160 likes | 171 Views
Explore frameworks for managing sensitive data throughout the research lifecycle, including university policies, external frameworks, data management plans, consent agreements, and approaches like destruction, alteration, and restriction.
E N D
Frameworks for Sensitive Data in the Research Lifecycle John Southall Bodleian Data Librarian Subject Consultant for Economics, Sociology, Social Policy & InterventionMichaelmas 2016
Lifecycle Model • Applicable throughout data lifecycle • Before a project • During a project • After completion • First two remain key • Third stage also now focus of policy and ‘expectations’ • Management of sensitive and confidential data particularly affected by this • Various stakeholders and frameworks at work
Internal Frameworks • Project Level • Define sensitivity – allows better management • Specific content or general content • Consent agreements with participants • Licensing agreements • University level • Policy requirements or ‘Expectations’ • Applicable throughout data lifecycle
University Policy • Data should be retained for ‘as long as they are of continuing value to the researcher and the wider research community’ – but a minimum of three years • Researcher driven • Developing and documenting clear data management procedures • Planning for the ongoing custodianship of their data • Ensuring that legal, ethical, and funding body requirements are met • Institution responsible • for providing access to the services, facilities, and support needed to allow researchers to comply with the policy • Tagged as RDM
External frameworks • Funder policy • ESRC, EPSRC, Wellcome, RCUK Principles • Collaborator policy and expectations • Legal and Ethical policy • Data protection, FOI regulations • Privacy, confidentiality and consent • Broad consent arrangements need to accommodate all these
RCUK Guidance • … on best practice in management of research data • Principle 4: RCUK recognises that there are legal, ethical and commercial constraints on release of research data. To ensure that the research process is not damaged by inappropriate release of data, research organisation policies and practices should ensure that these are considered at all stages in the research process.” (July 2015)
Discipline Based Guidance • Expectation = case by case discussion • MRC – produce DMP, deposit of appropriate data in ‘timely’ manner, with limited exclusivity clauses • EPSRC – produce DMP, preservation and sharing of data • ESRC – produce DMP,preservation of data wherever possible and deposit with institutional repository or UKDA or secure data lab • ESRC will dispute non-deposit proposals • All discussed as part of application process
Data Management Plan • Place to consider the issues • Internal and external support for DMPs • Goal is to understand • Why your data is considered confidential or sensitive in some way • Impact of this on research process • How you manage it • where intent is that data/ sensitive data is not preserved or made accessible give a good reason
Consent Agreements • Help ensure participation • Create trust • Define interests of stakeholders • Avoid agreements that are too restrictive • Or do not accommodate all three stages • “only to be used by this researcher” - “will be destroyed” - “no one else will read” • Helpful but not too restrictive • Protection for you - not a strait-jacket • Formal – defining - agreements
Three Approaches • Destruction • Alteration • Restriction
Destruction • Dispose or destroy data when project ends • Traditional solution in some disciplines • Wasteful? • Now requires good reason given • Will always be needed in some cases • Retention • Variant on destruction – rules out long term preservation • Oxford policy talks of minimum retention but does not mention maximum period • Does not imply destruction
Alteration • Aggregation, anonymisation of data • Another traditional solution in some disciplines • Loss/ Degradation of content • Against expectations of data preservation? • Fragmentation • Helpful where specific content is the issue • Needs to be well defined and managed
Restriction • Anonymisation allows wide access to less data (ie by removing content) • An alternative approach is to leave content but make access harder • Relies on placing it somewhere with access control • E.g. Microdata from Eurostat • Vetting of access from UKDS • Requires clear access and usage conditions • Restrict what content may be reproduced • Introduce embargoes (last resort)
Conclusion • Content is only starting point • Actual issue is how data will be used, managed, and disseminated. • Applicable throughout data lifecycle • Before a project – planned, approved or licenced • During – managed and secure • After – documented and preserved • Maintain confidentiality through controls on handling, storage and sharing • Use research design to reduce risks • Draw on RDM support at Oxford