Data Transfer Process Guideline

CLINICAL RESEARCH DATA SHARING REPOSITORY - GUIDELINE

Data Transfer Process – Overview

PURPOSE

This guideline provides an overview of the steps involved in managing the transfer of material to the clinical research Data Sharing Repository (crDSR). It spans the whole process from initial enquiry, through development and signature of a Data Transfer Agreement (DTA), quality checks on required metadata, the transfer of data objects to the repository, and finally the findability of the available data objects. It describes the responsibilities of the different organisations involved and the information that should be generated as a record of the transfer process.

THIS VERSION

1: 18th July 2024

SCOPE

This guideline applies to all transfers of data objects to the crDSR.

Terms and Abbreviations

clinical research Data Sharing Repository (in this document: crDSR or repository)

The clinical research Data Sharing Repository (crDSR) is a joint project of the European Clinical Research Infrastructure Network (ECRIN) and the University of Oslo (UiO).

ECRIN manages the storage of metadata relating to clinical research, so as to allow clinical research data to be found and eventually accessed.

UiO operates the secure environment (Trusted Research Environment, TRE) where sensitive data is stored for secondary use. It also enables the secure transfer of the data from the data provider to its TRE, called TSD.

Data Object

A Data Object is any file available in electronic form, of any type (document, data, media, etc.). The repository is designed to contain protocols, analysis plans, consent forms, result summaries and other documents associated with a clinical research study, as well as Individual Participant Data (IPD, see dataset definition below).

Dataset

The term Dataset refers to a data object that contains only data – e.g., a spreadsheet, CSV, JSON or XML file, database dump, etc. In the context of the repository, “dataset” will usually refer to the file or files of IPD derived from a clinical trial/study.

Data Object Provider (in this document: Provider)

A Data Object Provider is an organisation that provides data objects to the repository. The Data Object Provider (e.g., clinical trial sponsors) is assumed to have the legal power to enter into a Data Transfer Agreement with ECRIN. For datasets of sensitive personal data, the Provider would be the data controller as defined under the EU GDPR.

Data Transfer Agreement (in this document: DTA)

A legal agreement between ECRIN and the Data Object Provider that, inter alia, specifies the material to be transferred, the access arrangements required, and clarifies roles and responsibilities of the organisations involved.

Repository Manager (in this document: RM)

A Repository Manager is an ECRIN staff member (employee/consultant) who follows the processes of data transfer and data use.

Trusted Research Environment (in this document: TRE)

TREs are highly secure computing environments that provide remote access to sensitive data for approved researchers to use in research. Also known as ‘Data Safe Haven’ or ‘Secure Processing Environment’.

Overview of the process

In broad terms the Data Transfer Process has the following stages:

  1. Initial enquiry and clarification of requirements

  2. Preparation and collection of metadata

  3. Development of Data Transfer Agreement (DTA)

  4. Agreement of all parties to the DTA

  5. Quality checks on metadata

  6. Transfer of data objects to the crDSR

  7. Public release of metadata

Figure 1 provides a diagrammatic representation of these stages, and each is considered in more detail below.

Initial enquiry and clarification of requirements

The crDSR landing page contains a “Contact us” button that redirects users to a contact form designed to collect initial enquiries, both those of a general nature and specific requests to store data. Incoming enquiries are handled by the Repository Manager. ECRIN provides guidance on the requirements of the crDSR, e.g., the need for discovery and descriptive metadata, the need for data to be pseudonymised/anonymised, and the options available for data access. The Data Object Provider will need to indicate the data objects they intend to transfer and, in broad terms, the access arrangements they want to see applied to them. The Data Object Provider should also indicate the source study (or studies) and, if it is registered, also provide a trial registry ID. If the study is not registered, Data Object Providers will be strongly encouraged to register it before proceeding. The source study, the list of data objects to be transferred, and the access arrangements will be logged in the repository.

Preparation and collection of metadata

Metadata for discovery, access and provenance is collected in the repository. The metadata is structured using the ECRIN metadata schema[1], plus some additional fields required to clarify data object management in the repository. Steps include:

  • Data Object Providers should nominate one person who will be responsible for the provision of metadata for the study and the associated data objects in the crDSR. Their basic personal details (full name, organisation, role within the organisation, professional e-mail) are communicated to the Repository Manager.

  • These individuals are set up by the Repository Manager as named users within the crDSR. User authentication and authorisation are supported by the Life Science Login (a.k.a. Life Science Authentication and Authorization Infrastructure, LS AAI)[2].

  • Data Object Providers should also indicate the person or people who will represent the organisation for the negotiation and signature of the Data Transfer Agreement (DTA). Their basic personal details are stored in the crDSR.

  • The Repository Manager initiates a Data Transfer Process and sets up records for the source study or studies. For registered studies, metadata can be automatically extracted from the clinical research Metadata Repository (crMDR)[3].

  • User permissions are set up so that the person indicated by the Data Object Provider for the submission can edit the study and associated data object information.

  • Data objects and the required metadata are then provided by the person indicated by the Data Object Provider for the submission. The crDSR user interface provides guidance to users. In case of doubt, enquiries should be addressed to the Repository Manager.

Development of Data Transfer Agreement (DTA)

The repository provides a standard Data Transfer Agreement template, which will be shared with Data Object Providers. The information collected in the crDSR will be used to complete the specific fields in the Data Transfer Agreement with the Data Object Provider. In legal terms, the Data Object Provider remains the data controller, with the crDSR acting as a data processor on behalf of the Data Object Provider.

The DTA will list the data objects and the precise access arrangements to be applied to each, including any embargo periods or any other ‘release to public’ mechanism. It shall deal with possible revisions of data objects. Individual Participant Data (IPD) shall be qualified, by the Data Object Provider, as either ‘pseudonymised’ or ‘anonymised’. A brief justification of that status shall also be provided. The Data Object Provider shall clarify the legal basis for a) sharing IPD with the crDSR, and b) sharing IPD with others for secondary use (the basis is likely to be the same in both cases).

The Data Object Provider shall also agree to provide the required descriptive metadata file(s) for any IPD, as well as a description of the pseudonymisation/anonymisation steps that were carried out on the IPD.

The crDSR will keep the data securely for 10 years and provide proper backup and other data management services. Possible changes/extensions of the default data storage period can be considered and will be managed through amendments of the initial Data Transfer Agreement. For controlled access objects it will adhere to the Data Object Provider’s requested access regime.

Technical and organisational measures to ensure data security are described in the TSD whitepaper and the TSD security handbook, which will be appended to the DTA.

Agreement of all parties to the DTA

The DTA should be signed by the legal representative of the Data Object Provider and the legal representative of ECRIN. The signatories and the date are logged in the repository. Introducing non-standard elements during the DTA negotiation is discouraged but can be considered if necessary.

Quality checks on metadata

The Repository Manager shall check that:

  • Any IPD is supported by descriptive metadata

  • Any IPD is supported by a summary description of the pseudonymisation/anonymisation steps taken

If the checks are successful, the data objects will be transferred to the Trusted Research Environment of TSD (UiO).

Transfer of data objects to the repository

The crDSR provides, with its user interface, an easy mechanism for the transfer of data objects. A button for upload is made available when the metadata submission process has been completed and the DTA has been signed. Upload completion is logged in the repository.

Public release of metadata

Study and data object metadata are publicly available using the browsing mode of the repository. Data objects that are under managed access should indicate how access can be requested, again as part of the required metadata.
