...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Follow this SOP if:
You want to make certain Synapse data anonymously viewable and downloadable by anyone on the web.
...
Important: Only data that does not contain PHI/PII or sensitive data is eligible for anonymous viewing and/or download. Before you start, consider the risks carefully, and do notfollow this SOP if your data contains sensitive human information, which should not be downloaded anonymously. For more information on data access types, please refer to this Synapse Docs page.
Definitions:
Metadata: A set of data that describes other data. For example, the file type, file size, and creation date are all types of metadata that could be associated with a data file.
Department Head: The person who leads the requestor’s department. If you are unsure who your department head is, please refer to the Team Sage Directory & Org Chart.
Protected health information (PHI): Also referred to as personal health information, generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Personally identifiable Information (PII): Information that can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.)
Requestor: The person who initiates the request to make data anonymously viewable and/or downloadable.
Sensitive information: Data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. “De-identified” data (maintained in a way that does not allow association with a specific person) is not considered sensitive.
Synapse: A platform developed by Sage Bionetworks to support scientific collaborations centered around shared biomedical data: www.synapse.org
Process:
Please follow the steps below to request and implement public anonymous download for datasets that do not contain PHI, PII, or sensitive information.
A.Requestor indicates that data does not contain PHI/PII
Step 1: Review the data/content to ensure it does not contain PHI, PII, or sensitive information. Confirm with PI that they want to make their data anonymously downloadable and that it does not contain PHI/PII.
...
If the Department Head is not available, the Sage Governance Lead can also approve these requests. Please reassign the Jira ticket to Christine Suver and tag her in the ticket description with clear instructions and link to this SOP. This should be a last resort if the Department Head is not available.
B.Department Head confirms that data does not contain PHI/PII
Step 3: The respective Sage Department Head confirms that the content listed in Step 2 does not contain PHI/PII/sensitive human information, nor possess a risk of re-identification, harm, or discrimination to the research participant/community. The Sage Department Head approves or rejects the request in JIRA accordingly.
Step 4: If the Department Head approves the request, submit a Jira ticket to IT Operations. Link the IT ticket to the original SG ticket. Provide a summary of the request in the Jira and request that the data be made available for anonymous download. List the SynIDs for each entity. Each entity must individually be made available for anonymous download. If the Department Heads denies the request, comment reasoning for rejection back to the requestor so the content can be revised, or close the JIRA request.
Significant updates or modifications to an anonymously downloadable dataset require re-verification by your Department Head to ensure that the data does not contain sensitive material and can still be downloaded anonymously. An example of such an update would be adding new data variables to an existing table of patient demographics or combining datasets. If you are expanding a data repository without adding new variables, you do not need re-verification. For example, if you have already received approval to publicize de-identified patients’ height and weight data, you can add additional patients to the repository without receiving approval. However, if you want to add “age” as a new variable to the dataset, you will need department approval. Anytime new information is added, there should be a spot check to ensure there is not sensitive data.). Any proposed dataset variable additions and their approvals should be noted in the JIRA ticket for auditability by the Governance team.
C. Engineering makes data downloadable anonymously
Step 5: IT will run a script to designate the Synapse data as "open" so it can be downloaded anonymously. Please see instructions here.
Step 6: IT will comment in the JIRA when Step 5 is completed, indicating that the entity has been made available for anonymous download. Note: Access permission does not need to changed by Administrator to Anyone on the Web. Access can remain set as “Can View.”
D. Requestor notifies Administrator that content can be downloaded anonymously in the Synapse Project
Step 7: The original requestor will ask the Administrator to add ACT as Admin on the dataset.
...
b. If the sharing settings are correct, comment on the JIRA ticket about the issue and tag the IT contact for visibility.
Process Diagram:
...
*If Department Head is not available, the Sage Governance Lead (i.e. Christine Suver) can approve requests.
What to Do if an External Independent User Requests Anonymous Download for their Data
First ensure that the user is not asking for an anonymous journal review, and ensure they understand the implications of making data available to anyone on the webHave the PI complete this form, and .
Instruct the User to follow the link to the Help Center and click the Anonymous Access Data link to confirm that the nature of the data is not sensitive.
Complete the process outlined above, starting with step 3. You will need to create a Jira ticket and link the form that was completed by the PI.
Do’s and Don’ts for Requesting Anonymous Download
Do: verify the data content carefully -- Releasing data incorrectly is a serious data breach.
Do: reach out to Sage Governance with any questions or concerns.
Don’t: side-step this process. You are responsible for handling the data.