Are email notifications sent?
Updating, renewing and Revoking Access
TODO: Explain how the requirement for renewal is defined and what the process for revocation is.
A data accessor can update an access request, e.g., to add additional end users or to remove users who are no longer part of their group.
On update (to renew or revoke), there's some additional information requested by the ACT :
...