Frequently Asked Questions

Data handling at IDDO

IDDO uses Microsoft Teams for data transfers. This system is compliant with the stringent requirements of the University of Oxford Information Security (InfoSec) guidance and the University of Oxford Research Ethics Committee (OXTREC).  

A secure research environment is a highly secure computing environment that provides remote access to health data for approved users. It is, however, costly, and difficult to access from lower-income settings.  

One of IDDO’s key guiding principles is research equity, where research is driven by researchers from the disease-endemic settings and locations where the data originates from.  

A Secure Research Environment would put IDDO’s data repositories out of reach for many users in these locations, and we therefore do not use these systems. Instead, we use a combination of established legal, ethical and regulatory mechanisms to manage data security and privacy: please see the section on data governance on our website and the data governance FAQs below for more information.      

We can handle any type of data in any editable format, in any language. Historically, this has been data from clinical trials, observational studies, and surveillance. We are happy to consider new types of data within our wider strategic aims, technical abilities and available resources: get in touch on info@iddo.org to discuss if you think you have data not currently included in IDDO’s repositories.   

All data submitted to us does need to be pseudo-anonymised to preserve patient confidentiality and to comply with data governance procedures. This means that identifiable information such as names and addresses need to be removed. See our de-identification procedures (will open as a PDF) for more information.  

IDDO standardises the data submitted to it to CDISC STDTM (link to external website) standards, which enables greater accessibility, interoperability and reusability of data. A specialist team of data curators at IDDO carry out this operation, 'translating' the wide variety of data we receive into an internationally recognized, widely used clinical data standard.  

WIthout this standardisation, researchers wishing to use the data would have to spend considerable time and resources combining data from different sources in disparate formats into a common standard. This curation is an important part of what we do to promote data reuse. 

Accessing data
Infrographic showing data access process: data deposition (data contributors upload data, agreeing to Terms of Submission, decide if they or Data Access Committee will review access requests), data in IDO inventory (data in standardised format), data access application, internal review, ddata access committee or contributors consider access applications, with questions and clarifications going back to applicant), application approved and data use agreement signed and data shared, collaboration and publication (data requestors acknowledge data contributors in analyses/publication)

 

The graphic above depicts the data journey at IDDO. We ask all researchers to register and complete a data access application form listing the datasets they wish to access for their analysis. We then complete an internal review to check variable/data availability and statistical feasibility, before passing on your application to the independent Data Access Committee or to the data contributor (depending on the workflow preferred by the data contributor).Find out more about the GDPR and guidance on international transfers on the UK Information Commissioner’s Office website 

This review usually takes about 15 working days (3 weeks), and the Data Access Committee are guided by the principle of facilitating data access wherever possible. The Committee considers studies’ ethical feasibility and scientific relevance. 

Once the data access application is approved, the data requestor enters into an agreement (the Data Use Agreement) with the University of Oxford. IDDO then transfers the dataset via a private, safe channel on Microsoft Teams.  

Find out more and make an application for the disease area you’re interested in on accessing data. 

Each IDDO researh theme includes a regularly updated data inventory. We update these inventories every month, but we do sometimes have more data available that is not currently listed on the inventories, especially for malaria. If you’re interested in particular data that is not visible in our current inventory, email us at dataacccess@iddo.org. 

IDDO does not charge a fee or any other costs to not-for-profit researchers for accessing data hosted on the IDDO repository: all of the data we host is available free of charge to any legitimate not-for-profit researcher across the world, once the data access application process has been completed.  

Full details of the conditions you must abide by when accessing data hosted by IDDO are in the IDDO Data Use Agreement: email us at dataaccess@iddo.org for this document. The IDDO Data Access Guidelines also have more on the factors considered when approving data re-use applications.  

Data controllers continue to own the data after it is curated in IDDO repositories, so data recipients must abide by any conditions that the controllers sets – we will let you know about this.  

Data recipients must also invite the data contributors to participate in their research as described in the IDDO Publication Policy (link to policy). However, contributors are not obligated to participate in invited research. – we will still share the data even if the data contributor declines to participate in your research.  

Data recipients also need to cite relevant digital object identifiers (DOIs) (including DOIs for specific datasets) and acknowledge IDDO (using our standard wording) in any publications as set in Data Use Agreement and IDDO Publication Policy. 

Data contributors may also set additional conditions about sharing the data: we will let you let you know about any additional conditions you must abide by. 

This is not an exhaustive list: please read our Data Use Agreement (available on request by emailing dataaccess@iddo.org) carefully details of your rights and obligations as the data recipient. Note that the Data Use Agreement is signed by the data requestor, the requestor's institution, and the University of Oxford (on behalf of IDDO). 

 The Data journey at IDDO has several steps (see below) to ensure proper data governance, and we would advise leaving at least two months between making a data access application and expecting to receive the data: more complicated requests may take longer, 

The IDDO data journey: data deposited, IDDO curated data, data in IDDO inventory, data access application, internal review, followed by application being assessed by either the independent data access committee or the data contributor (depending on the option chosen by the contributor). Once the application is approved and the data use agreement is signed, the data is shared, followed by collaboration and publication.

The IDDO internal and Data Access Committee review may take up to 10 working days. However, we aim to expedite approvals for research addressing an active public health emergency: following approval from the Data Access Committee chair, we will respond to such requests within three working days.  

Following approval after review, thedata requestor needs to sign the Data Use Agreement, before the data can be released: some Universities/Research organisations may impose conditions on what their researchers can sign, and we would advise discussing the data use agreement with your research organisation in advance to avoid a delay at this stage.  

Note that the Data Use Agreement also needs to be signed by the University of Oxford, as IDDO operates under their governance structure. 

When contributing data into the IDDO repository, researchers have decide whether they would like to assess requests for access to their data themselves or delegate this task to the independent IDDO Data Access Committee (data access committee (DAC) review). We pass on data access requests to one of these pathways accordingly. 

Sometimes, a proposed analysis may request both contributor- and DAC-controlled datasets, in which case we’ll initiate both pathways in parallel at the same time.  

While carrying out the IDDO internal review, we pass on relevant data access requests to the IDDO data access committee.  

The Data Access Committee is independent of IDDO: it is chaired by the World Health Organisation’s Special Programme for Research and Training in Tropical Diseases (TDR). In addition to disease  expertsthere experts on data governance and ethics.  

IDDO DAC members assess the application and consider the ethical feasibility and scientific relevance of the study. It generally takes at least two weeks for the DAC to complete its review.  

The Committee operates on the assumption of facilitating access to data wherever possible, and we will pass on any questions/requests for clarifications from the DAC back to the requestor, and relay answers back to the DAC. 

Find out more about the IDDO Data Access Committee. 

Where the data contributor chooses to assess the data access request themselves, we will pass on the access requests to them during the IDDO internal review.  

Note that the data controller is the host institution that has generated the data, not an individual researcher.  Data contributors have 10 working days to respond to an access request for their data. If they object to the request, they must provide a rationale.  

If there is no answer within the 10 working days, the Data Access Committee will then review the data access application on the data controller’s behalf, as outlined in the IDDO Terms of Submission. a. This only happens when contributors do not respond – we always contact contributors first for contributor-controlled datasets.  

Find out more on the Accessing Data and  the Data Access Committee pages. If you are interested in including your data in the IDDO data repository, email us at dataaccess@iddo.org for the IDDO Terms of Submission. 

Email us at info@iddo.org 

Contributing data

The submission of published and unpublished data to IDDO is governed by the legally-binding IDDO Terms of Submission. The IDDO Data Access Committee Data Access Guidelines also set out details of data governance at IDDO and how access to data is handled. This is designed to enable data reuse while ensuring compliance with data governance issues such as data ownership, equity and credit for data originators.  

Please email dataaccess@iddo.org if you would like a copy of these legal documents. 

Yes. IDDO complies with the European Union General Data Protection Regulation (EU GDPR),  UK General Data Protection Regulation (UK GDPR) and the  UK Data Protection Act (2018). 

The IDDO data team will curate and harmonise your data to CDISC standards. When you upload your data, you will be required to electronically sign the IDDO Terms of Submission and decide whether you want to want to make decisions on data reuse requests yourself, or to delegate this function to the independent IDDO Data Access Committee.  

Your data will be available to researchers who request your data, in accordance with the conditions you set – all data requests for your datasets will be routed to either you (if you choose the ‘contributor controlled’ option) or to the IDDO Data Access Committee (if you choose to delegate access while uploading your data). 

Note that IDDO/WWARN researchers wanting to use your data in their studies go through exactly the same process to access data as external researchers: the IDDO Data Access Committee is independent of IDDO, and any IDDO/WWARN members or study group leads wanting to use data held in IDDO’s repositories apply to use data in the usual way. The IDDO data team will not pass on your data to internal IDDO researchers for use in their studies, and these requests go through the standard data access request process. 

Please see the ‘Accessing Data’ FAQs above for more about Data Access Committee versus Contributor controlled processes, and have a look at the data journey at IDDO to find out more about what happens to your data, and the data access process.  

Delegating data reuse requests to the IDDO Data Access Committee is generally a more efficient option that encourages more open and collaborative data re-us., After five years, we contact data controllers for contributor-controlled datasets, to ask if they still want to continue with the contributor-controlled option or switch to the Data Access Committee-controlled option. We will not implement this switch without checking with you first if you choose the contributor-controlled option, and you have the option to continue with the contributor-control indefinitely. We will however check with you if you want to continue with this option every five years. 

We follow the UK Information Commissioner Office’s and European Union General Data Protection Regulations definitions. As such, the Data Controller is the institution/organisation who sponsors a trial or collects the data. It is not an individual researcher/scientific group leader/principal investigator (PI). 

Though the terms are often used interchangeably, we use GDPR guidance to define these terms:  

  • Data Controller: the institution (legal body) that sponsored the trial/study and collected the data, therefore owning the data legally and abides by the Terms of Submission;
  • Data Contributor: the person submitting data to the IDDO repository and signing on behalf of the institution they represent; 

IDDO doesn’t simply upload data that has been submitted to its repositories: instead, we process data (received in a wide variety of formats) into a standardised forms that meet CDISC STDTM standards. Without this standardisation, the data is much less usable, and this data curation is a major part of what we do at IDDO: it enables greater data accessibility, interoperability and reusability.  

Depending on the complexity and amount of data, this curation can take several months which is why your data will not be immediately available in IDDO’s inventories straight after you submit it. If you are submitting data to meet specific funder/publisher requirements, please do take this delay into account. Under IDDO’s Terms of Submission, we do not transfe raw (uncurated) data to researchers. 

Yes, absolutely: you continue to own and have full legal rights to your data, and can use it as you wish, including using it in publications of your own. We do ask you to cite any specific IDDO/WWARN analysis or other tools that you use in the publication. 

Email us at info@iddo.org with any questions. 

Data governance

The Data Controller owns the data. IDDO acts as a Data Processor under GDPR and can only process data as instructed by the Data Controller .  

Note that the Data Controller is the organisation/institution who collected the data, rather than a specific named researcher/lead scientist. 

No. While data stripped of all personal identifiers would no longer be subject to UK and European Union General Data Protection Regulations, such data would also be useless for research.  

At IDDO, we instead find a balance between data privacy and research utility by pseudonymising data: you can find out more about our de-identification procedures by emailing dataaccess@iddo.org 

The risk of re-identifying pseudonymised data is never zero, but we try and manage data privacy risks through an interlocking framework of multiple components: data security and data governance guidelines, legally-binding agreements and independent oversight, driven by ethical principles for data reuse. This is compliant with the risk-management approach required by GDPR. 

As the entity who collected data from patients as part of their study, it is the Data Contributor/Controller who is ultimately responsible for patient consent, ethics approvals and data subject rights for the data in their study. Nevertheless, IDDO implements a number of checks on ethics for the data it processes: 

 

IDDO processes

 

Data Controllers are asked to confirm that these rights have been respected and that they have consent from study participants when they submit data to IDDO, as part of our terms of submission. This issue is also part of our Data Use Agreement which data recipients need to sign, and is also one of the points considered by the IDDO Data Access Committee. Finally, IDDO is subject to regular review from the Oxford Tropical Research Ethics Committee, who regularly check if that data processing and secondary analyses are exempt from ethics review that would apply to primary data collection. 

The Data Contributor/Controller is the institution that was responsible for data collection, not the particular researcher, including group/scientific leads or principal investigators (PIs).  We may need to consult with specific researchers for specific datasets, but they do not legally ‘own’ the data. 

No. Under IDDO’s =Data Access Guidelines, we do not share or transfer raw (uncurated) data to researchers, including internal IDDO researchers. 

Currently, IDDO does not link the clinical data it holds with other data types such as imaging or genomics in other repositories. However, we are actively exploring the security and feasibility of doing so. At the moment, when IDDO transfers data to a third party, individual records are given randomly generated IDs specific to that dataset, preventing linking with other IDDO datasets or with raw data. 

The IDDO DAC is independent of IDDO and assess the ethical feasibility and scientific relevance of studies independently of IDDO. The DAC operates under specific Terms of Reference (with the aim of balancing ethical and scientific considerations with facilitating data access wherever possible). Find out more about the IDDO Data Access Committee.   

Indefinitely, but a contributor can make a formal written request should they want IDDO to remove their data from the Repository, in line with the right to erasure under GDPR. 

Yes, even if the person is from a different institution. If someone is at the same institution then they can upload data under the authority of that institution – the upload process happens as normal. If someone is uploading data on behalf of someone else at another institution (e.g. the PI) then this can happen provided that:  

(a) a copy of the signed Terms of Submission from (Data Controller) is uploaded as supporting documentation;  

(b) the person uploading the data has all of the information required to hand (I.e. they are familiar with the study and all institutional contacts). 

Data governance is led by the IDDO Senior Operations and Development Manager, with support from the Data Governance Officer. We also work with legal experts as required to support continuous review of internal processes and revision of the relevant documentation for full compliance. 

If you have questions about data governance, please email info@iddo.org. 

IDDO aims to enable the disease research agenda being shaped by the knowledge and priorities of those in disease-endemic region (where participant data comes from). More than half of the data requests for our repositories come from researchers in lower and middle income countries and we provide the technical and governance infrastructure to enable research to happen as identified and prioritised by researchers in disease-endemic settings.   

IDDO/WWARN Study group members

Data submitted as part of a study group goes through the same data journey and process as any other data, including the laborious process of data curation and harmonisation, and signing our standard Terms of Submission for data. Data deletion is therefore not standard: it would need to be discussed and agreed prior to and as one of the conditions specified when you submit your data. 

However, as with any other data contributors, you retain ownership and legal rights over your own data – IDDO is a data processor under GDPR As an organisation dedicated to enabling data reuse, we encourage anyone sharing data to allow data to retained longer-term, but as the data controller, you can ask that your data is deleted once your study group aims/review are completed. See our short animation on why data reuse is important.  

Note that anyone requesting and using the data in IDDO repositories is obliged to invite the data contributors to participate in their research, but contributors aren’t obligated to participate. 

Data recipients also need to cite relevant digital object identifiers (DOIs) (including DOIs for specific datasets), which means that any published studies using your datasets will be identifiable.  

Any additional conditions you set about sharing your data will also be passed on to data requestors. 

If you have contributed data to a study Group analysis, you will have the opportunity to participate in the IPD meta-analysis, including contributing to the development of the statistical analysis plan, and writing and/or editing any resulting manuscript/s. At the start of a study group collaboration, the study group will collectively decide on the total number of authors who will be included on the publication that results from the group’s efforts.   

Usually, the Data Contributor of each dataset used in the publication nominates two individuals to contribute to the study group (the inclusion of additional individuals may be justified in large, complex, multi-centre studies). Those who fulfill the International Committee of Medical Journal Editors guidelines for authorship will be listed as authors on any publication that results from the study. Depending on the nature and size of the study group, the group may decide on the most appropriate authorship model. For WWARN study groups, this would typically be named the WWARN XX IPD meta-analysis study group, with or without a named writing committee  

Contributors whose data are used in an IPD meta-analysis, but who do not participate actively in the study design, analysis or manuscript preparation, will be acknowledged as Study Group Collaborators in the publication byline, as described in the US National Library of Medicine MEDLINE® authorship fact sheet. 

Yes, absolutely: you continue to own and have full legal rights to your data, and can use it as you wish, including using it in publications of your own. We do ask you to cite any specific IDDO/WWARN analysis or other tools that you use in the publication. 

 

All contributors whose data are included in the Study Group analysis have the opportunity to participate in the IPD meta-analysis. They can contribute to the development of the statistical analysis plan and participate in writing or editing resulting manuscripts. 

The Study Group makes the decision on the total number of authors at the start of the collaboration. Typically, the Data Contributor of each dataset nominates two individuals to contribute to the study group. Additional individuals may be justified in large, complex, multi-centre studies. 

The authorship model for publications resulting from Study Group IPD meta-analyses is typically determined by the Study Group itself. This determination is usually made at the outset of the collaboration. The Study Group will follow the guidelines set by the International Committee of Medical Journal Editors (ICMJE) for authorship eligibility and criteria. Depending on the nature and size of the Study Group, the team may decide on the most appropriate authorship model. For WWARN Study Groups, this would typically be named as the WWARN XX IPD meta-analysis study group, with or without a named writing committee. 

Contributors whose data are used in the IPD meta-analysis but who do not actively participate in study design, analysis, or manuscript preparation are acknowledged as Study Group Collaborators in the publication by-line, following the US National Library of Medicine MEDLINE® authorship fact sheet guidelines.