Stanford provides guidance and resources for research data acquisition, sharing and management.
Guidance for Faculty on Data Agreements
Memo from Ann Arvin, Vice Provost and Dean of Research and George Triantis, Professor of Law, Dated February 5, 2015
Access to large data sets has become a key component of research at Stanford. Often, the data providers -- or recipients -- require the researcher or Stanford to sign a written or online agreement. This memo clarifies when Stanford researchers may sign these agreements themselves and when to contact a University office to review and sign the agreement.
Agreements for Incoming Data
You may sign a data agreement in your individual capacity under the following conditions, which relate to: (a) the nature of the data, and (b) the proposed terms of agreement. This applies whether the agreement is a letter, non-disclosure agreement, a license, or comes in another form -- including online “click” agreements.
However, when the data agreement does include any of the conditions above, or you have questions, contact the appropriate contracting office above. They will ask for information about the research, such as a project description, your funding, and University compliance (as applicable). They will consult with the Office of General Counsel, the Office of Risk Management, the Privacy Office, the Information Security Office and the Export Control Office, as appropriate.
Agreements for Outgoing Data
For agreements where you send out data sets, please contact the appropriate contracting office from the list above when the agreement involves one of the above bulleted issues, or:
If you receive or send data without any agreement, the usual academic conventions such as authorship of publications and not sharing others’ unpublished data without permission would apply.
The Stanford Research Computing Center can assist with data security requirements.
If you wish to license out data created in the course of your Stanford work for commercial purposes, contact the OTL (Office of Technology Licensing).
Stanford Data Science Resource Web Portal
The Stanford Data Science Resources can help you access the tools, datasets, data platforms and methodologies for conducting innovative clinical and translational research.
The School of Medicine offers a limited initial consultation (underwritten by the Dean’s Office and Spectrum) to help you identify the resources you need. These consults may lead to longer-term engagements and partnerships with one or more of the consulting groups from across the School of Medicine. Through these consulting groups, you can access datasets, a variety of platforms and tools and research services, including expert advice on databases and management, study design and implementation, biostatistics, informatics, technology integration, and much more.
The FAIR Guiding Principles drive the University’s scientific data management.
Genomic Data Sharing
NIH Genomic Data Sharing Policy effective January 25, 2015. Memorandum effective January 25, 2015 from Ann M. Arvin, M.D, Vice Provost and Dean of Research, and Harry B. Greenberg, M.D., Senior Associate Dean for Research, SoM
RCO Guidance: "NIH Genomic Data Sharing for NIH Grant Submission" which links to:
- Institutional Certification Genetic/Genomic Data Sharing NOT-G1 rev1 11/14 issued by Stanford University Research Compliance Office
- Sample Genomic Data Sharing Plan template
- FAQs (see Genomic data sharing)
Standard Forms related to Institutional Certification Genetic/Genomic Data Sharing can be found on the RMG website.
The Stanford Digital Repository
The Stanford Digital Repository supports management of scholarly information resources of enduring value to Stanford University. Faculty, students, and researchers use SDR services to promote and protect the products of their work. Scholars around the world use content in the SDR in their research. The benefits of this service distinguish the SDR from other content storage or management options on campus: deposited content is preserved in a robust, reliable, and secure environment for access by scholars today and for generations to come.
Data Management Services
Stanford University Libraries offers tools and services to help researchers comply with funding agency provisions on data management and to improve the visibility of their research.
The University Libraries offer Data Management Services to assist Stanford's researchers with the organization, management, and curation of research data, including:
- Understanding and creating data management plans
- Organizing and backing up your research data
- Acquiring and analyzing data
- Assigning metadata to enable future discovery
- Preserving your data for long-term access
The DMP Tool (Data Management Planning Tool) provides templates, Stanford-specific guidance, and suggested answer text for creating a data management plan for your next grant submission. The Stanford Digital Repository provides long-term preservation of your important research data in a secure, sustainable stewardship environment, combined with a persistent URL (PURL) that allows for easy data discovery, access, sharing, and reuse.
The Data Management Plan Tool
Stanford University Libraries offers guidance for data management plan (DMP); a written document that describes the data you expect to acquire or generate during the course of a research project, how you will manage, describe, analyze, and store those data, and what mechanisms you will use at the end of your project to share and preserve your data.
The European Union General Data Protection Regulation (GDPR)
The European Union General Data Protection Regulation, or GDPR, is a new and substantial data privacy law that is relevant to 33 countries in the EU and European Economic Area.
GDPR applies to individuals and organizations handling personal data within the EU, transferring data into and out of the EU, and processing of EU data anywhere. It is effective as of May 25th, 2018.
FAQs on GDPR
How does it affect Stanford?
Stanford as an educator, employer and research institution collects and processes personal data from around the world on a regular basis. When we are collecting and processing data from people located in the EU – regardless of citizenship or residency – during the course of offering goods or services, marketing, or by one of our sites established in the EU, we fall within GDPR and must meet the regulatory requirements.
What kind of information is protected under GDPR?
The GDPR protects personal data of people located in the EU. Personal data includes some obvious types of information like name, address, health information and IP address. But it also includes information related to race or ethnicity, religion or philosophical beliefs, and sexual orientation. This is because, in the EU, protection of personal data is considered a fundamental right of the individual.
Can you give a specific example of how the GDPR might affect a particular function at Stanford?
A good example is the Bing Overseas Study Program (BOSP), which has five sites in the EU. Those sites have staff, contractors, faculty and, of course, students all in the EU. Even if personal data was never transferred outside of the EU by BOSP, the sites are still established in the EU, making them subject to GDPR.
Another example is a research study where there will be data subjects from the EU. We must ensure that our informed consent form meets EU regulatory requirements, as well as U.S. requirements like the Common Rule, otherwise known as the Federal Policy for the Protection of Human Subjects.
How has the university responded to the upcoming changes?
In August 2017, the University Privacy Office convened a multi-disciplinary task force to begin reviewing and assessing GDPR and its impact on the university. Through the GDPR Task Force and its seven working groups, we have:
- Engaged in data mapping
- Conducted a gap assessment
- Prioritized our compliance efforts
- Developed new privacy notices and policies
- Amended consent language in admissions, financial aid, human resources and research
- Updated contractual language
- Developed a training video for the university
This is an ongoing effort for us, as this is a new law and everyone – including the European regulators – is still learning how to achieve compliance.
What are the consequences for entities that fail to comply?
- Fines of up to €20,000,000 (about $23.4 million) or 4 percent of total worldwide yearly revenues, whichever is higher
- Inability to transfer data from the EU
- Inability to collaborate with entities that comply with GDPR
- Private claims from data subjects
- Heightened scrutiny from data protection authorities
These consequences could have a substantial effect on the university in terms of reputation and achieving our core mission.
Where can I find Stanford's training on GDPR?
You can find the GDPR training here.
How do I notify the University that my research entails data subject to GDPR?
For sponsored projects, at the time of proposal development and submission via the SeRA system, your PDRF or PIF (for SoM) will include project questions related to the GDPR requirements.
At the time of award, your institutional official will negotiate additional terms and conditions that may be required in order to comply with GDPR regulations.
For all research projects that include human subjects data collection and processing of the nature described in the GDPR training, language for the consent will be provided to you during your IRB review. This language will inform participants about their study data regulated under GDPR.