Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Defining a Managed Access Requirement

The Sage Bionetworks Access and Compliance Team (working ACT) discusses with the data contributor to figure out what conditions are required) can toggle a number of options for this type of Access Requirement.  Let's assume they decide to flip on all options.  That would look like this:

...

On the other side, when someone requests access to these data, they always need to tell us about their Research Project:

...

And for this access requirement configuration, they need to provide a number of other files ("other required documents" would be described in the Access Requirement instructions).

Image Removedwhat requirements must be met for a data requestor to access a particular controlled data set. The ACT then configures the access requirement (AR). Options include:

  • The data requestor must be a certified user (Y/N)

  • The data requestor must have a validated profile (Y/N)

  • A data use certificate (DUC) must be included in the request. (The ACT crafts a template to be used.) (Y/N)

  • Approval by the data requestor’s institutional review board (IRB) is required. (Y/N)

  • An intended data use statement (IDU) is required (Y/N) and, if so, whether it will be publicly visible.

...

The ACT decides which file or files in Synapse are to be controlled by the AR. If the access requirement is applied to a folder then all files beneath that folder, or within nested subfolders, are so restricted. Further, the ACT may apply multiple ARs to a file or folder in which case the data requestor must meet the requirements of all the ARs that apply.

Requesting Access to Controlled Data

When a data requestor wishes to access a data set (one or more files) they visit the page for the dataset in Synapse and click ‘request access’. First, they are requested to create a Research Project description:

Image Added

The data requestor must provide whatever documents are configured as required by the ACT. An access request may be made on behalf of multiple users (e.g., multiple collaborators in a laboratory). The data requestor enters the list of users by their Synapse user names. The names of the users must match those listed in the data use certificate.

Image Added

Further, the data requestor (and their colleagues) may need to go through the process of becoming a certified and/or validated Synapse user.

Reviewing and Revoking Access

TODO: Explain how the requirement for renewal is defined and what the process for revocation is.

On update (to renew or revoke), there's some additional information that the governance team would like to knowrequested by the ACT :

...