...
- User visits Synapse page for sensitive data (e.g. the Bridge data).
- User sees that data is Controlled (tier 3).
- User opens dialog, showing text for the access restriction, e.g. "Please become 'verified' (following instructions on your home page), and send a description of how you intend to use this data along with the Synapse ID of this data to SynapseAccessandComplianceTeam@synapse.org".
- User visits home page.
- User clicks link "Become Verified".
- Portal sends user to wiki that contains instructions... "Complete your user profile including name, organization; link your ORCID; then email SynapseAccessandComplianceTeam@synapse.org, including a completed ID verification document."
- User completes user profile and emails ACT, including ID verification document and data use statement.
- ACT receives email. From the user's Synapse user name (the prefix of the 'from' email address), an ACT member determines the ACT management page: https://www.synapse.org/#!ACTVerify:<username>.
- ACT reviews ID verification document and user profile.
- ACT member clicks 'Verify Identity' on verification page.
- Synapse captures snapshot of reviewed information (VerificationBundle, below), records that user is verified, sends notification to user.
- "Verified" now appears on user's page. "Verify Identity" changes to "Remove ID Verification" on the ACT Page.
- User receives verification notification.
- ACT visits page for sensitive data, clicks "Grant access", finds the user based on their user name, and clicks "OK".
- User is notified that they are now granted access.
- User tries to access data, is prompted to reaffirm oath. User agrees.
- User can now access data.
Future: Need a Terms of Use access requirement (TOU AR) gated on the user being certified and verified.
Open questions
- Does verification require renewal after a set time? NO
...