Data Access Committees

The processes of depositing and sharing your data will require decisions about data access. Data access can be considered on a spectrum from open (data is freely available for anyone to reuse, modify, and redistribute) to closed (data is not distributed beyond the community or the research team). Data access can be granted to varying degrees between these two endpoints.

Remember our three case studies for data security and keeping data safe during the active stages of research? Decisions related to data access in the last part of your project will also depend on the nature of the data. For example,

• Data that is released as open access should not have any sensitivities or risks associated with making it available for use by others.
  • Examples of open access data are the number of applications per year to social service programs or data from interviews about a community art program which has had names, ages, and other identifying information removed.
• Data that is shared subject to specific terms and criteria may have some level of risk associated with reuse. In these cases, data access terms should balance the perceived level of risk to community participants against the potential benefits of making the data available, with the level of risk determined by the community that created or contributed to the creation of the data.
  • Examples of data shared with fewer restrictions may include anonymized survey results about a sensitive topic such as social housing or immigration experiences. On the other hand, data that is shared with more restrictions may include health data that is shared only with members of an organization that conducts research in alignment with the original purpose for which the data was collected.
• Data that is not available for reuse carries significant risks, such as the risk of exposing communities and research participants to harm if the data is misused.
  • Examples of restricted data are research data from unpublished studies or data containing personal information that can identify individual research participants.

The decision to make community data available can have many complexities and thus requires thoughtful engagement. Data access decisions must take into account community needs and be made by or with the community that is fully informed communities must understand the risks associated with providing access to the data, as well as the costs related to managing data access in the long term.

Risks related to data access may be identified through concerns brought forth by the community. For example, there may be a risk of vulnerable community members like children or elders being identified in the research, or a risk that data will be reused in ways that do not align with community values or beliefs. Data access risks may also relate to technology limitations, data security, and other practical considerations.

Engaging as a group of community partners and researchers is an important part of identifying risks and finding appropriate ways to minimize them so that members can make an informed decision about their participation in the research.

Costs related to data access must also consider the time, effort, and resources needed to care for and maintain the data during the research project and beyond. It is also important to be clear about who will take on responsibilities related to data access – for example, whether this will be a community member or a member of the original research team with explicit permission from the community.

It can be surprising how much cost and effort is involved with maintaining access to data. Even open access data requires care and maintenance, such as:

• publishing new versions of the data
• updating explanations of the data and how it was collected, and
• responding to questions about the data.

Data that is restricted or made available under specific terms and conditions may also require:

• a secure repository to ensure data access is restricted to specific individuals or groups
• a mechanism to ensure users understand how they may use the data, for example having them sign a license or agree to terms and conditions
• guidelines and a process to approve or deny requests to reuse the data

In general, the more restrictions placed on data access, the more effort and energy may be required to manage access requests. Risks and costs related to data access should be discussed as part of data management planning and documented in the data management plan (DMP).

A good starting point when considering data access is to think about the goals that prompted data collection in the first place. For example, if one of the goals is to influence practices of social service agencies in the community, you will want to share findings with people in these organizations who can work with community members to affect change.

Once you have determined the appropriate audience for your data, you will need to think about how access will be managed and where it will be stored.

• Low-Risk Data: If your data will be shared under an open access license, then data access may be as simple as sharing the data in your chosen repository under a Creative Commons license.
  • Most universities have a data repository on campus that would be suitable for this purpose. In Canada, this is coordinated by Borealis: The Canadian Dataverse Repository. Connect with your local installation here!
• Medium-Risk Data: If the data will be shared for reuse under relatively common terms, such as including a requirement to share research findings with the community, then you may wish to develop Data Access Terms and a Data Use Agreement which users need to sign in order to access data.
  • If data can be anonymized so that it is no longer sensitive, you can usually share it in a campus data repository using a restricted access feature. Borealis: The Canadian Dataverse Repository has this feature. Connect with your local installation here!
  • Another option is to store data on an organizational server.
• High-Risk Data: If data reuse presents a high risk to individual privacy or safety, it will be necessary to review and make decisions about data access on a by-request basis. In cases where data access requires more careful review, one approach is to form a Data Access Committee.
  • In cases of higher- risk data, the best option is to store data securely on an organizational server.

Forming a Data Access Committee

A Data Access Committee (DAC) is a defined group of individuals who are collectively responsible for granting access to data based on a set of criteria. DACs tend to use tools and resources to standardize the request and review processes, such as application forms for requestors, or a checklist to evaluate if an application meets established criteria for access.

DACs can take many forms. Membership, access criteria, meeting frequency, and the process for reviewing requests will depend on:

• the nature of the data
• the needs of the community
• the purpose of the original research for which the data was collected, and
• where the data is held, whether in a repository, with the community, or elsewhere.

When forming a DAC, it is important to consider the role of the community and community perspectives in data access decisions, as future research conducted using the data has the potential to impact the community. Some questions to consider are:

1. What role will the community play in the DAC?
   • Will there be one or several community representatives? How long will their tenure be?
   • Are there mechanisms for more people to be involved in these decisions? For example, check out the podcast Crackdown’s listening parties where the community listens to the first draft of each episode and adjusts content.
2. What capacity and resources are required for the community to participate in data access decisions?
   • Is there funding available to support community involvement?
   • Is there a staff member who can dedicate time to coordinating this?
   • Is there technical equipment or software that needs to be maintained?
3. How does the community make meaning and share information? Does this influence data access criteria in any way? For example:
   • Queer communities have been impacted by the loss of an older generation to AIDS and thus might prioritize data access by younger queer community members and researchers.
   • A community of refugees from a particular background might have cultural understandings of data that will impact how long it is stored.
4. How can you be sure that data reuse and future research conducted with the data are connected, relevant and driven by community needs?
   • Are there conversations to engage in that will inform the consent process or survey development?
   • What questions can we ask to understand the priorities of community participants?
   • How often should we revisit the guidelines used by the Data Access Committee?
5. Where will the data be held? Will it be stored in a data repository managed by the university or another entity or will the community take on the responsibility of long-term data storage and preservation?
   • In the case of smaller organizations, data will be stored in a data repository that is managed by the university or another organization. Communities can work with the research team to consider access terms for the data and if they would like to participate in ongoing decision-making.
   • Larger organizations may be equipped to store data long-term. In these cases, they would take on organizational responsibility for managing a data access committee. It is recommended that this committee adopt frameworks and terms of reference language from other committees and working groups in already established bylaws.
   • If a community does not have a representative organization, participants should be involved in drafting data access terms and may agree to be consulted by a Data Access Committee associated with the repository. However, the researchers and participants should take extra care to document detailed access terms. This could then be given to an institutional data repository.

These and other questions are important considerations that will impact the composition of the DAC and the criteria used to evaluate data access requests.