Sharing sensitive data
There is a lot of focus currently on making research data available to a wider audience, but this is not always possible. Reasons for this may include:
- the data is covered by GDPR and is subject to the consent granted by the participants to whom it relates
- the data has been obtained under a non-disclosure agreement from a partner
- access to the data has been purchased from a commercial provider
- the work building on the data may lead to a commercial opportunity and a patent
Policies on data sharing are generally phrased to take account of these circumstances: the Medical Research Council (MRC) for example, explicitly acknowledges the tension between respecting patient privacy and making data more widely available, and expects researchers to exercise their professional judgement in such cases.
Even if completely open sharing is not possible, there are many ways in which it is still possible to contribute. Regardless of whether your data is shareable, all published articles should include a data access statement.
Deposit under an embargo
If you wish to restrict access to your data for commercial reasons (e.g. to apply for a patent), your best option is to deposit in a repository under an embargo. This will ensure that you can deposit the data at convenient point in your research process and have it automatically made public at a future date.
Funders generally encourage commercialisation of research results, but generally impose a limit on how long data can be embargoed for: in most cases the data must be available within 12 months of the end of the project. For more information, check what your funder requires.
Obtain consent to share
Research involving human subjects can only be carried out with the informed consent of the participants.
If your original consent did not include data sharing, it may be possible to go back to participants and obtain further consent.
Share under a data sharing agreement
If you cannot make your data widely available, you may still be able to make bilateral agreements with individual researchers or groups to ensure the data is used in line with the consent obtained. This will probably involve drawing up a formal data sharing or collaboration agreement.
Use a secure data repository
Some data repositories provide a facility to allow carefully controlled access to sensitive information. These typically require interested researchers to prove their credentials, sign a non-disclosure agreement and analyse data in a dedicated facility without a network connection, taking away only anonymous information or statistics. One example of this is the UK Data Service, which provides a Secure Lab.
Software such as DataSHIELD enables a similar workflow across a network, allowing complex analysis scripts to run behind a firewall while being guaranteed to return only safe, anonymous results to the researcher.
Share anonymous data and / or summary statistics
If you are making your data available on a restricted basis using one of the methods above, it can sometimes be difficult for people to discover that the data exists and is available. It can help if you make some of the data available in an anonymous form through a more open route and include instructions for requesting access to the full dataset, see Mechanisms for sharing data. Additional support on processing personal data for research purposes is available on the College Information Governance web pages.