9.1. Disclosure Review Board (DRB)
The MCC Disclosure Review Board was established in 2013 with three primary responsibilities (Annex 7):
- To develop, review and approve guidelines and procedures (including modifications thereto) for data activities;
- To review and approve proposals related to data disclosure; and
- To notify the MCC Incident Response team in the event of an identified, specific disclosure risk (spill, breach, etc.) and follow MCC protocol for risk management.
9.2. DRB Submission and Review Process
The contractor responsible for the data activity will prepare the Data Package for DRB review, which involves a multi-step process (Annex 8):
- Set Date – Contractor and M&E Project Manager (M&E PM) agree on expected DRB review date as early as possible to confirm scheduling in line with the contract and work plan. Given the DRB review process, this should be scheduled at least 1-2 months before the contract expires.
- PM Review – Contractor should submit the full Data Package to the M&E PM. The M&E PM should review the Metadata, Data Package Worksheet, and Transparency Statement for clarity and completeness. This may require one or more rounds of revision based on the M&E PM requests for clarity and completeness.
- M&E Technical Review – The M&E PM and the M&E DRB members will conduct a technical review and provide feedback to the contractor on the proposed data de-identification process. This may require a second round of revision to the package based on feedback on documentation clarity and completeness, as well as the proposed de-identification strategy.
- Submission for DRB review – Following revisions based on the technical review, contractors should re-submit the full Data Package (including public-use and/or restricted-access data) to the M&E PM for submission to the DRB at least 2 weeks prior to the agreed DRB review date.
For a DRB review, the contractor will present an overview of the study, the proposed data de-identification approach and other necessary activities for data sharing, and respond to any questions from the DRB. A decision whether or not to share the data may be made during the meeting or may require additional follow up by the contractor. Depending on the context and risks, the DRB may determine it is not possible to de-identify a dataset sufficiently to allow for public and/or restricted-access use. All DRB decisions are documented in the DRB minutes.
If any feedback/revisions are required following DRB review, the contractor will revise and resubmit the full data package to the M&E PM with documented responses to DRB feedback to ensure timely, updated review and clearance of the full package prior to public (or other) posting.
9.3. Public-use Data Sharing
Once cleared by the DRB, any public data will be immediately posted, and available for direct download from the MCC Evaluation Catalog.
9.4. Restricted-access Data Sharing
MCC currently does not have a restricted-access data sharing mechanism. All data prepared for restricted-access use will be held by MCC until a data sharing mechanism is established. This data will then be reviewed again in accordance with an established restricted-access data sharing protocol.
9.5. No access Data
The DRB may determine that the data de-identification efforts of the contractor are insufficient to adhere to promises of confidentiality and therefore the de-identified data cannot be made accessible through either public-use or restricted-access. In such cases, the Transparency Statement will be updated to reflect the DRB decision.
“No Access” data that has already been submitted to MCC will be treated as Identifiable Data as per Section 3.3.
9.6. Identifiable Data Sharing
MCC’s data sharing practice primarily involves the sharing of public-use data. However, there are cases in which MCC may facilitate access to identifiable data, particularly if there is a critical business need for access to the data before the data can be prepared for public-use (such as an input into a Cost-Benefit Analysis Model) and the sharing of such data conforms with the applicable informed consent. Any request to share identifiable data must be submitted to the DRB using Annex 9 Identifiable Data Sharing Form. The DRB may, in its discretion, permit access to such data after reviewing the request.