Frequently Asked Questions
IDDO uses Microsoft Teams for data transfers. This system is compliant with the stringent requirements of the University of Oxford Information Security (InfoSec) guidance and the requirements of the University of Oxford Research Ethics Committee (CUREC).
A secure research environment is a highly secure computing environment that provides remote access to health data for approved users. It is however costly, and difficult to access from lower-income settings.
One of IDDO’s key guiding principles is research equity, whereby research is driven by researchers from the disease-endemic settings and locations where the data originates from.
A Secure Research Environment would put IDDO’s data repositories out of reach for many users in these locations, and we therefore do not use these systems.
Instead, we use a combination of established legal, ethical and regulatory mechanisms to manage data security and privacy: please see the section on data governance on our website and the data governance FAQs below for more information.
We can handle any type of data in any editable format, in any language. Historically, this has been clinical data from clinical trials, observational studies and surveillance. We are happy to consider new types of data within our wider strategic aims, technical abilities and available resource: get in touch on info@iddo.org to discuss if you think you have data not currently included in IDDO’s repositories.
IDDO standardises the data submitted to it to CDISC SDTM standards, which enables greater accessibility, interoperability and reusability of data. A specialist team of data curators at IDDO carry out this operation, 'translating' the wide variety of data we receive into an internationally recognized, widely used clinical data standard in the community.
Without this standardisation, researchers wishing to use the data would have to spend considerable time and resources combining data from different sources in disparate formats into a common standard, and this curation is an important part of what we do to promote data reuse.
The graphic above depicts the data journey at IDDO. We ask all researchers to register and complete a data access application for the data they want to access. We then complete an internal review to check variable/data availability and statistical feasibility, before passing on your application to the independent Data Access Committee or to the data contributor (depending on the workflow preferred by the data contributor). As part of our data governance process, we also carry out a Data Transfer Risk Assessment to ensure that we comply with the UK’s General Data Protection Regulations (GDPR), and specifically its guide to international transfers. Find out more about the GDPR and guidance on international transfers on the UK Information Commissioner’s Office website.
This review usually takes about 15 working days (3 weeks), and the Data Access Committee are guided by the principle of facilitating data access wherever possible; the committee consider whether there are any ethical, scientific or governance reasons not to grant the data access application.
Once the data access application is granted, the lead researcher making the application and the University of Oxford sign a data use agreement. IDDO then creates and transfers the dataset via a private, safe data channel on Microsoft Teams.
Find out more and make an application for the disease area you’re interested in on Accessing data | Infectious Diseases Data Observatory (iddo.org)
Each includes a regularly updated data inventory: find these inventories under the ‘data sharing’ heading for all our disease themes. We update these inventories every month, but we do sometimes have more data available that is not currently listed on our inventories, especially for malaria. If you’re interested in particular data that is not visible in our current inventory, email us at dataacccess@wwarn.org for a discussion.
IDDO does not charge a fee or any other costs to not-for-profit researchers for accessing data hosted on the IDDO repository: all of the data we host is available free of charge to any legitimate not-for-profit researcher across the world, once our data application process has been completed.
Full details of the conditions you must abide by when accessing data hosted by IDDO are in the IDDO Data Use Agreement: email us at info@iddo.org for this document. The IDDO Data Access Guidelines also have more on the factors we consider when agreeing to data access.
Data contributors continue to own the data after it is curated in IDDO repositories, so data recipients must abide by any conditions that the contributors set – we will let you know about this.
Data recipients must also invite the data contributors to participate in their research, but contributors are not obligated to do this – we will still share the data if the data contributor declines to participate in your research.
Data recipients also need to cite relevant digital object identifiers (DOIs) (including DOIs for specific datasets) and acknowledge IDDO (using our standard wording) in any publications. Further details are provided in the agreements you need to sign before data can be shared.
Sometimes, data contributors may also set additional conditions about sharing the data: we will let you know about any additional conditions you must abide by too.
This is not an exhaustive list: please read our Data Use Agreement (available on request by emailing info@iddo.org) carefully for full details of your obligations as the data recipient. Note that the Data Use Agreement is signed by the individual researcher requesting the data, the researcher's institution, and the University of Oxford (on behalf of IDDO).
The Data journey at IDDO has several steps (see below) to ensure proper data governance, and we would advise leaving at least two months between making a data access application and expecting to receive the data: more complicated requests may take longer, as may the need for clarifications.
The IDDO internal review usually takes 10 days, and the Data Access Committee usually takes 10 days to review data access applications. However, we aim to expedite approvals for research addressing an active public health emergency: following approval from the Data Access Committee chair, we will respond to such requests within three working days.
Following approval after review, the lead researcher making the application also needs to sign the Data Use Agreement before the data can be released: some Universities/Research Organisations may impose conditions on what their researchers can sign, and we would advise discussing the data use agreement with your research organisation in advance to avoid a delay at this stage.
Note that the Data Use Agreement also needs to be signed by the University of Oxford, as IDDO operates under their governance structure, but we will handle this signing, which usually takes around seven days but can be longer.
When contributing data into the IDDO repository, researchers have the option to either assess requests for access to their data themselves (i.e. data contributor review), or have their requests go through the independent IDDO data access committee (data access committee (DAC) review). We pass on data access requests to one of these pathways accordingly.
Sometimes, a data access application may request both contributor- and DAC-controlled datasets, in which case we’ll initiate both pathways in parallel for the relevant datasets.
After the IDDO internal review, we pass on relevant data access requests to the IDDO data access committee.
The governance of the IDDO DAC is independent of IDDO: it is chaired by the World Health Organisation’s Special Programme for Research and Training in Tropical Diseases. In addition to scientific experts in the research fields that IDDO has data repositories for, the IDDO DAC also includes experts on data governance and ethics.
IDDO DAC members will read through the data access request, and consider any ethical or scientific reasons not to approve the application. It generally takes at least 2 weeks for the DAC to complete its review.
The committee operates on the assumption of facilitating access to data wherever possible, and we will pass on any questions/requests for clarifications from the DAC back to the requestor, and relay answers back to the DAC.
Find out more about the IDDO Data Access Committee.
Where the data contributor chooses a contributor-controlled data access process, we will pass on the access requests to them after the IDDO internal review.
Note that the data contributor/data controller is the host institution that has generated the data, not an individual researcher. Data contributors have 10 working days to respond to an access request for the data they control. If they object to the request, they must provide a rationale.
If there is no answer within the 10 working days, we will switch to the Data Access Committee (DAC) review pathway, and pass on the application to the DAC to approve instead. This only happens when contributors do not respond – we always contact contributors first for contributor-controlled datasets.
Find out more on the Accessing Data and Data Access Committee pages. If you are interested in including your data in the IDDO data repository, email us at info@iddo.org for the detailed IDDO Terms of Submission.
The submission of published and unpublished data to IDDO is governed by legally-binding IDDO Terms of Submission. The IDDO Data Access Committee Terms of Reference also set out details of data governance at IDDO and how access to data is handled, designed to enable data reuse while ensuring compliance with data governance issues such as data ownership, equity and credit for data originators.
Please email info@iddo.org if you would like a copy of these legal documents.
Yes. IDDO complies with the European Union (EU) General Data Protection Regulation (GDPR) as well as the UK Data Protection requirements.
Find out more on IDDO Technical and Organizational Measures
IDDO/WWARN data team members will have access to your data as data processors, and they will curate and harmonise your data to CDISC standards. When you upload your data, you will be required to electronically sign the terms of submission and decide whether you want to reject/approve requests to access your data yourself, or to delegate this function to the independent IDDO Data Access Committee.
Your data will be available to researchers who request your data, in accordance with the conditions you set – all data requests for your datasets will be routed to either you (if you choose the ‘contributor controlled’ option) or to the IDDO/WWARN Data Access Committee (if you choose to delegate access while uploading your data).
Note that IDDO/WWARN researchers wanting to use your data in their studies go through exactly the same process to access data as external researchers: the IDDO data access committee is independent of IDDO, and any IDDO/WWARN members or study group leads wanting to use data held in IDDO’s repositories apply to use data in the usual way. The IDDO data team will not pass on your data to internal IDDO researchers for use in their studies, and these requests go through the standard data access request process.
Please see the ‘Accessing Data’ FAQs above for more about Data Access Committee versus Contributor controlled processes, and have a look at the data journey at IDDO to find out more about what happens to your data, and the data access process.
Data access via the Data Access Committee is generally a more efficient option that encourages more open and collaborative data re-use, so after five years, we contact data controllers for contributor-controlled datasets, to ask if they still want to continue with the contributor-controlled option, or switch to the Data Access Committee-controlled option. We will not implement this switch without checking with you first if you choose the contributor-controlled option, and you have the option to continue with the contributor-controlled option indefinitely. We will however check with you if you want to continue with this option every five years.
We follow GDPR guidance for this and other data transfer-related processes. As such, the Data Controller is the institution/organisation where the data was collected. It is not an individual researcher/scientific group leader/principal investigator (PI), though an individual is usually responsible for signing the IDDO Terms of Data Submission on behalf of the institution/organisation.
Though the terms are often used interchangeably, we use GDPR guidance to define these terms:
- Data Controller: the institution (legal body) that sponsored the trial/study and collected the data, and that therefore legally owns the data and abides by the Terms of Service;
- Data Contributor: the PI or whoever submits the data to IDDO and signs on behalf of the institution they represent.
In addition, Data Administrators can include the data contributors or any other appointed staff member in charge of granting approval for data reuse.
IDDO doesn’t simply upload data that has been submitted to its repositories: instead, we process data (submitted in a wide variety of formats) into standardised forms that meet CDISC SDTM standards. Without this standardisation, the data is much less usable, and this data curation is a major part of what we do at IDDO: it enables greater data accessibility, interoperability and reusability.
Depending on the complexity and amount of data, this curation can take several months, and your data will not be immediately available in IDDO’s inventories straight after you submit it. If you are submitting data to meet specific funder/publisher requirements, please do take this delay into account. Under IDDO’s data governance guidelines, we do not pass on raw (uncurated) data to researchers.
Yes, absolutely: you continue to own and have full legal rights to your data, and can use it as you wish, including using it in publications of your own. We do ask you to use any specific IDDO/WWARN analysis or other tools that you use in the publication.
Email us at info@iddo.org with any questions.
The original Data Contributor/Data Controller owns the data. IDDO acts as a Data Processor under GDPR and can only process data as instructed by the Data Controller (i.e. data contributor). Find out more on the Data Privacy Impact Assessment.
Note that the Data Controller is the organisation/institution under whose aegis the data was collected, rather than a specific named researcher/lead scientist.
No. While data stripped of all personal identifiers would no longer be subject to European Union General Data Protection Regulations (GDPR) (therefore making data governance easier), such data would also be useless for research.
At IDDO, we instead find a balance between data privacy and research utility by pseudo-anonymising data: you can find out more about our de-identification procedures by emailing info@iddo.org.
The risk of re-identifying pseudonymised data is never zero, but we try and manage data privacy risks through an interlocking framework of multiple components: data security and data governance guidelines, legally-binding agreements and independent oversight, driven by ethical principles for data reuse. This is compliant with the risk-management approach required by GDPR.
IDDO is a data processor for data provided by others. IDDO processes data as instructed by the Data Contributor/Controller, who holds the direct relationship with the original data subjects.
As the entity who collected data from patients as part of their study, it is the Data Contributor/Controller who is ultimately responsible for patient consent, ethics approvals and data subject rights for the data in their study. Nevertheless, IDDO implements a number of checks on ethics for the data it processes:
Data Controllers are asked to confirm that these rights have been respected and that they have consent from study participants when they submit data to IDDO, as part of our terms of submission. This issue is also part of our Data Use Agreement which data recipients need to sign, and is also one of the points considered by the IDDO Data Access Committee. Finally, IDDO is subject to regular review from the Oxford Tropical Research Ethics Committee, who regularly check whether data processing and secondary analyses are exempt from the ethics review that would apply to primary data collection.
The Data Contributor/Controller is the institution that was responsible for data collection, not the particular researcher, including group/scientific leads or principal investigators (PIs). We may need to consult with specific researchers (such as PIs) for specific datasets, but they do not ‘own’ the data.
No. Under IDDO’s data governance guidelines, we do not pass on raw (uncurated) data to researchers, including internal IDDO researchers wanting to use data in their studies.
Currently, IDDO does not link the clinical data it holds with other data types such as imaging or genomics in other repositories. However, we are actively exploring the security and feasibility of doing so. At the moment, when IDDO transfers data to a third party, individual records are given randomly generated IDs specific to that dataset, preventing linking with other IDDO datasets or with raw data.
The IDDO DAC is independent of IDDO, and reviews non-contributor controlled data access applications. It carries out these processes independently of IDDO, and operates under specific terms of reference (with the aim of balancing ethical and scientific considerations with facilitating data access wherever possible). Find out more about the IDDO Data Access Committee.
25 years, in accordance with European Union General Data Protection Regulation (GDPR) requirements: we follow European Union clinical trials regulations on data retention (specifically European Medicines Agency Policy 0070), as most of our data contributors fall into this category. This long period of data retention is part of good practice in data management, and reflects our commitment to manage data properly and sustainably for an extended period of time.
Yes, even if the person is from a different institution. If someone is at the same institution then they can upload data under the authority of that institution – the CDUE upload process happens as normal. If someone is uploading data on behalf of someone else at another institution (e.g. the PI) then this can happen provided that:
(a) a copy of the signed Terms of Submission from the person who is authorised to submit on behalf of the institution that is the data contributor (Data Controller) is uploaded as supporting documentation;
(b) the person uploading the data has all of the information required to hand (i.e. they are familiar with the study and all institutional contacts).
Otherwise, the CDUE process happens as normal and the appropriate box against the Terms of Submission is ticked in CDUE as agreed with the data contributor.
Data governance discussion and compliance is led by the IDDO Senior Operations and Development Manager, with support from the Data Governance Officer. We also work with legal experts as required to support continuous review of internal processes and revision of the relevant documentation for full compliance.
If you have questions about data governance, please email info@iddo.org.
IDDO aims to enable the disease research agenda to be shaped by the knowledge and priorities of those in disease-endemic regions (where participant data comes from). More than half of the data requests for our repositories come from researchers in lower and middle income countries and we provide the technical and governance infrastructure to enable research to happen as identified and prioritised by researchers in disease-endemic settings.
Data submitted as part of a study group goes through the same data journey and process as any other data, including the laborious process of data curation and harmonisation, and signing our standard Terms of Submission for data. Data deletion is therefore not standard: it would need to be discussed and agreed prior to and as one of the conditions specified when you submit your data.
However, as with any other data contributors, you retain ownership and legal rights over your own data – IDDO is a data processor rather than a data owner. As an organisation dedicated to enabling data reuse, we encourage anyone sharing data to allow data to be retained longer-term, but as the data owner, you can ask that your data is deleted once your study group aims/review are completed. See our short animation on why data reuse is important.
Note that anyone requesting and using the data in IDDO repositories is obliged to invite the data contributors to participate in their research, but contributors aren’t obligated to do this.
Data recipients also need to cite relevant digital object identifiers (DOIs) (including DOIs for specific datasets), which means that any published studies using your datasets will be identifiable.
Any additional conditions you set about sharing your data will also be passed on to data requestors.
If you have contributed data to a study Group analysis, you will have the opportunity to participate in the IPD meta-analysis, including contributing to the development of the statistical analysis plan, and writing and/or editing any resulting manuscript/s. At the start of a study group collaboration, the study group will collectively decide on the total number of authors who will be included on the publication that results from the group’s efforts.
Usually, the Data Contributor of each dataset used in the publication nominates two individuals to contribute to the study group (the inclusion of additional individuals may be justified in large, complex, multi-centre studies). Those who fulfill the International Committee of Medical Journal Editors guidelines for authorship will be listed as authors on any publication that results from the study. Depending on the nature and size of the study group, the group may decide on the most appropriate authorship model. For WWARN study groups, this would typically be named the WWARN XX IPD meta-analysis study group, with or without a named writing committee.
Contributors whose data are used in an IPD meta-analysis, but who do not participate actively in the study design, analysis or manuscript preparation, will be acknowledged as Study Group Collaborators in the publication byline, as described in the US National Library of Medicine MEDLINE® authorship fact sheet.
Yes, absolutely: you continue to own and have full legal rights to your data, and can use it as you wish, including using it in publications of your own. We do ask you to use any specific IDDO/WWARN analysis or other tools that you use in the publication.
All contributors whose data are included in the Study Group analysis have the opportunity to participate in the IPD meta-analysis. They can contribute to the development of the statistical analysis plan and participate in writing or editing resulting manuscripts.
The Study Group makes the decision on the total number of authors at the start of the collaboration. Typically, the Data Contributor of each dataset nominates two individuals to contribute to the study group. Additional individuals may be justified in large, complex, multi-centre studies.
The authorship model for publications resulting from Study Group IPD meta-analyses is typically determined by the Study Group itself. This determination is usually made at the outset of the collaboration. The Study Group will follow the guidelines set by the International Committee of Medical Journal Editors (ICMJE) for authorship eligibility and criteria. Depending on the nature and size of the study group, the group may decide on the most appropriate authorship model. For WWARN study groups, this would typically be named the WWARN XX IPD meta-analysis study group, with or without a named writing committee.
Contributors whose data are used in the IPD meta-analysis but who do not actively participate in study design, analysis, or manuscript preparation are acknowledged as Study Group Collaborators in the publication by-line, following the US National Library of Medicine MEDLINE® authorship fact sheet guidelines.