Beyond 1 Million Genomes (B1MG) D2.4 Report on data access and governance framework
- 1. UNILU
- 2. BBMRI-GR
- 3. ECRIN
- 4. BBMRI-NL
Description
Task 2.4 of Work Package (WP) 2 focuses on the development of a Data Access and Use Governance Toolkit Framework. Such a framework oversees the data linking and data management and checks the compliance with ethical and data protection requirements while it considers the responsibilities of different stakeholders. To achieve this, it is necessary to identify the critical elements for an efficient and transparent governance that allows to set up a digital infrastructure that will enable the cross-border linking of genomic and other health data for research in Europe.
The recommendations were developed specifically for use in a large-scale pan-European research infrastructure that aims to operate in a harmonised fashion where data, quality, IT infrastructure and data governance are harmonised in a way that creates a federated virtual infrastructure. Towards the user, the infrastructure is to appear homogeneous whereas the maximum possible freedom is given to the participating countries. We have targeted our recommendations towards the need of the 1+ Million Genome (1+MG) initiative where countries want to make data available based on a joint Declaration. The 1+MG initiative has a wider scope of secondary use, including also healthcare reuse and policy development. While our focus in the project is on the research use, occasionally, we have also still taken the broader scope into account.
In task 2.4, the input from all other three tasks of WP2 was used to develop a set of specifications and guidelines needed to allow efficient cross-border access and use of genomes for research in compliance with legal and ethical requirements. The following documents form part of our Data Access and Use Governance Toolkit Framework:
1. A data governance, describing a legally and ethically responsible approach for data inclusion into the infrastructure, a data access governance for research and a data use governance.
2. A guidance for transparency and consent, covering both legal and ethical requirements. This document builds on a document compiled in the task 2.2 on minimal standards and best practice guidelines for consent forms.
3. A recommendation on a practical approach to the management of the generated intellectual property (IP) rights that emanate from cross-border access and use of personalised medicine data in a pan-European genome initiative.
4. A recommendation on the IT infrastructure that establishes a data protection by design and default approach to support the data governance and to provide sufficient security for the data.
5. A recommendation for an information management to accompany the data governance.
6. As an appendix, a recommendation on a 1+MG - EHDS alignment based on the comparison between the proposed data governance of 1+MG and the draft European Health Data Space (EHDS) Regulation proposal published in May 2022.
Below the scope of the different tools are described. The full recommendations and other relevant aspects, can be found further in this document.
Data governance for research
Following the 1+MG Declaration, one of the goals of the 1+MG Initiative is to establish a European research cohort of over 1 million genomes. The Initiative will be structured as a federated network that connects genomic data resources and supporting infrastructures within Member Countries. This federated approach ensures that authority, responsibility, and resources are primarily based within the Member Countries, and that Member Countries have a certain flexibility over how to implement their national networks. To ensure the 1+MG cross-border, federated network truly functions as a “virtual” European research cohort, a clear governance framework must be established with the following aims:
1) to ensure efficiency and feasibility of cross-border access processes and therefore procedures that scale;
2) to promote clarity over general data access and re-use rights, applicable data-specific access and use conditions, and access procedures; and
3) to ensure compliance with applicable laws and ethical principles, particularly those relating to transparency and the protection of data subjects.
Data access by researchers based outside the EEA is explicitly considered in the “Scope of the 1+MG” policy. However, this special case will be addressed in a separate policy document once the “standard” data governance is agreed and can subsequently be integrated into the overall 1+MG data governance.
Transparency and consent guidance
Recommendations are made that 1+MG adopt 1) minimum requirements (MUST); 2) best practices (SHOULD); and 3) points-to-consider (non-directive). If a minimum requirement is missing, this may mean that a Data provider cannot legally or ethically make data available through 1+MG, or can only do so subject to special data and access and use conditions. Best practices may also constitute national legal requirements in some countries.
The recommendations are informed by the legal requirements of the GDPR, the interpretive guidance of the European Data Protection Board (EDPB), research ethics principles and guidelines, as well as legal data governance principles, such as those outlined in the Data Governance Act, and implemented in the 1+MG Data Governance Policy. Ethical requirements are in particular based on the International Ethical Guidelines for Health-related Research Involving Humans by CIOMS. Justifications and explanations are provided. Legal consent requirements depend on the legal basis selected under the GDPR Art. 6 and the legitimation under Art. 9. The guidance provided is applicable for all legal bases, but always points out where a consent legal basis under the GDPR may lead to additional requirements, a stricter regime with respect to information related to consent, scope of the consent, interpretation of what counts as
“freely given” as well as in consequences of withdrawal. Requirements for consent as a legal basis may also depend on national laws. National advisory bodies (e.g., ethics committees) are expected to provide additional, nationally-tailored guidance. It is the ultimate responsibility of the organisations involved in collecting data to identify and comply with all norms applicable to their activities.
This guidance is agnostic to different collection and sequencing contexts across Europe, including: population databases, genomic research projects, precision medicine clinical trials, genomic medicine initiatives, as well as clinical care (such as predictive, diagnostic or confirmatory genome sequencing). The guidance is designed for any organisation who plans to make data collected in a primary context available through a repository for research projects, where the details of these projects cannot be fully identified at the time of the data collection (or even at the time of the transfer to the repository). Some practical implementation examples are provided to facilitate application of the guidelines in specific contexts.
As 1+MG has not yet determined all aspects of its organisation structure, data governance and legal framework, some key information elements have not yet been fully defined. These elements are relevant to provide transparency and to obtain a valid informed consent. 1+MG is working to clarify these elements so that concrete wording or even a 1+MG specific part of the information sheet, where applicable, can be provided as an appendix in future versions of these guidelines.
Practical approach towards the management of the generated IP rights
This recommendation aims to establish a practical approach to the management of the generated intellectual property (IP) rights that emanate from cross-border access and use of personalised medicine data in a pan-European genome initiative. It navigates the different IP rights that arise in the context of a pan-European genome initiative, including the copyright on data, patent on inventions and trade secret protection.
The report also critically assesses the Open Innovation scheme, presenting the pros and cons of adopting such an approach.
The recommendation includes a checklist with all the information on IP rights that should be included in data transfer agreements, facilitating researchers who are involved in cross-border research projects.
It is necessary to reconcile IP rights as a means to encourage research with the public interest which is served through advancing innovation. This could be achieved through the adoption of appropriate governance and contractual access arrangements.
Data protection by design and default (DPbDD) recommendations for the IT infrastructure
DPbDD means that the compliance with these principles must be considered already when the processing is planned and not mapped afterwards (“by design”). The “by default” means that the default state of a system should be “closed” or “protected” and only those data necessary for the purpose should be processed. Disclosure should be an active step that has to be planned in compliance with the above principles.
The current document recommends a list of requirements that the 1+MG IT infrastructure should fulfil. “IT infrastructure” in the covers here all information and communication technology support of the operations of 1+MG. This goes beyond the management of data access and the provision of an analysis platform for data use and also includes information and workflow management of 1+MG.
We compiled recommendations that consider the specific situation of 1+MG and follow the journey of the data within the initiative. The recommendations also reflect the envisaged data governance, which must be supported by suitable IT tools to become feasible and efficient. The analysis of the different stages will be organised according to the data protection principles of the GDPR to allow an easier demonstration of compliance and subsequently performance of a DPIA and auditing of 1+MG infrastructure implementations.
Data protection by design and default recommendations for the information management
Data protection compliant data management includes the management of relevant information on how data can be used but also requires the information on the actors along the data life cycle with their responsibilities and contacts, information on the data use itself, information about organisational and technical safeguards, including the management of such safeguards such as for pseudonymisation and secondary pseudonymisation. Accountability means that the measures taken must be auditable, which again sets up certain requirements for the documentation around the entire life cycle of data in the 1+MG.
The considerations on information management build on the mission of 1+MG, the data governance implementing DPbDD workflows, requirements of the GDPR and practical considerations that link the various needs. The definition of relevant structured and (where applicable) machine readable information is an important input for the design of the IT infrastructure. The current version is a first draft that will further develop with e.g. the decisions on the data governance. It should also be considered to be complemented by information requirements relevant from the user’s perspective. The 1+MG Working Groups for Standards (WG3), Interoperability and Secure IT environment (WG5) and ELSI (WG2) must work closely together to define how such information management can be implemented in 1+MG.
Recommendations on a 1+MG - EHDS alignment based on the comparison between the proposed data governance of 1+MG and the draft EHDS Regulation
This document has been added as an appendix as it is not strictly part of the toolbox for the implementation and was not part of task 2.4. However, the publication of the proposal for a European Health Data Space (EHDS) as a Regulation by DG SANTE highlighted the need for additionally analysing the interactions, synergies and possibilities for integration were analysed. For this analysis, the document goes through the different elements of the 1+MG data governance and compares the different approaches. A summary of the conclusions is provided but also a detailed point by point listing of the comparison including references to the relevant articles.
Files
202305 B1MG D2.4 - Report on data access and governance framework.pdf
Files
(1.3 MB)
Name | Size | Download all |
---|---|---|
md5:140b6d6b872c3ecd82e8b45ee75af9fd
|
1.3 MB | Preview Download |