Data Access Restrictions

This article explains data access restrictions arising from ethical, legal, or resource limitations and gives researchers examples of ways to implement access restrictions on data.

What are Access Restrictions to Data?

Access restrictions for data are limitations imposed and enforced by data owners on how, why, and when data can be shared with secondary users. This guide discusses reasons for limiting data sharing based on ethical and/or legal considerations. It further offers guidance on methods for sharing sensitive data, using data use agreements and access requests, and limiting data file access while enabling discovery within a data repository.

Reasons for Limiting Data Sharing

Most funding agencies require researchers to share a public-use version of the data collected during their research. These data should be well documented and cleaned, and should be the same files researchers used to publish the results of their research. For most researchers, sharing a public-use version of their data will not be an issue; however, for some, it may not be as simple as sharing the same data files used in the analyses.

Depending on the data you are collecting, you may find yourself limited in what you are able to share due to ethical, legal, or even resource limitations.

Ethical Restrictions

The most prominent reason for not being able to share data is the ethical limitations that arise from the highly sensitive nature of the data being collected. Many researchers conducting human subjects research must abide by the laws and regulations enacted by the government and the university’s institutional review board. What does this mean?

This means that anyone collecting and interacting with human subjects during their research must ensure that the privacy and confidentiality of their participants remain intact and secure. This does not mean that all human subjects research is exempt from data sharing. Instead, it means that researchers must take the necessary steps to de-identify and clean their data sufficiently before sharing any version of it with the public.

While most researchers will be able to comply with these requirements – for example, using the safe harbor method to de-identify datasets – some projects may not be able to sufficiently de-identify their data while maintaining its utility.

In these instances, it is important to establish a protocol for keeping the highly sensitive data files secure while also assessing the possibility of permitting data access requests through a secure file transfer process in combination with a signed data use agreement. You can learn more about considerations for sensitive data in our Sensitive Data Guide.

Legal Restrictions

Aside from ethical considerations, there may be instances where your data have been purchased or acquired from other data producers. Some data producers make their data publicly available without limitations; however, others may stipulate that only a small percentage of their data may be shared as part of a larger dataset. In other instances, a data producer may not permit the sharing of any of the data as agreed upon in a data use agreement or terms of use. It is important to thoroughly review all terms and conditions of using data collected and produced by external parties and to abide by those requirements. If you have questions about any legal terms and conditions, please seek assistance from UNC Libraries' Scholarly Communications Office.

Resource Limitations

For some researchers collecting large amounts of data (i.e., terabytes or more), sharing data within a data repository may not be feasible due to limits on the amount of data that can be stored and shared through the repository interface. It is prudent to investigate the file size limits of a data repository before deciding where your data will be preserved.

Examples for Implementing Access Restrictions

As mentioned above, there may not be a way to sufficiently de-identify your data for open sharing in a data repository. This does not necessarily mean that your data should not be shared at all. Instead, it means that processes should be put in place to ensure the security of the sensitive data files while also permitting access through alternative secure methods. Below are a few examples of ways to share sensitive data and facilitate access requests. Please keep in mind that these are merely a few options, and you should think through your sharing and access restriction protocols before enacting any measures described below. You might implement one or multiple options depending on your data needs. Additionally, please ensure you consult IRB requirements and federal regulations while developing any access request workflows.

Discovery via Metadata in a Data Repository

If the data are too sensitive to share in an open data repository, some repositories will permit researchers to create a metadata record describing the data and documentation from a research project. The metadata record acts as a finding aid for researchers interested in learning more about your data. In some cases, you may be able to include documentation and other relevant materials for users to download. You may also include access request instructions within the metadata record. These instructions should clearly describe the steps a user must take to request access to the restricted, sensitive data. Please note that with this option, researchers do not include a publicly available dataset in the data repository.

Creating a metadata record for your sensitive data increases the visibility and discoverability of your research and may meet a funder’s data management and sharing requirements. Please fully review the funding agency’s data sharing policies and discuss sharing options with RDMC staff as appropriate.

Restricted Access via Data Use Agreements

A data use agreement is a formal agreement made between a potential secondary user and an institution that clearly stipulates the conditions under which data from the research project may be utilized. The agreement may include limitations on the amount of data shared, the location where the data may be accessed, how long the data may be accessed, the person(s) permitted to use the data, and whether further analyses on the data may be published.

If you are unable to share your research data publicly due to their sensitivity, you should consider implementing a data use agreement as part of a data access request workflow. Data use agreements should be discussed with the UNC Office of Sponsored Programs Industry Contracting team. Industry Contracting also created the Data Use Agreement Guidance to help determine if a DUA is needed for data sharing.

Here are a few resources to learn more about DUAs:

Health Care Systems Research Network DUA Toolkit

Data2Health Data Use Agreement Library

Secure Access via File Transfer (FTP, OneDrive, Encrypted File Transfer Services)

With a data use agreement in place and instructions available for requesting access to restricted, sensitive data, it is recommended that you identify a secure mechanism for transferring the data to a secondary user. This could include a secure file transfer protocol through the university, transfer through UNC-approved OneDrive, or transfer by a third-party encrypted file transfer service.

Whichever option you choose, please consult with UNC ITS or your department ITS to make certain your chosen method is the most appropriate for the type(s) of data you are planning to transfer.

Off-Network Access via Secure Data Enclave

Some data may require more access restrictions due to their sensitivity. In these cases, more consultation with UNC ITS may be required to determine the most appropriate mechanism for securing the data. A secure data enclave, essentially an off-network secure desktop, may be the solution. If you are anticipating data with a high level of security requirements, but would still like to share aspects of it, a secure data enclave may be an option for facilitating access requests in a designated location on campus.

Please discuss your options with UNC ITS or your department ITS.

Resources

UNC IRB and the Office of Human Research Ethics - https://research.unc.edu/human-research-ethics/standard-operating-procedures-sops/

UNC HIPAA Guidance - https://privacy.unc.edu/protect-unc-information/hipaa/

UNC HIPAA Training - https://www.med.unc.edu/security/hipaa/hipaa-train/

UNC FERPA Guidance - https://registrar.unc.edu/academic-services/uncferpa/

Additional UNC Privacy Guidelines and Requirements - https://privacy.unc.edu/protect-unc-information/

References

Data Use Agreement Library. GitHub. (n.d.). https://github.com/data2health/governance-pathways/blob/master/library.md

Health Care Systems Research Network. (2021, December). DUA Toolkit: A Guide to Data Use Agreements. https://hcsrn.org/wp-content/uploads/2021/12/HCSRN_DUAToolkit.pdf

Office for Civil Rights. (2012, September 7). Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule [Text]. HHS.Gov. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

 

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

 

RDM Guidance formatting was influenced by The Writing Center, University of North Carolina at Chapel Hill Tips & Tools handouts.