Best Practices
Data access committees (DACs) are institutional safeguards responsible for ensuring a balance between data protection and accessibility. However, there are no procedural standards that apply across DACs, which can lead to inconsistencies in their reviews and compromise their quality and effectiveness. Standardising DAC processes can foster trust and mutual recognition, paving the way for greater coordination, collaboration, and delegation between DACs and other oversight bodies to improve the efficiency of data access without sacrificing protection.
To provide guidance, the following are suggestions for actions a DAC might take upon receiving a data access request:
- Aim to respond to all initial requests in less than 2 weeks. Failure to do so may result in follow-up emails from the EGA, journals, and ultimately dataset withdrawal.
- First, check that the data/EGAD number is consistent with your data submission. In other words, ensure that the requester has contacted the correct DAC.
- Verify that the user will be using the data within the terms of consent by asking them to sign up to the terms within the DAA.
- Ensure that data users who are granted access to the data comply with the terms of a Data Access Agreement (DAA) and to use the data only in approved ways.
- Look for an institutional email address for the requester.
- Search for evidence that the requester is "appropriately qualified/bona fide" for using the data, for example on PubMed, Research Gate, LinkedIn, etc.
- Confirm that the affiliated organisation is real and that the requester still works there.
- Inquire with the requester about who should have accounts created at the EGA under the terms of the agreement.
- If a negative decision is made, promptly communicate it to the requester and support it with the terms of the Data Access Policy that the requester has not met or cannot meet.
- Keep the information in the DAC up to date. If you leave your institution and are unable to manage data access requests on their behalf, you should add your replacement as a new contact in the DAC.
- Assist with data access requests for any further questions related to your data. The EGA can only check information that has been deposited in the repository. If the user has a specific question that the EGA cannot answer, we will redirect the user to the DAC.
- All the EGA studies and datasets referenced in a publication under your DAC must be publicly searchable on the EGA website before the paper is released.
- If possible, describe the permitted purposes for subsequent research projects, including associated limits and conditions, for all resources hosted in a repository using a common ontology, such as the GA4GH Data Use Ontology (DUO).
It is considered best practice to try and release data only to those with an institutional email address. This gives reassurance to the EGA, research participants, and the general public that an appropriate individual is accessing and using the data.
To prevent potential data breaches and ensure adherence to GDPR regulations, it is essential that the European Genome-Phenome Archive (EGA) is informed via the Helpdesk team of any changes to the Data Access Committee (DAC). This should be done in addition to any changes being made on the DAC portal. Data Controllers (as per the definition in the DPA) are also responsible for notifying the previous DAC of any modifications. Without proper notification, changes might not be automatically updated in our system, leading to the risk of incorrect permissions being applied and potential data access issues. Therefore, it is imperative that all Data Controllers follow this protocol to maintain data integrity and security.