What to Share and How: Building a Reproducible “Share Package”

Define the scope up front. The default modern package for secondary analysis typically contains:

• Analysis datasets (ADaM): ADSL (subject-level), ADTTE/ADLB/ADAE/etc., with variables needed to reproduce primary and key secondary analyses; include define.xml and a human-readable analysis data guide.
• Programs and shells: analysis scripts (e.g., SAS/R) that generate the primary endpoints and pivotal TFLs; mock shells with footnote rules; program manifests listing versions, random seeds, and expected outputs.
• Provenance & environment: a runbook documenting the sequence (data load → derivations → analysis → TFLs), software versions (and packages/libraries), OS, and any required macros; checksum files for datasets and outputs.
• Redacted CSR and protocol/SAP with change histories, tying estimands to derivations and TFLs.
• Data dictionary mapping analysis variables to definitions and controlled terminologies (MedDRA/WHO-DD versions).

Traceability is non-negotiable. Every number in a pivotal table should be traceable to an analysis variable; every analysis variable should trace back to SDTM and, ultimately, to source. Include lineage maps and, for complex derivations, concise pseudo-code excerpts. The goal is a “single glide path” a reviewer can follow without vendor assistance.

Re-runability beats screenshots. Where feasible, provide executable workflows (e.g., make files or R scripts) so requesters can regenerate key outputs. Avoid “frozen outputs only” models that force manual checks. If full re-runs are considered too permissive, consider locked containers (Docker images) or virtual desktops in a secure enclave that mount the data and code without export of raw data.

Handling randomization and seeds. Store PRNG types and seeds used for imputations, bootstrap CIs, and simulations so re-runs match within tolerance. Seeds belong to the analysis environment—not to subject records—and should be documented in the manifest.

Unit, code, and QC artifacts. Share critical unit tests (e.g., denominator checks, visit window logic), QC logs from double-programming of primary endpoints, and reconciliation reports (e.g., KM median in tables equals figure median). These meta-artifacts speed independent verification and communicate discipline.

When full IPD cannot leave the building. Provide synthetic datasets statistically equivalent to the originals for methods development, plus a requester test harness that runs on the synthetic data. Upon successful code checks, allow execution against real data inside a secure enclave and return only aggregate outputs cleared by rule (e.g., no small cell sizes, no row-level downloads).

File formats and accessibility. Favor non-proprietary or widely accessible formats (CSV/Parquet for tables, PDF/RTF for CSRs, R/SAS scripts for code). Supply readme files and “getting started” notes. Provide timezone context—store local time plus UTC offset for all analysis-cut and execution timestamps—to enable cross-region reconstruction in audits by FDA/EMA/PMDA/TGA.

Protecting Participants: Anonymization, Governance, and Lawful Access

Privacy by design. Sharing must protect identities while retaining scientific utility. Create an anonymization plan that distinguishes direct identifiers (removed) from quasi-identifiers (transformed: generalization, top/bottom-coding, date shifting, category aggregation). Keep clinical meaning intact—e.g., maintain relative timing by shifting all dates per subject while preserving intervals; document the offset method.

Risk-based anonymization. Calibrate the re-identification risk using metrics such as k-anonymity, l-diversity, and t-closeness. For small rare-disease cohorts, consider stricter generalization or statistical disclosure control (noise addition, micro-aggregation) and suppress potentially unique combinations. Differential privacy can be used for specific aggregates but is rarely applied directly to complete IPD; note any utility trade-offs if you choose it.

GDPR, HIPAA, and regional overlays. In the EU/UK, treat participant-level data as personal data even after transformation if re-identification risk remains plausible; justify your residual risk and legal basis (consent, public interest, or legitimate interest with safeguards) and record in your DPIA. In the U.S., HIPAA de-identification (Safe Harbor or Expert Determination) applies when the covered entities are involved but is not the whole story for clinical trials; maintain a conservative posture and marry HIPAA with sponsor privacy policies and registry obligations. Across APAC, align with local privacy acts while reflecting expectations of PMDA/TGA; coordinate with the WHO’s public-health perspective for global sharing initiatives.

Redaction vs anonymization of documents. For CSRs and appendices, redact PHI and confidential commercial information systematically; maintain a redaction log explaining each decision. Keep a clean copy internally for inspection under confidentiality, and a redacted public copy for broader posting when policy allows.

Access channels and controls. Choose one or more models:

• Public posting (open access): appropriate for aggregate outputs (TFLs, synopses, lay summaries) and, in some programs, redacted CSRs.
• Managed access portals (e.g., independent review platforms): requesters submit a proposal, a Data Use Agreement (DUA), and analysis plan; access is granted in a secure enclave with non-downloadable IPD.
• Collaborative agreements: for complex or sensitive datasets, provide controlled remote compute with collaborative oversight, enabling co-authorship and method transfer.

Data Use Agreements that work. DUAs should cover purpose, permitted analyses, publication rules (including negative results), prohibition of re-identification attempts, sharing onward, IP considerations for code, and obligations to destroy or return derivatives. Include a citation clause for trial identifiers and a requirement to register secondary analyses when appropriate.

Decision timelines and fairness. Publish target service levels (e.g., acknowledgment within 10 business days; decision within 60) and the composition of your Data Access Committee (DAC), including conflict-of-interest policies. Provide clear appeal routes and anonymized summaries of accepted/declined requests to demonstrate equity and avoid selection bias.

Proving Transparency in Practice: Evidence, KPIs, Pitfalls, and a Ready-to-Use Checklist

Inspection-ready evidence bundle. Maintain a rapid-pull index that surfaces within minutes for regulators and external auditors:

• Transparency policy and governance charter, aligned to ICH principles and referencing agency expectations at the FDA, EMA, PMDA, TGA, and the WHO.
• Share package template with contents list, example redactions, anonymization plan, and utility assessment.
• Provenance & reproducibility: manifests (datasets, programs, seeds, software versions), lineage diagrams, and a “one-click” runbook for primary outputs.
• Privacy documentation: DPIA/HIPAA expert determination, risk metrics, redaction logs, and DUA templates.
• Access governance: DAC SOPs, decision logs with local time + UTC offsets, service-level reports, and anonymized request outcomes.
• Registry compliance: registration dates, results-posting timestamps, and links to lay summaries.

Program-level KPIs that show control.

• Timeliness: % of trials registered before first patient in; % with results posted within mandated windows.
• Reproducibility: independent rerun match rate for primary analyses using the share package (target 100% within rounding/seed tolerance).
• Privacy risk: proportion of datasets meeting target k-anonymity thresholds; number of small-cell suppressions needed per domain.
• Access equity: median days to decision; acceptance rate by requester type/region; appeals resolved within SLA.
• Disclosure breadth: % of pivotal CSRs with redacted public versions; % of studies with analysis code shared.

Common pitfalls—and durable fixes.

• Retrospective scrambling: trying to create traceability after lock. → Build provenance and re-runability into DMP/SAP; version everything; capture configuration snapshots at each data cut.
• Over-redaction that destroys scientific utility. → Pilot anonymization on a sample; measure utility loss; tune generalization to retain effect estimates and event timing patterns.
• Ambiguous DUAs leading to scope creep. → Use plain language, examples of permitted/not-permitted uses, and publication rules; require protocol IDs in any outputs.
• Closed software ecosystems blocking reproduction. → Provide open-source-friendly scripts or containerized environments; avoid licenses that prevent academic re-use.
• Inconsistent coding versions (MedDRA/WHO-DD) across datasets and documents. → Auto-inject dictionary versions into data guides and TFL footnotes; align with define.xml.
• Time zone confusion in decision and access logs. → Record local time + UTC offset everywhere; harmonize daylight saving handling.

One-page checklist (study-ready transparency plan).

• Protocol/SAP specify what will be shared (datasets, code, CSR/summary), when, and via which channel (public, managed portal, enclave).
• ADaM datasets complete with define.xml, analysis data guide, and lineage to SDTM; seeds and software versions captured.
• Executable workflow present (scripts or container) to regenerate primary TFLs; QC logs and unit tests included.
• Anonymization plan approved; risk metrics documented; redaction log prepared; DPIA/HIPAA determinations on file.
• DUA template finalized; DAC membership and SOPs published; decision SLAs and appeal path defined.
• Registry entries up to date; results and lay summaries posted within timelines.
• Access logs (with UTC offsets) and metrics dashboards active; periodic reports to governance/QA.
• Outbound references included to FDA, EMA, PMDA, TGA, ICH, and WHO.

Bottom line. Transparency is a design decision. When sponsors plan for registries, redaction/anonymization, reproducible analysis packages, and equitable access from the start—and document everything with audit-ready provenance—independent scientists can verify results, patients and investigators see value in participation, and regulators across the FDA, EMA, PMDA, TGA and the ICH community can rapidly trust what is presented, aligned with the public-health mission of the WHO.