SlideShare a Scribd company logo

Managing sensitive data at the University of Bristol

Download as PPT, PDF
Jisc RDM
Jisc RDM

Presentation on managing sensitive data at the University of Bristol by Kellie Snow, Research Data Librarian for the Research Data Network event, May 2016, Cardiff University.

Related slideshows

Grampian safe haven, research data network
Grampian safe haven, research data networkGrampian safe haven, research data network
Grampian safe haven, research data network
 
Implementing Archivematica, research data network
Implementing Archivematica, research data networkImplementing Archivematica, research data network
Implementing Archivematica, research data network
 
Journal research data policy update
Journal research data policy updateJournal research data policy update
Journal research data policy update
 
1 of 15
Managing sensitive data at the University of Bristol Kellie Snow Research Data Librarian, Research Data Service Jisc Research Data Network Workshop, 18th May 2016
Background • Research Data Repository (data.bris) went live in July 2014 • For open data only • Immediately apparent some researchers would require restricted access • Studies wanting to share, but not knowing how – informal processes 2
Initial thoughts • What would any restricted access level(s) be? • How should they be applied? • Would this fit with the ethical policies and workflows of the University? • How would we objectively decide who to grant access to? • What would be the processes that needed to be in place? • What would be the technical challenges? • Did we have the capacity as a service to administer this? 3
First steps • Issue raised by Research Governance • Number of meetings and discussions over several months • November 2014 – report put forward by RDS and Governance to University Ethics Research Committee: • Suggested data access levels • Request to establish Task & Finish Group 4 Image: Sharyn Morrow
Data Access Task & Finish Group • Established to investigate the feasibility of a Data Access Committee (DAC), as recommended by the EAGDA report • Representation from IT security, Governance, Secretary’s Office (DPA/FoI), senior academics • Met three times – matters addressed: • Scope of a DAC • Data Access Agreements (drawn up by external lawyers) • Processes for controlled datasets • Many of proposed procedures based on EAGDA recommendations and UKDA 5
Data Access T&F Group recommendations • October 2015 – produced set of recommendations: • Access levels embedded in ethics application process • Processes for handling restricted and controlled datasets piloted • Permanent DAC is formed • Further consideration around retention of copies of requested data • Consideration of data access levels at contracts stage (commercial research) • Passing through University committees – DAC soon to be approved 6
Established processes 7
Data Access Levels 8 Open Restricted Controlled Closed Online and available to anyone without restriction. No sensitivities. Available to bona fide researchers. Repository staff will check credentials. Only available after panel of senior staff (DAC) have assessed request. Highly sensitive or older studies where appropriate permissions have not been sought. Data not available for sharing (except regulators) because of ethical, IPR, prior exclusive agreements or other constraints (requests handled by Information Rights Officer).
At the start of a project… • Researcher identifies likely access level(s) that will be used • Outlined in DMP • Allocated as part of ethics application • Included in contracts with external partners (where necessary) 9
At the data deposit stage… • Researcher assigns access level in metadata record (verified by RDS) • DOI landing page/repository record directs third party to RDS to request access form • Dataset itself is stored either within Research Data Storage Facility or with research group 10
When a request is received… 11 Restricted Controlled
Unforeseen challenges • Procedure for checking if applicants ‘bona fide’ • Procedure for retaining Data Access Agreements • Storage location of datasets • Supplying large datasets • Researchers with controversial papers 12
Advice for other institutions • Never underestimate time involved getting agreement across the institution • You’re unlikely to have covered every eventuality – be prepared to be reactive • Process will allow you to build better relationships with other University services • Your researchers will be grateful! 13
Future plans • Software system to deal with requests process (audit trail) • Online request form • Data Access Agreement repurposed by existing studies • Further procedures around commercial data (contract issues, IP) • Further knowledge and procedures around clinical data (esp. NHS) – where do sharing responsibilities lie? 14
Thank you for listening! data-bris@bristol.ac.uk @databris 15

More Related Content

Managing sensitive data at the University of Bristol

  • 1. Managing sensitive data at the University of Bristol Kellie Snow Research Data Librarian, Research Data Service Jisc Research Data Network Workshop, 18th May 2016
  • 2. Background • Research Data Repository (data.bris) went live in July 2014 • For open data only • Immediately apparent some researchers would require restricted access • Studies wanting to share, but not knowing how – informal processes 2
  • 3. Initial thoughts • What would any restricted access level(s) be? • How should they be applied? • Would this fit with the ethical policies and workflows of the University? • How would we objectively decide who to grant access to? • What would be the processes that needed to be in place? • What would be the technical challenges? • Did we have the capacity as a service to administer this? 3
  • 4. First steps • Issue raised by Research Governance • Number of meetings and discussions over several months • November 2014 – report put forward by RDS and Governance to University Ethics Research Committee: • Suggested data access levels • Request to establish Task & Finish Group 4 Image: Sharyn Morrow
  • 5. Data Access Task & Finish Group • Established to investigate the feasibility of a Data Access Committee (DAC), as recommended by the EAGDA report • Representation from IT security, Governance, Secretary’s Office (DPA/FoI), senior academics • Met three times – matters addressed: • Scope of a DAC • Data Access Agreements (drawn up by external lawyers) • Processes for controlled datasets • Many of proposed procedures based on EAGDA recommendations and UKDA 5
  • 6. Data Access T&F Group recommendations • October 2015 – produced set of recommendations: • Access levels embedded in ethics application process • Processes for handling restricted and controlled datasets piloted • Permanent DAC is formed • Further consideration around retention of copies of requested data • Consideration of data access levels at contracts stage (commercial research) • Passing through University committees – DAC soon to be approved 6
  • 8. Data Access Levels 8 Open Restricted Controlled Closed Online and available to anyone without restriction. No sensitivities. Available to bona fide researchers. Repository staff will check credentials. Only available after panel of senior staff (DAC) have assessed request. Highly sensitive or older studies where appropriate permissions have not been sought. Data not available for sharing (except regulators) because of ethical, IPR, prior exclusive agreements or other constraints (requests handled by Information Rights Officer).
  • 9. At the start of a project… • Researcher identifies likely access level(s) that will be used • Outlined in DMP • Allocated as part of ethics application • Included in contracts with external partners (where necessary) 9
  • 10. At the data deposit stage… • Researcher assigns access level in metadata record (verified by RDS) • DOI landing page/repository record directs third party to RDS to request access form • Dataset itself is stored either within Research Data Storage Facility or with research group 10
  • 11. When a request is received… 11 Restricted Controlled
  • 12. Unforeseen challenges • Procedure for checking if applicants ‘bona fide’ • Procedure for retaining Data Access Agreements • Storage location of datasets • Supplying large datasets • Researchers with controversial papers 12
  • 13. Advice for other institutions • Never underestimate time involved getting agreement across the institution • You’re unlikely to have covered every eventuality – be prepared to be reactive • Process will allow you to build better relationships with other University services • Your researchers will be grateful! 13
  • 14. Future plans • Software system to deal with requests process (audit trail) • Online request form • Data Access Agreement repurposed by existing studies • Further procedures around commercial data (contract issues, IP) • Further knowledge and procedures around clinical data (esp. NHS) – where do sharing responsibilities lie? 14
  • 15. Thank you for listening! data-bris@bristol.ac.uk @databris 15