Follow this SOP if:
You want to make certain Synapse data anonymously viewable and downloadable by anyone on the web.
File, folder, and table metadata can be made anonymously viewable on Synapse if the project sharing settings are set to “public” and if there are no local access restrictions applied to the entity. The underlying data itself, such as file contents or table row data, is not anonymously viewable or downloadable unless you follow the instructions below to mark it as OPEN_DATA.
2. You want to use table row data to drive a Portal homepage component.
Row data from Synapse Tables are used to drive Portal homepage components, such as the Programs, People, or Portal Goals components. To make this information publicly viewable on the Portal homepage, it must be marked as OPEN_DATA.
Important: Only data that does not contain PHI/PII or sensitive data is eligible for anonymous viewing and/or download. Before you start, consider the risks carefully, and do not follow this SOP if your data contains sensitive human information, which should not be downloaded anonymously. For more information on data access types, please refer to this Synapse Docs page.
Definitions:
Metadata: A set of data that describes other data. For example, the file type, file size, and creation date are all types of metadata that could be associated with a data file.
Department Head: The person who leads the requestor’s department. If you are unsure who your department head is, please refer to the Team Sage Directory & Org Chart.
Protected health information (PHI): Also referred to as personal health information, generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Personally identifiable Information (PII): Information that can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.)
Requestor: The person who initiates the request to make data anonymously viewable and/or downloadable.
Sensitive information: Data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. “De-identified” data (maintained in a way that does not allow association with a specific person) is not considered sensitive.
Synapse: A platform developed by Sage Bionetworks to support scientific collaborations centered around shared biomedical data: www.synapse.org
Process:
Please follow the steps below to request and implement public anonymous download for datasets that do not contain PHI, PII, or sensitive information.
A. Requestor indicates that data does not contain PHI/PII
Step 1: Review the data/content to ensure it does not contain PHI, PII, or sensitive information. Confirm with PI that they want to make their data anonymously downloadable and that it does not contain PHI/PII.
IF APPLICABLE: Contact the PI of the Project and verify that there are no constraints to the release of the content on the Web (review of legal contracts, MoU, etc).
Step 2: Submit a JIRA request within the Sage Governance (SG) project. Refer to the Team Sage Directory & Org Chart and assign issue to your Department Head (or an LT member) asking them to verify that the content does not contain PHI, PII, or sensitive information. List the content Synapse ID and a rationale for the request.
If the Department Head is not available, the Sage Governance Lead can also approve these requests. Please reassign the Jira ticket to Christine Suver and tag her in the ticket description with clear instructions and link to this SOP. This should be a last resort if the Department Head is not available.
B. Department Head confirms that data does not contain PHI/PII
Step 3: The respective Sage Department Head confirms that the content listed in Step 2 does not contain PHI/PII/sensitive human information, nor possess a risk of re-identification, harm, or discrimination to the research participant/community. The Sage Department Head approves or rejects the request in JIRA accordingly.
Step 4: If the Department Head approves the request, submit a Jira issue to IT (e.g., Xa). Link IT Jira to original Jira in SG. Provide a summary of the request in the Jira and request that the data be made available for anonymous download. If the Department Heads denies the request, comment reasoning for rejection back to the requestor so the content can be revised, or close the JIRA request.
Significant updates or modifications to an anonymously downloadable dataset require re-verification by your Department Head to ensure that the data does not contain sensitive material and can still be downloaded anonymously. An example of such an update would be adding new data variables to an existing table of patient demographics or combining datasets. If you are expanding a data repository without adding new variables, you do not need re-verification. For example, if you have already received approval to publicize de-identified patients’ height and weight data, you can add additional patients to the repository without receiving approval. However, if you want to add “age” as a new variable to the dataset, you will need department approval. Anytime new information is added, there should be a spot check to ensure there is not sensitive data.). Any proposed dataset variable additions and their approvals should be noted in the JIRA ticket for auditability by the Governance team.
C. Engineering makes data downloadable anonymously
Step 5: IT will run a script to designate the Synapse data as "open" so it can be downloaded anonymously. Please see instructions here.
Step 6: IT will comment in the JIRA when Step 5 is completed, indicating that the entity has been made available for anonymous download. Note: Access permission does not need to changed by Administrator to Anyone on the Web. Access can remain set as “Can View.”
D. Requestor notifies Administrator that content can be downloaded anonymously in the Synapse Project
Step 7: The original requestor verifies that the content can be downloaded anonymously:
a. Copy the URL of the dataset (which should be available for anonymous download).
b. Logout out of your Synapse account.
c. Paste the URL into the address bar and attempt to download the data without being signed into Synapse.
Step 8: The original requestor notifies the Administrator of the Synapse project that the content has been made available for anonymous download.
Step 9: If the data can be downloaded anonymously, close the JIRA ticket. If it cannot be downloaded:
a. Check that the sharing settings were applied appropriately (see Step 7).
b. If the sharing settings are correct, comment on the JIRA ticket about the issue and tag the IT contact for visibility.
Process Diagram:
*If Department Head is not available, the Sage Governance Lead (i.e. Christine Suver) can approve requests.
What to Do if an External Independent User Requests Anonymous Download for their Data
First ensure that the user is not asking for an anonymous journal review, and ensure they understand the implications of making data available to anyone on the web
Have the PI complete this form, and confirm that the nature of the data is not sensitive.
Complete the process outlined above, starting with step 3. You will need to create a Jira ticket and link the form that was completed by the PI.
Do’s and Don’ts for Requesting Anonymous Download
Do: verify the data content carefully -- Releasing data incorrectly is a serious data breach.
Do: reach out to Sage Governance with any questions or concerns.
Don’t: side-step this process. You are responsible for handling the data.