Document toolboxDocument toolbox

Managing ACTAccessRequirement Requests Use Cases

Owned by Kimyen Truong (Unlicensed)
Last updated: Feb 10, 2017 by Bruce Hoff
5 min read

Actors

  1. Reviewer - who views the application, determines if it meets the requirements.
  2. Requestor - the person who fills out the application, submitted and follow up as needed. 
  3. Data Provider - external group that dictates the term under which access is granted. 
  4. Accessors - users who would gain access to the data if their application is approved.
  5. Signing Official - The Signing Official is somebody with oversight authority over the data requester and who is responsible for ensuring appropriate and ethical use of the data by the data requester.
  6. Project Lead - who name will be published with the research statement. A Project Lead must be an accessor. A requestor can be a Project Lead.
  7. Working Group - A group of accessors who work at the same lab/project/institution towards a common goal (defined by the research statement).

Terms

  1. Access Requirements - uniquely identify the set of requirements to access Controlled/ Restricted Data.
  2. Access Approval - the record of requirements being met. 
  3. Controlled Data - a set of entities that are under certain Access Requirements.
  4. Intended Data Use Statement - A few paragraphs that explaining how the data will be used by a work group or an individual.

Use Cases

  1. A user would like to access controlled data in Synapse governed by a single ACTAccessRequirement. The requirement stipulates the following information be provided in order to gain access to the controlled data:
    • Intended Data Use Statement
    • His/ her Synapse username where the profile must be validated.
    Once the requestor submits the required information, a reviewer will determine if the requestor has met all requirements. The reviewer approves the request and the requestor gains access to the data.
  2. A user would like to access controlled data in Synapse governed by a single ACTAccessRequirement. The requirement stipulates the following information be provided in order to gain access to the controlled data:
    • Intended Data Use Statement
    • His/ her Synapse username where the profile must be validated.
    • An IRB approval document
    Once the requestor submits the required information, a reviewer will determine if the requestor has met all requirements. The reviewer approves the request and the requestor gains access to the data.
  3. A user would like to access controlled data in Synapse governed by a single ACTAccessRequirement. The requirement stipulates the following information be provided in order to gain access to the controlled data:
    • Intended Data Use Statement
    • His/ her Synapse username where the profile must be validated.
    • A DUC listing the Institution, the Signing Official at the Institution & his/her signature, and the applicant' signatures.
      • The DUC may require additional attachments. If so, the requestor need to provide the required attachments.
    Once the requestor submits the required information, a reviewer will determine if the requestor has meet all requirements. The reviewer approves the request and the requestor gains access to the data.
  4. A working group would like to access controlled data in Synapse governed by a single ACTAccessRequirement. To make it convenient for the working group, a reviewer accepts the required information (listed in use case #1, #2, #3) for all members of the working group in a single request. The requestor, a member from the working group, would gather the information for all members and list all members' Synapse usenames under a list of accessors. A reviewer would need to review and verify that all accessors have provided the required information to gain access to the data. The reviewer approves the request and the accessors gain access to the data.
  5. When a reviewer find that a request needs more information/ clarification, he/she would reject the request and provide instructions on how to provide the missing information. The requestor would receive an email notifying them that their request needs action. They follow the provided instructions to submit the missing information. Once the requestor submits the required information, a reviewer will determine if the accessor has met all requirements. The reviewer approves the request and the accessor(s) gains access to the data.
  6. After a working group gains access to the dataset, the accessors of the working group may change. 
    1. When a new member joins a group, the requestor would provide the required information (listed in use case #1, #2, #3) for this new accessor to gain access to the data. A reviewer will need to make sure that the new accessor's information is sufficient for him/her to access the data. If so, the reviewer will approve the addition request and the new accessor gains access to the data.
    2. The new member(s) will need to provide the required information (listed in use case #1, #2, #3) in a new request. A reviewer will determine if the requestor has met all requirements. The reviewer approves the request and the accessor(s) gains access to the data.
  7. After a working group gains access to the dataset, the accessors of the working group may change. When an accessor leaves the project, the requestor will let the reviewer know to remove this accessor's access from the dataset.
  8. After a year, some datasets require that the accessors provide updated information about their project. They would need to provide the following information:
    • Summary of how the data was being used.
    • Publication, if any.
    • If the original request requires an IRB approval, they would need to provide an updated IRB approval document.
    1. A requestor may provide the above information on behalf of a working group. In this case, if the list of accessors has been changed, the requestor would provided information described in use case #6a and #7.
    2. Each accessor may provide the above information in order to keep their access to the data.

If the accessor does not provide the required information, they will lose access to the dataset.

9. One month before a working group lose access to the dataset, an email needs to be sent to the requestor and accessors to remind them about the renewal process. In the email, they would find the instructions on what they need to provide to be able to keep their access.

10. If an accessor no longer need access to the data set, they would need to provide a final use statement to the dataset. 

    1. All accessors in their request will lose access to the dataset.
    2. Only the accessor will lose access to the dataset. Other accessors in the same request will need to go through the annual review process described in use case #8 to keep their access.

11. Every 6 months, a reviewer would download all requests related information including:

    • DUC
    • Intended Data Use Statement

zip them up and send them to the data contributor.

12. An accessor needs to see how other people are using the data. They need to be able to see the following information from other's submission:

    • The name of the project lead
    • The Institution 
    • Intended Data Use Statement

Since use case #6b, a reviewer would decide to exclude some requests' information from being public to eliminate duplicates set of the information above.

13. A requestor wants to change their intended data use statement after it's public. They would submit their new statement and expects the information on the public page to change accordingly.