...
What is Data Governance?
Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods. (Source: Do’s and don’ts for Informed Consent for Sharing Data, UU, A. vd Kuil).
What are internal and external access policies?
Having access policies for your data is an important aspect of data stewardship. Your access policies should establish who is authorised to access the data:
who gets access to your data (e.g., researchers, data managers, ICT staff, administrative staff);
to which data these people get access;
what type of access they get (e.g., read only, edit).
This includes:
internal access policies (i.e., for yourself and your colleagues, for instance when you need remote access to your data);
external access policies (e.g., in case you are sharing files with others as part of a new research project).
Access policies are part of your data management plan. It is your responsibility to describe them before you start collecting data. In case of a clinical trial, a substantial change in access policies should lead to an amendment of your ethical protocol.
Important aspects are:
never allowing access to personal or clinical data to unauthorised people (this includes colleagues from your research group who are not involved in the project);
under no circumstances granting access to (in)directly identifiable data via computer accounts shared by multiple persons;
not providing more information in a data extraction than needed for a particular analysis;
making sure that access to the database is logged properly (i.e., who accesses the system for what purpose and who retrieves which data elements);
preferably verifying the identity of the user logging into a database with (in)directly identifiable data by at least one other method than just password security (“2-factor authentication”);
preferably using a one-time password generating tag or a message to your phone as that second method.
Any access outside the authorisations in the access policies should be considered unauthorised access. You should be able to detect unauthorised access in a timely manner, whether it comes from inside or outside. Note that there is a legal obligation to report personal data leaks in most countries.
Who can access contact information? (Patient contact information)
In cohort studies, contact data of study subjects are usually registered. Access rules should differentiate between those having access to research data and those having access to these contact data. In principle, one person should not have access to both, unless the researcher is also the treating physician. An exception can only be made for smaller projects that have a limited period during which data are created, processed and analysed. In your Data Management Plan, you will have to argue why this exception applies to your research project (i.e., explain why it is necessary for staff members to access both research data and contact data).
Why do I already have to decide on access policies at the start of my study?
In principle, your access policies should be described at the start of your project. One reason for this is that, in many cases, patients have to give informed consent on data sharing before you start collecting data. Yet, there should be sufficient room for change, following from the principle of responsible data sharing, for instance because:
new funders may require new access and sharing conditions;
your project may lead to unforeseen data, which generate unforeseen requests for those data.
https://rdmkit.elixir-europe.org/human_data
...