Skip to ContentSkip to Navigation
Digital Competence Centre
your one-stop for research IT and data
Digital Competence Centre Data & Software Management Archive & Publish

Data with restricted access

Although data can often be shared openly, sometimes access needs to be restricted. This means that your data is only shared with interested parties under well-defined conditions. In line with the FAIR-principles, restricted access data should be made 'as open as possible and as closed as necessary'.

What are reasons to restrict access to your data?

There can be various reasons for restricting access to research data, which are not mutually exclusive. Reasons can be both practical (e.g., related to size and costs) and legal (e.g., respecting third party licences). You are encouraged to think carefully about all potential reasons for restrictions, how you want to make these data available for reuse and the Terms of Use.

Size and costs

Size and costs

Practical reasons for restricted access to research data can be related to the size of the dataset and the costs for data publication. Most data repositories have a maximum size for data publication. Currently, datasets larger than 50 GB usually come with additional conditions or are not supported at all. Furthermore, there are generally costs associated with depositing data in public repositories. 

How to restrict access

If costs cannot be covered or if the dataset is too large to be deposited in a public repository, you are encouraged to archive the data at UG facilities instead (e.g., Y: drive or RDMS), and possibly publish a sample of the dataset in DataverseNL. 

Terms of use

Datasets archived at UG facilities can still be shared with interested parties under a CC0 1.0 (or CC BY 4.0) licence, assuming there are no further restrictions. 

Embargo

Placing an embargo on your data

It is possible that you would like to make the data publicly available, but that you may need additional time to analyse or publish your findings. In the field of astronomy, for example, it is common practice to receive a time window to analyze data from a telescope, after which the data automatically becomes publicly available. Because these datasets are very rich and expensive, researchers from all over the world may benefit from access to the data. The embargo ensures that the PI who created the dataset has time to publish their research without worrying about competition. The same yields for research projects with a commercial potential.

How to restrict access

In that case, you can place an embargo on your research data, restricting access to the data for a limited period. This period generally ranges from six months to three years after depositing the data. Depending on the platform used for data publication, you could specify a date or a period of time after which the embargo should be lifted or whether the embargo should be lifted manually.

Terms of Use

When the embargo period ends and no other reasons for restricted access apply, the data become publicly available with a CC0 1.0 (or CC BY 4.0) licence.

Privacy and data protection

Privacy and data protection

When a dataset contains data collected from human subjects, you will need to comply with the General Data Protection Regulation (GDPR), which prohibits you from sharing personal data openly with the general public. Before publishing your data, it is important to think carefully about whether 1) there is a possible risk of re-identification of the participant, for instance by combining different datasets, due to demographics, or outliers. 2) participants provided consent to the reuse of their data.

How to restrict access

Datasets containing personal data can be deposited in the UG default data repository DataverseNL, but access to the datafiles usually has to be restricted, which can be done on the platform. DataverseNL is not suitable for highly sensitive personal data. Instead, you are encouraged to archive the research data at the Y: drive or RDMS

Terms of use

When needing to protect personal data, Creative Commons licences are not suitable. Instead, custom Terms of Use have to be set which will largely depend on the consent given by the participants. As such, the custom Terms of Use have to reflect what is allowed according to the informed consent and, more generally, the GDPR.

Sensitive and/or confidential data

Sensitive and/or confidential data

Data does not necessarily need to be personal data (anymore) in order to be sensitive. There may be circumstances where the public release of data might put research participants, vulnerable groups or the public at risk. Sensitive data can for instance include information on domestic energy usage that could possibly be used to determine occupancy patterns in participants' homes. In addition, confidential data could refer to data which reveals private information about a company or could threaten national security (e.g., nuclear research).

How to restrict access

Unfortunately, DataverseNL is not suitable for highly sensitive or confidential data. Instead, you are encouraged to archive the research data at the Y: drive or RDMS

Terms of Use 

Think critically about whether and how the data can be reused by others as Creative Commons licences are not suitable for sensitive and/or confidential data.

Third party licenses

Third party licenses

If you are making use of data from other sources (e.g., existing datasets or databases), you are encouraged to carefully read the Terms of Use set at the source. One example is the use of Twitter data. Twitter allows researchers to scrape social media data from its platform via the Twitter API. When you use the API, you agree with the terms in the licence which states that Twitter or user IDs can only be shared with other researchers, and not with the public.

How to restrict access

You should always comply with third party conditions. Whether or not you are allowed to make the data available for reuse, will largely depend on this third party licence. If the licence allows you to make (parts) of the data publicly available, your dataset could be deposited in the UG default data repository DataverseNL. Datafiles usually have to be restricted, which can be done on the platform. DataverseNL is not suitable for highly sensitive personal data. Instead, you are encouraged to archive the research data at the Y: drive or RDMS.

Terms of Use

Reuse cannot extend to what was specified at the source.

How can I allow others access to my restricted data?

By facilitating the reuse of your data you enhance the impact of your research. In order to allow others to gain access to restricted data, a clear access procedure is needed. Depending on where the data is stored (e.g., Y: drive, RDMS, or DataverseNL) and the Terms of Use, the access procedure may differ.

In any case, you should inform others about the data through, for example, a Data Availability Statement in your publication. Make sure it is clear how interested parties can get in touch with the persons or services facilitating the transfer of the data. This is not necessarily the corresponding author. Recommended means of (digital) transport are SURFfilesender and Unishare. You should also consider what information is required from the requesting party to facilitate the transfer of the data (e.g., email or address).

Option 1: DataverseNL (restricted access light)

Option 1: DataverseNL (restricted access light)

A simple procedure can merely consist of a check of the credentials of the requesting party. For instance, if the Terms of Use specify that the data may only be shared with researchers affiliated with a university or not-for-profit research institute. If this is the case for a dataset published in DataverseNL, support staff of DataverseNL at the UG can validate the request on behalf of the authors and grant access to the requesting party via the platform.

Option 2: Faculty Y-drive or RDMS

Option 2: Faculty Y-drive or RDMS

If the data is archived on the Y: drive or RDMS, the responsible faculty members (e.g., researchers, ethics board, or other relevant staff members) can validate the request and grant access to the data by sending the dataset to the requesting party through SURFfilesender or Unishare.

Option 3: Data Transfer Agreement

Option 3: Data Transfer Agreement

A stricter procedure can require the signing of a Data Transfer Agreement (DTA). A DTA —sometimes referred to as a Data Sharing Agreement or a Data Use Agreement—is a legal contract that defines the specific purposes for which the data may be used by the requesting party. It specifies the rights and obligations of both parties involved and sets out the measures for data protection. The UG has their own model DTA that may be tailored for the dataset of your research project. The Privacy and Security coordinator of your Faculty or the DCC can help you in this process. Moreover, the DTA always has to be signed by an authorised person. At the UG, this is the Managing Director of your Faculty or the Dean of the Board of the University, depending on the level of risk.

Example access procedure with DTA - DataverseNL

An example of an access procedure for DataverseNL that includes the signing of a DTA is the procedure for a dataset of UG Faculty of Arts researcher dr. Tommaso Caselli: “DALC - Dutch Abusive Language Corpus”.

Example: how to get access to the DALC - Dutch Abusive Language Corpus dataset

The dataset “DALC - Dutch Abusive Language Corpus” is created by UG Faculty of Arts researcher Dr. Tommaso Caselli. It is available under restricted access via DataverseNL. This dataset contains personal data. The Terms of Use for this dataset limit the use of the data to conduct not-for-profit scientific research only. Researchers interested in the dataset can request access via DataverseNL.

Step 1: The administrators and curators of DataverseNL at the UG are notified of the request and will contact the requesting party to ask for additional information such as their affiliation, line of research, and reason for the request.

Step 2: The curators will subsequently check the credentials and consult with the UG researcher for scientific relevance.

Step 3: When the request is deemed valid, the curators will send the tailored DTA to the requesting party, who will need to fill in the following details in the DTA:

  • a detailed description of research/intended use of the data
  • the first and last name of the principal investigator of the requesting party, including their job title
  • description of security measures
  • the name and job title of the contact person

Step 4: An authorized person at the requesting institute has to sign the DTA. The requesting party can return the signed document to the UG curators, who will subsequently send the DTA to General & Legal Affairs (AJZ) for a legal check. Once AJZ gives the go-ahead, the UG curators will ask the Privacy & Security coordinator of the Faculty to have the DTA signed by the Managing Director of the Faculty.

Step 5: The Privacy & Security coordinator will return the signed DTA to the UG curators, who will subsequently send a copy to the requesting party. Finally, the curators will grant access to the dataset via DataverseNL.

Laatst gewijzigd:26 januari 2024 14:40