Make sure you can publish your metadata

status: in development

Introduction

Under what conditions it is allowed to share data, depends on the context. This FAQ is based on the standards as agreed in the Code of Conduct for Health Research. In the text below, we link to the Dutch version. The English translation of the Code of Conduct can be found here.

How identifiable is the data?

To determine under what conditions data may be shared, it is important to consider the question: how identifiable is the data? Data that are actually completely anonymous are not covered by the GDPR. This data may be shared, and it is not necessary to offer data subjects the opportunity to opt-out (see section 5.1.1 of the Code of Conduct for Health Research). However, the bar for speaking of anonymous data is very high, see the FAQ 'When is data considered anonymous, pseudonymous or directly identifying?'. In practice, research data is almost always (in)directly identifying, not anonymous.

What has been communicated to those involved and what is included in the data management plan or protocol?

It is also important to look at the question: what has been communicated to those involved and what is included in the data management plan or protocol? Does it state that the data will not be shared with others? Then this is not allowed. If it has been communicated that data can be shared, the conditions as agreed with those involved must be adhered to, for example when it comes to the research purposes for which the data may be shared. If a data subject opted out of the reuse of data, or if separate consent has been asked but this has been refused, the data subject's choice must be honored. In addition, agreements may have been made that do not directly concern sharing, but do impose restrictions on sharing, such as the agreed retention period (see the FAQ 'What is the retention and storage period of data and biosamples in the context of scientific research?' and the FAQ 'Can research data be kept longer than the agreed retention period if it is anonymized?'). Before (in)directly traceable data can be shared, it is important that the request is submitted to a review committee or 'Data Access Committee' that assesses whether the above criteria have been met.

Section 9.1.1 of the Code of Conduct for Health Research recommends anticipating the reuse of data for future research and making clear agreements about this with those involved. However, in the past, these agreements were sometimes not made. Data holders may then be unclear about whether data sharing is permitted. You can read an example of this situation here: 'Can I place data from historically collected DNA samples online in a data resource to share with other researchers?'. In the future, more information about sharing data based on older informed consents will be shared via the ELSI Service Desk. You can always ask a question about this by sending an e-mail to elsiservicedesk@health-ri.nl.

Open

Open access versus restricted access?

When making data available, you can opt for open access (directly accessible) or restricted access (only accessible after certain conditions have been met). Section 7.3.1 of the Code of Conduct for Health Research indicates that research data may only be made public (open access) in anonymized form, unless participants have given specific and explicit consent for disclosure of non-anonymized data. If data cannot be anonymized and there is no explicit permission to share the data publicly in non-anonymized form, the data can be made available through restricted access. For example, a Data Access Committee or review committee can check whether the conditions for sharing are met before sharing.