Selecting an appropriate access level and licence for your Data Sharing Collection

When you publish your Data Sharing Collection (DSC), it is important to specify the conditions and restrictions of data sharing.

Restricting access to sensitive data is important to protect the privacy of your research participants or prevent harm to communities, ecosystems, cultural or ethnic groups, commercial parties, etc. Sensitive data include:

  • Human participant data which cannot be anonymised, i.e. pseudonymised or directly identifiable personal data

  • Data involving controlled use of animals

  • Data subject to contractual constraints, such as licences, collaboration or data processing agreements, or funder agreements

  • Data with commercial potential or that may be patented

  • Data subject to export controls

  • Environmentally sensitive data

  • Politically sensitive data

Specifying the conditions of data sharing is also important for the reusability (the R in FAIR data management) of your data: researchers from the external scientific community must know what they can do with your data. Under what conditions can they access the data, can they re-share your data, can they use your data for commercial purposes, etc?

The collection manager must therefore specify the conditions of data access to a DSC by choosing an appropriate access level: Open access, Open access for registered users, or Restricted access. The conditions of re-use must be specified by selecting a proper licence or Data Use Agreement (DUA) based on the selected access level. If you are in doubt about which access level, licence or DUA to choose, contact your data steward.

The following options for sharing can be considered (click a title for more information):

Open access

Data of Open access DSCs can be accessed by any user of the Radboud Data Repository (RDR) anonymously (i.e., without logging in). The collection manager cannot identify external users of the collection in any way. Open access DSCs can be recognised based on their green "Open access" tag.

../../_images/selecting-oa-tag.png

Radboud University's research data management policy dictates that research data must be shared as open as possible and as closed as necessary. Therefore, if there are no reasons to restrict access to your data (i.e. if your data are not sensitive, see the definition above), you should choose an Open access DSC. If your data have been acquired on human subjects and they cannot be fully anonymised, you are not allowed to choose an Open access DSC. Visit our best practice page on data anonymisation and pseudonymisation to find out if your data are fully anonymised.

In Open access DSCs, the conditions of re-use must be specified in a licence. External users of the DSC implicitly accept the terms of that licence by downloading the data. The RDR offers a variety of licences for you to choose from.

To share your data as open as possible, we recommend that you choose a CC0 licence. Under this licence, you waiver any copyright you might hold to the data and place them in the public domain. CC0 was designed to reduce any legal and technical impediments to the reuse of data. The easier you make it for people to understand the conditions for reusing data -and the clearer you make it that you will not be suing people who do- the more likely it is that your data will be reused. That is especially important when it comes to research data: facts, and therefore most raw data, are not subject to copyright. That means that if you place a copyright licence on your data collection, the conditions and restrictions specified in that licence do not apply to that part of your collection that is not copyrightable. That can become very confusing since people can argue about whether something is copyrightable or not and something can be copyrightable in some countries but not others. To avoid confusion for end users, we recommend the use of a CC0 licence for publishing data collections.

You might be worried that if you waiver your copyright, you will not be attributed for your work. However, keep in mind that giving up your copyright does not exempt those who reuse your data to follow community norms for scholarly communication. Researchers are encouraged to cite your work since it is common practice in the scientific community and data without a citation are not considered trustworthy.

For more information on why using CC0 is becoming the standard of sharing research data, see the following blogs: CC BY and data - Not always a good fit and Why does Dryad use CC0?.

If you want to place restrictions on the re-use of your data, you can opt to use another CC licence. Be aware that in some cases, for example if you have pre-existing agreements, you cannot release your data under the CC0 terms and must choose a non-public domain CC licence. Pay extra care if you are not the owner of (part of) your dataset. For example, if your work is based on data that were published under a ShareAlike licence and you want to redistribute those data, you should use the same licence terms as the original dataset. Furthermore, you should check for funder obligations. Some funders recommend or oblige particular licences for the research they fund. For those situations, the RDR offers a variety of licences.

All non-public domain CC licences require attribution of the author. This is indicated by the text BY in the name of the licence (e.g., CC-BY). To find out which non-public domain licence meets your requirements, you can follow the decision tree below. More information can be found on the webpage of CreativeCommons.

../../_images/decision-tree-licence.png
Open access code sharing

If you only share source code of software, simulations, or data analysis scripts (i.e., no research data originating from measurements), you should use a copyright agreement rather than a licence. You can find help on choosing a proper copyright agreement here.

The RDR offers the following copyright agreements:

GPL-2.0

GNU General Public License v2.0

GPL-3.0

GNU General Public License v3.0

LGPL-3.0

GNU Lesser General Public License v3.0

APACHE-2.0

Apache License 2.0

ARTISTIC-2.0

Artistic License 2.0

BSD

BSD 2-clause "Simplified" License

EPL-1.0

Eclipse Public License 1.0

MIT

MIT License

MPL-2.0

Mozilla Pu

Open access for Registered Users

Data of Open access for Registered Users DSCs are accessible following authentication. That means that a user must log in and explicitly agree with the terms of a Data Use Agreement (DUA) before the data can be accessed. The collection manager can identify external collection users since they will be added as viewer to the collection. Your collection's metadata -including the list of files- are visible to anyone.

There are two use cases for Open access for Registered Users DSCs, each with a corresponding DUA.

  1. The data of your collection have been acquired on human subjects and are potentially identifiable or should be regarded as pseudonymised. For directly identifiable data, a Restricted access DSC (see below) must be used. If you need help to find out if your collection contains personal data, check out our best practice page on data anonymisation and pseudonymisation or contact your data steward.

    In the case of sharing potentially identifiable data, the conditions of data sharing must be specified better than in an open access licence in order to protect the privacy of research participants. For example, it is important that re-users will not attempt to identify research participants based on the data. It is also important that re-users can be identified so that they can be held accountable for responsible use of the privacy-sensitive data. For this purpose, Radboud University developed a DUA specifically for sharing potentially identifiable human data: Radboud University - Human Data - 1.1 (RU-HD-1.1).

  2. The data are potentially identifiable human data, as in use case 1, and your informed consent form stated that research data will be shared for scientific use only. Some of Radboud University's research institutes' (older) informed consent form templates contained such a statement. In this case, the DUA must mention that re-use is allowed only for the purpose of scientific research, in addition to the conditions of re-use specified in RU-HD-1.1. Such a stipulation is included in the DUA Radboud University - Human Data - Scientific Use - 1.0 (RU-HD-SU-1.0). Note that -in line with Open Science- we strongly recommend to use RU-HD-1.1 if your informed consent form allows for this. Contact your data steward if you are in doubt.

Restricted access

Restricted access DSCs require explicit approval of data access requests by a person. That person can be the collection manager or an external researcher or committee that is responsible for handling data access requests (a so-called Data Access Committee; DAC). This means that a researcher who wants to use your data, must request access to your data and specify what they want to use your data for. You or a data access committee can evaluate based on their motivation whether access can be granted. If so, you and the data access applicant must set up a DUA and have it signed. Only after a DUA has been signed, should the collection manager grant access. Your collection's metadata -including the list of files- are visible to anyone.

Be aware that if you choose for a Restricted access DSC, you will receive an email of each access request. The data access applicant will be in cc of this email, and therefore obtain access to your email address.

Restricted access collections serve for sharing sensitive (see the definition above) and/or directly identifiable data. Always consult with your data steward before sharing directly identifiable data via a Restricted access DSC. For sensitive data it is important to verify the identity of an end user so that they can be held accountable for responsible use of the data. It might also be necessary to confirm that the use of the dataset does not cause harm. In the case of directly identifiable personal data, it is important to assess that an end user's research question can be answered with your data and that it complies with the data use described in the informed consent form.

For Restricted access collections, a DUA must be signed by an authorized person representing the data provider (the dean of your research institute) and a representative of the data user. Radboud University offers a template DUA that you can use: RU-RA-DUA-1.0 (for a pdf version see here). To work with this template, simply select it in the “Data Use Agreement” field when you add metadata to your DSC. When you receive an access request, contact your research administrator and the data access applicant (both will be in cc of the access request) and work together to fill in the DUA. The research administrator uses ValidSign to allow the authorized persons to electronically sign the DUA. Make sure to safely store the signed DUA according to your OU’s guidelines.

Warning

This DUA is suitable for sharing data with parties within the European Union or countries that offer an adequate level of data protection according to the European Union (see the list of non-EU countries with an adequate protection level). Please check whether the data access applicant is located in one of these countries. If you want to share data with parties outside of the above-mentioned countries, contact the university’s legal department.

If our template DUA does not suffice for you, you can set up a custom DUA in collaboration with the legal department of Radboud University. In that case, send your custom DUA to us at rdmsupport@ubn.ru.nl so that we can add it to the “Data Use Agreement” metadata field (see our help page on adjusting metadata).

When setting up a DUA, always consider the following aspects:

  1. If applicable, the agreement must specify how to deal with ethical and subject confidentiality issues

  2. The party obtaining the data must be specified

  3. The use of the data must be specified

  4. The agreement must specify the requirement to abide to all laws and regulations (both in the jurisdiction of the data recipient and in the Netherlands), including but not limited to the General Data Protection Regulation (GDPR) and other relevant privacy laws

  5. The agreement must describe the methods and infrastructure the receiver must use to ensure data security

  6. The agreement should specify whether there are restrictions to the use of the data

  7. The agreement should specify whether and how original and derived data can be redistributed and/or shared

  8. The agreement should specify the liability for data and derived data that is redistributed

  9. The agreement should specify whether and how credits and acknowledgements are to be handled

  10. Ensure that nothing in the agreement conflicts with, supersedes, or limits any prior contractual obligations on the part of the user (i.e., you), any third parties, downloaders, or Radboud University

  11. The agreement may specify specific situations under which the agreement is terminated

  12. Make sure not to infringe copyrights of others

  13. You are responsible for making sure that the agreements is legally sound. Therefore, never set up a custom agreement without involving legal experts. You can always contact Radboud University’s legal department (see above)

  14. Always incorporate the laws of the Netherlands as the applicable law and the court of Gelderland, the Netherlands, as the applicable court for conflicts

Warning

Never set up a contract by yourself without the involvement of legal experts. You can contact Radboud University’s legal department if you need help.