How to Work with Sensitive Data

There are a number of different mechanisms that can be used to control access to sensitive data; these are briefly discussed below:

• Self-attestation: this is the lowest form of control and only requires a potential user to agree to prescribed terms of use (e.g., checking a box, digital signature), and upon agreement, the user is immediately granted access to data. It is a minimal restriction but may block bots depending on how it is configured.
• Log-in requirement: some repositories will require potential data users to create and log into an account. This allows a repository to monitor exactly who accesses data, which is not typically possible (or legal) when content is made publicly available. There may be additional requirements for account creation (e.g., must use an email affiliated with a university or similar research institution).
• Depositor-managed access: some repositories allow depositors to require a potential user to request access, and that depositor is responsible for assessing and reviewing the request.
• Repository-managed access: some repositories have in-house staff who are responsible for facilitating data deposits as well as responding to access requests for controlled-access data. In this configuration, repositories may either have a standardized set of criteria (e.g., must have PI status at university) for all datasets or may allow depositors to define the specific (custom) terms of access and reuse.
• Independent committee review: some repositories have set up a vetting system not unlike an IRB or grant review board in which external researchers review a request.
• University-managed access: some repositories have arrangements with UT Austin (bottom of this page) where data are hosted in a repository and both deposits and requests for access are routed to a university administrator.

These are not all mutually exclusive; in some instances, there may be multiple levels of request review (e.g., repository staff filter out unqualified or junk requests, forward serious requests to depositors for final approval).

The various forms of controlled access listed above can be divided into two groups based on who is setting the access policy. In some instances, repositories have standardized policies that apply across all datasets (e.g., someone must have PI status to access the data). In other instances, the depositor sets the policy. Note that this is related to, but slightly different from, who manages the policy (e.g., a depositor could prescribe a policy that a repository agrees to enforce).

• Repository sets policy: If the repository sets the policy, a depositor will likely not be able to request custom modifications. Make sure that you read the conditions, understand them, and agree to them fully.
• Depositor sets policy: If a depositor is responsible for setting a policy, this can be more complicated because theoretically, a researcher could set any policy (e.g., requiring authorship, payment, endorsement of political candidates [an extreme example]), but the policy may not be legally sound or enforceable. In general, researchers should work off of existing templates developed by reputable entities, rather than attempting to create their own legal text from scratch. This is mainly because people without legal backgrounds (most researchers) are not qualified to create legal documents or agreements. Attempting to do so can create a host of logistical and legal problems for you (and/or any organization you are affiliated with).

In either instance, if you think that you will need to restrict access to data, it is highly recommended that you reach out to your unit's contact at the Office of Sponsored Projects (for sponsored projects) and/or Discovery to Impact (for commercializable items like patents). The university has a vested interest in (and shared responsibility for) many research outputs and should be consulted before entering into contractual obligations with third parties or establishing contracts/terms of use.