Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

License handling/enforcement #600

Open
sebastian-raubach opened this issue Apr 17, 2024 · 1 comment
Open

License handling/enforcement #600

sebastian-raubach opened this issue Apr 17, 2024 · 1 comment

Comments

@sebastian-raubach
Copy link
Member

As it stands the studies and trials endpoints include information about any license that may be associated with the data.

The question then becomes, does anyone who pulls data from these studies or trials need to actively accept those license terms before they can access the data? Or is the assumption that by pulling data that has a license associated with it you implicitly accept the license terms?

As an example, Germinate requires a license to be accepted before any data that's part of the trial/study associated with the license can be accessed.

Obviously, I'm not a lawyer, so I'm not sure what the requirements are for accepting license terms before data consumption.

So I thought I'd highlight this issue and raise some open questions. I'd be interested to hear what others think and how others currently handle this situation.

  • Do license terms need to be enforced and manually accepted?
  • Should pulling the data from a trial/study with a license implicitly accept the license terms?
  • How do other systems currently handle licenses both within and outwith BrAPI?
  • When no human is involved in the data exchange, would an automated process legally be allowed to accept a license and pull the data?
  • Do we need a dedicated license entity with its own endpoints for CRUD operations and assigning licenses to trials/studies?
  • Should information about the data license be added to any observations endpoint or is it sufficient that it's included in any linked study/trial?
  • When migrating data from one system to another, is it ensured that license terms are maintained? What if the license restricts data migration for some reason?
@daveneti
Copy link

Good questions. I would say the best you can do is add the general license information to a single endpoint. E.g. serverInfo? Then it becomes a security issue.

For public data (no authentication), in the place where you publish the server URL you have a expllict disclamer that you are accessing the data under this/these license(s). One license for all the data or a license per program or trial.

For restricted data (authentication), you would have needed to have accepted a license or MTA or some legal document before hand and the programs / trials / studies you have access to from the endpoint will depend on the this agreement and be associated with your user name.

I would not recommend the approach of having different licenses for different observations in the endpoints. I would also keep the licensing at the highest level possible, e.g. all data, by program or by trial. 'By study' would only be needed if you allow studies across trials (see #594).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@daveneti @sebastian-raubach