Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Version

Summary

12/28/2021

Updated format to align with policy version tables

12/15/2021

Current version

12/15/2021

Created version tracking table

Audience

Synapse Access & Compliance Team (ACT). Note: make sure you have consulted the Developing Access Requirement Content SOP before implementing Access Requirements.
Table of Contents

Table of Contents

...

Overview

Public sensitive data often requires that ACT set up Access Requirements for Synapse users to satisfy before they can download data in the respective Synapse entity. Two types of Access Requirements are click-wraps and Managed Access Requirements. 

 A. Managing Data through a “Click-wrap” Agreement

Often, data contributors require Synapse users to agree to specific terms and conditions for data use before obtaining data access. These terms and conditions can include: restrictions on the type of research people can conduct using the data; specific acknowledgement or citation statements that must be stated in publications resulting from data use; and reaffirmation that data accessors will not attempt to re-identify research participants. Click-wrap agreements consist of a pop-up screen listing such terms of data use. Users must click an “agree” button before they are able to obtain access to the data.

 The “click-wrap” can be programmed so that users must be registered, certified, or validated to be able to view the agreement and obtain data access. Registered users must set up a Synapse account and agree to the Synapse Pledge, which ensures users will behave responsibly. Certified users must be registered in Synapse, and must also pass a Synapse Certification quiz, which tests data ethics and general understanding of how Synapse works. Validated users must be certified, and must also have their identity verified by the Sage Bionetworks Access & Compliance Team (ACT).

B.Managing Data through a Managed Access Requirement

Our highest level of protection for public data hosted in Synapse is a Managed Access Requirement. Users must complete a data access application, and then the ACT (or other Data Access Committee, or DAC) must review the application before granting data access. This data governance option essentially transfers data management to the ACT, and enables further selectivity into who is able to receive data access via the data access application.

...

Managed access requirements can also require users to be registered, certified, or validated before submitting their data access application.

Setting up Access Requirements

Note: run through the below steps in a sandbox space before implementing the Access Requirement in any live projects.

Note: we do not add ARs to staging folders.

  1. Navigate to the respective SynID, and ensure you have access to the entity. If you are not able to access the entity, ask the project administrator to add either your Synapse username or the ACT team to the project via the sharing settings toolbar.

  2. Access requirements can be set up on the project, folder, or table level, and will require you to navigate to Project Settings, Folder Tools, or Table Tools, respectively. 

  3. Click the dropdown menu, and select “Manage Access Requirements”

...

  1. For Managed Access Requirements, create a Data Access wiki page within the project space. See the ElevateMS project for an example.

  2. Create a new wiki subpage in the Conditions for Use project, which stores a log of all Synapse Access Requirements. Include the Access Requirement and project link within the new wiki page. Nest the new wiki page under one of the pre-existing pages if applicable.

  3. If required, set up a new wiki subpage for IDU statements to be posted. Please reference the Publicly Posting Intended Data Use Statements SOP.

  4. Test the setup

    1. Test access using a validated & certified account. The AR you just set up should now appear.

    2. Test access using an unvalidated & uncertified test account. The AR you just set up should now appear.

  5. Resolve any Jira tickets filed for the request if applicable.

Adding/Removing an Entity to an Existing Access Requirement

  1. Navigate to the respective SynID, and ensure you have access to the entity. If you are not able to access the entity, ask the project administrator to add either your Synapse username or the ACT team to the project via the sharing settings toolbar.

  2. Access requirements can be set up on the project, folder, or table level, and will require you to navigate to Project Settings, Folder Tools, or Table Tools, respectively. 

  3. Click the dropdown menu, and select “Manage Access Requirements”

...

  • Note: Before removing an entity, ensure that the reasoning is legitimate and the entity does not require the AR

Editing Click-wrap or managed AR content

*Note: always verify that you have the data contributor’s acknowledgement when making a click-wrap or managed AR requirement more lax. Evaluate AR change requests critically.

...

  1. Locate the AR, and click “Edit Access Requirement.”

  2. Make the corresponding updates. Note that users will not automatically be prompted to re-accept click-wrap terms once they are updated. Users will also not be prompted to reapply for data access if they have already been granted access before the updates were made.

    1. You can revoke users from the AR to force them to re-accept terms or reapply for access. You can also delete/archive the AR instead of modifying it (see Deleting ARs section).

Deleting ARs

There are 3 types of AR’s  that can be deleted by ACT

...