Sage Access Requirement and Data Sensitivity Guidance
Audience: Sage Employees
Overview
Sensitive data often requires that ACT set up Access Requirements for Synapse users to satisfy before they can download data within the respective Synapse entity. Two types of Access Requirements are click-wraps and Managed Access Requirements.
Managing Data through a “Click-wrap” Agreement
Often, data contributors require Synapse users to agree to specific terms and conditions for data use before obtaining data access. These terms and conditions can include: restrictions on the type of research people can conduct using the data; specific acknowledgement or citation statements that must be stated in publications resulting from data use; and reaffirmation that data accessors will not attempt to re-identify research participants. Click-wrap agreements consist of a pop-up screen listing such terms of data use. Users must click an “agree” button before they are able to obtain access to the data.
The “click-wrap” can be programmed so that users must be registered, certified, or validated to be able to view the agreement and obtain data access.
Managing Data through a Managed Access Requirement
Our highest level of protection for public data hosted in Synapse is a Managed Access Requirement. Users must complete a data access application, and then the ACT (or other Data Access Committee, or DAC) must review the application before granting data access. This data governance option essentially transfers data management to the ACT and allows greater selectivity over who receives data access through the data access application.
The data access application may include an intended data use statement, an IRB approval letter, or a signed data use certificate, among other options. Within the application, users must indicate their institution, any collaborators, and the project lead. Typically, applications are valid for a finite period, and users are prompted to renew their access and submit a progress report after a specified time interval.
Managed access requirements can also require users to be registered, certified, or validated before submitting their data access application.
How sensitive is my data?
Sensitive data is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. “De-identified” data (maintained in a way that does not allow association with a specific person) is not considered sensitive.
Below is a general rule of thumb for determining data sensitivity based on ease of re-identification. Please note that data contributors can always determine their own data sensitivity level per contract or community standard, and the diagram below should only serve as general guidelines.
When communicating externally about data sensitivity and restrictions for access, please reference the Synapse Data Access Tiers:
Private Access Tier: Visible only to you and other users whom you select in Sharing Settings.
Controlled Access Tier: Available to registered, certified, or validated users that fulfill specific requirements for data access, such as submitting an Intended Data Use statement, obtaining IRB approval, agreeing to data use limitations, or other prerequisites.
Open Access Tier (also called open access data or open use data): Available for all registered Synapse users without use limitations.
Anonymous Access Tier: Available for anyone on the web without Conditions for Use.
How to Control My Data
For Controlled Access Tier data for new communities, please reach out to Ann Novakowski or Christine Suver for governance project intake.
For Controlled Access Tier data for existing communities, please file a Governance Jira Ticket to the ACT using the component “Add, Edit, or Remove Access Requirement.” You will be asked to fill out information regarding the nature of the data and data use limitations.