ODISSEI User Policy
Version: March 2021 (also available in pdf)
Ricarda Braukmann, Tom Emery, Lucas van der Meer
ODISSEI is the Open Data Infrastructure for Social Science and Economic Innovations (www.odissei-data.nl). It consists of Member Organizations that pay an annual membership fee. ODISSEI uses the revenue generated through the membership fees and through 3rd party financing to provide services to its Member Organizations. In order to access these services, an individual must be employed by an ODISSEI Member Organization. This document sets out the ‘Terms of Participation’ for individuals at a Member Organization who wish to use an ODISSEI Service.
The ODISSEI Management Board is responsible for the development and maintenance of these terms of participation. It is the responsibility of the ODISSEI Coordination Team (firstname.lastname@example.org) to ensure that these terms of participation are visible, enabled and enacted.
ODISSEI is a federated infrastructure which provides a single operational framework for multiple ODISSEI Service Providers to support social scientists. These Service Providers include but are not limited to Statistics Netherlands, SURF, CentERdata, eScience Center, and DANS. Service Providers have their own independent terms of usage and operational policies in addition to those presented here. All ODISSEI Service Providers are also Member Organizations themselves. If there is a conflict between the policies of the Service Provider and ODISSEI with respect to research conducted as part of ODISSEI, it is the responsibility of the Service Provider to make the ODISSEI Coordination Team aware of this conflict. It is the responsibility of the ODISSEI Coordination Team to evaluate the conflict and defer to the ODISSEI Management Board where necessary. Data made available by ODISSEI Service Providers such as CBS Microdata, the LISS Panel or the data collections that are supported by ODISSEI (such as SHARE, GGP, EVS, NKO etc) needs to be FAIR (findable, accessible, interoperable, and reusable). This is the responsibility of the Service Provider.
An ODISSEI User is someone who engages with a Service Provider under the framework of ODISSEI. This means that a Service Provider is providing a service that is conditional on the user being an employee at an ODISSEI member organization. For example, a recipient of a Microdata Access Grant, Microdata Access Discount, a LISS grant, a SoDA project, an ODISSEI eScience project or any other ODISSEI service.
An ODISSEI User can either process the data of an ODISSEI service provider or use an ODISSEI service to process their own data. In this document, such data that is used in conjunction with an ODISSEI service by an ODISSEI User is referred to as ‘User Data’, regardless of whether this is data provided by an ODISSEI Service Provider and processed by the User or it is data brought into ODISSEI by the user and then processed. Such data must be FAIR and is subject to these terms of participation. Failure to do so may curtail their rights to use ODISSEI Services.
2. Legal and Ethical Requirements
ODISSEI is not a data controller. This means that ODISSEI does not hold or own data. ODISSEI Users or Service Providers always remain the controller of their data. All User Data remains with its respective owner and no transfer of Intellectual Property occurs, unless explicitly stated otherwise.
Most of the User Data will contain personal data or even sensitive personal data and therefore falls under the General Data Protection Regulation (GDPR).1 Sensitive personal data in ODISSEI should be processed under Article 9(2(J)) of the GDPR (EU 2016/679). These are ‘Research Grounds’ for the processing of personal data. This means that processing must be in the public interest, or for scientific, research or statistical purposes. To ensure this is observed, ODISSEI and all ODISSEI Users shall act in accordance with Article 89(1) of the GDPR:
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
Data processed on ‘Research Grounds’2 must be pseudo-anonymized and minimized to the level necessary for research purposes. Access to and use of User Data will only be for research purposes. It is the responsibility of an ODISSEI Service Provider to ensure that adequate security and technical measures shall be put in place to ensure compliance with Article 89(1) and the responsibility of ODISSEI Users to only process data for research purposes. ODISSEI Users should report to the ODISSEI Coordination Team and respective Service Provider if they perceive security or technical measures to be inadequate.
The use of ODISSEI services shall not be for commercial purposes or for purposes other than those outlined in Article 89(1)3 of the GDPR. Data processing should be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
ODISSEI Users must be registered employees at one of these ODISSEI member organisations. Ethical approval needs to be in place and is the responsibility of the respective member organization. This ethical approval should critically evaluate participant information sheets and consent procedures where applicable. Cases that are particularly complex or sensitive, or those presenting a specific conflict of interest can be referred to the ODISSEI Data Protection Office (email@example.com) under the discretion of the relevant users institution.
Processing User Data may require further ethical considerations as stipulated by the data controller, in instances where this is not the data user. Where applicable, this will be clearly indicated and completed in a timely manner by the data controller.
3. FAIR Data
An open data infrastructure is one that increases the findability, accessibility, interoperability and reusability of data (FAIR). ODISSEI Users are required to ensure User Data is FAIR. The general FAIR principles are displayed in Appendix A. In order to ensure that all User Data aligns with the FAIR principles, the following specific ODISSEI guidelines apply:
- User Data must be accompanied with appropriate and detailed metadata that accurately describes the dataset and provides all relevant information including usage rights, licenses and associated datasets.
- User Data should be documented using existing international metadata standards. If unsure of the appropriate standard, the ODISSEI User should consult DANS (ODISSEI contact person at DANS is Ricarda Braukmann).
- Metadata must be publicly available under a Creative Commons (CC0) license.
- Metadata should be provided in English and, where relevant, Dutch information should be added.
- User Data should be deposited in a Trustworthy Digital Repository (TDR) and allocated a Persistent Identifier (PID) within 6 months of a research project being completed.
- A dataset’s access procedures must be published as part of its metadata. These procedures should be clear, comprehensive and transparent. Access to the data should be sustainable in so much as they are not dependent on the consent of a specific individual.
- User Data should use international standards and best practices where possible.
- User Data should be stored in open and sustainable formats. For a list of formats that can be considered sustainable see for instance the recommendations by DANS.
- User Data should include metadata that is stored in a machine-readable format.
- When creating a Data Management Plan (DMP), ODISSEI Users should follow a suitable standardized DMP template, for instance from NWO, and describe the data and procedures in as much detail as possible.
- Code used to produce, enhance or adapt the User Data should be made available alongside the User Data where possible.
- Efforts should be made to enhance the FAIRness of the code, e.g. by following the recommendations for FAIR-software (www.fair-software.nl).
- User Data must be accurately cited in scientific research with reference to the dataset’s PID.
- Access procedures for User Data should be clearly stated as part of the accompanying metadata and sustainable access procedures put in place to ensure reusability and replicability. Access to the data should be sustainable in so much as they are not dependent on the consent of a specific ODISSEI User.
- It is not permissible to restrict access to User Data due to a conflict or overlap with existing research projects. Nor is it permissible to require co-authorship of resulting scientific papers as a condition of access.
- All ODISSEI users must follow the open access policy of NWO (https://www.nwo.nl/en/open-access-publishing)
4. FACT Users
ODISSEI Users must adhere to the Netherlands code of conduct for research integrity. This code emphasizes honesty, scrupulousness, transparency, independence and responsibility. ODISSEI Users are also required to abide by the FACT principles which emphasize Fairness, Accuracy, Confidentiality and Transparency. FACT principles compliment FAIR principles by providing a research code of conduct for data intensive research.
- ODISSEI Users are responsible for communicating data and analytical methods in a fair and balanced manner.
- ODISSEI Users will avoid unfair conclusions without due consideration for the manner in which the data was collected, processed and analyzed.
- ODISSEI Users must critically assess analytical outputs and interpret them in a fair and balanced way and present all analytical outputs alongside the limitations of the data and methods used.
- ODISSEI Users must strive for accuracy throughout the research lifecycle to avoid misleading conclusions.
- ODISSEI Users are responsible for the communication, not only of results, but the accuracy of such results and the degree of accuracy of any analysis.
- The communication of accuracy is not dependent on the audience to which the results are being communicated.
- ODISSEI Users are required to report any breach of confidentiality or data subjects’ rights to the ODISSEI Coordination Team immediately.
- ODISSEI Users must refrain from undertaking analysis which disclose the identity of a specific individual or organization.
- ODISSEI Users are responsible for communicating with data subjects in a clear and accessible way with regards to the risks associated with participating in a study and their rights when doing so.
- ODISSEI Users must make all data processing code associated with published scientific outputs available under an open license.
- ODISSEI Users are responsible for accurately documenting all generated data and associated code.
- ODISSEI Users are required to enable and facilitate replication of analysis wherever possible.
- ODISSEI users must acknowledge the use of ODISSEI services in any publication resulting from data processed on ODISSEI infrastructure, for example using the text below or equivalent: “This research was conducted in whole or in part using ODISSEI, the Open Data Infrastructure for Social Science and Economic Innovations (https://ror.org/03m8v6t10)”
5. Open Data
ODISSEI subscribes to the principle of ‘as open as possible, as secure as needed’.
While User Data should where possible be shared with an open license, restricted access can apply to User Data containing (sensitive) personal data. Special dispensation to charge for access to User Data must be obtained from the ODISSEI Management Board.
Importantly, however, User Data should be archived in a Trustworthy Digital Repository and the metadata of all User Data needs to be available under a CC0-license in all cases. In addition, production code should be made openly available and the guidelines for FAIR software and code should be followed (www.fair-software.nl).
Appendix A – FAIR Principles
|F1||(meta)data are assigned a globally unique and eternally persistent identifier|
|F2||data are described with rich metadata|
|F3||(meta)data are registered or indexed in a searchable resource (able to google data-objects)|
|F4||metadata specify the data identifier|
|A1||(meta)data are retrievable by their identifier using a standardised communications protocol|
|A1.1||the protocol is open, free, and universally implementable|
|A1.2||the protocol allows for an authentication and authorization procedure, where necessary|
|A2||metadata are accessible, even when the data are no longer available|
|I1||(meta)data use a formal, accessible, shared, and broadly applicable language for knowledge representation|
|I2||(meta)data use vocabularies that follow FAIR principles|
|I3||(meta)data include qualified references to other (meta)data|
|R1||(meta)data have a plurality of accurate and relevant attributes|
|R1.1||(meta)data are released with a clear and accessible data usage license|
|R1.2||(meta)data are associated with their provenance|
|R1.3||(meta)data meet domain-relevant community standards|
APPENDIX B – Glossary
|ODISSEI||The Open Data Infrastructure for Social Science and Economic Innovations, see www.odissei-data.nl.|
|ODISSEI Member Organisation||Organisations that pay an annual contribution to ODISSEI. A list can be found on the ODISSEI site.|
|ODISSEI Service Provider||An ODISSEI Member Organisation operating an ODISSEI facility to provide ODISSEI Services|
|ODISSEI Infrastructure||The conjunction of all facilities operated by ODISSEI Service Providers partners that are developed using ODISSEI funding|
|User Data||Data and metadata that has been processed by an ODISSEI User as part of work with an ODISSEI Service Provider|
|ODISSEI User||Individual researchers using an ODISSEI Service|
|ODISSEI Coordination Team||The team responsible for day-to-day operations of ODISSEI, located at Erasmus University Rotterdam (firstname.lastname@example.org).|
|ODISSEI Data Protection Office||The part of the ODISSEI Coordination Team that deals with data protection (email@example.com).|
|ODISSEI Management Board||The ODISSEI board that supervises day-to-day operations.|
|Data controller||The instance that determines the purposes for which and the means by which personal data is processed. This is typically a formal legal entity that is responsible for the maintenance and use of the data. A data controller can grant access and processing rights to a data processor.|
|Data processor||The instance that processes personal data only on behalf of the controller. This can be an organization or an individual researcher.|
|PID||A Persistent Identifier, such as a Digital Object Identifier (DOI) or ORCID.|
|ISO||International Standardization Organization|
|FAIR||Findable, Accessible, Interoperable, and Reusable data|
|FACT||Fair, Accurate, Confidential, and Transparent data analysis.|
|TDR||Trustworthy Digital Repository|
- 1. In order for the GDPR not to apply, the data must be fully anonymized and it must be impossible to identify individual subjects within the data.
- 2. Research is defined by Recital 159 of the GDPR, and “should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”
- 3. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.