
Your role: Data access committee member

According to the GA4GH DACReS Policy, a Data Access Committee is defined as: a body comprised of one or more members who are responsible for overseeing access to genomic and associated data for research subsequent to the primary purpose for which the data were collected, where requested by internal and external applicants to one or more repositories.

DACs may oversee multiple distinct datasets or repositories. They may govern access by researchers within a particular institution, as well as external requestors from other institutions, sectors, or countries. DACs may grant direct access to datasets sent digitally in secure form to data users or that are stored in secure computing environments (e.g. a data safe haven).

DACs may also grant indirect access to data (i.e. model-to-data, where data users submit algorithms to run on secure data sets that remain hidden).

1+MG Data access governance principles

Data access committee workflows

Data access committee resources

  • User portal

    • The European User Portal is being developed under the European Genomic Data Infrastructure project. The access management system within it will be designed to give users a single entry point to request access and authenticate in the user portal, and to link to an Identity and Access Management (IAM) provider.
  • Data governance for research use (version after feedback 1+MG Group)

    Policy for the data inclusion in 1+MG, the data access procedures and requirements for data use; for research use only – data governance for other data use to follow.

    This outlines the conditions for data privacy, security, and usage for the 1+MG. These conditions include limitations on data use, duty of confidentiality, retention periods, personal data breach reporting obligations, and reporting incidental findings of health relevance to individuals and family members. The text also covers intellectual property (IP) and commercialization, publication, archiving, and the return of enriched data to data holders. There are also requirements for a secure processing environment, which must be performant, flexible, sustainable, and secure for data users.

  • Minimum standards and recommendations to be considered for information sheets and for obtaining consent for secondary use of data.

    This discusses the concept of consent in the context of reusing data. It explains that obtaining consent for data reuse can be a complex process and requires clear communication about the purpose and scope of the reuse. The document highlights the importance of respecting individuals’ rights to control their personal information and making sure that they understand the potential risks and benefits of data reuse. It also notes that obtaining consent may not always be possible or practical, and in these cases, other safeguards should be in place to protect individuals’ privacy and ensure the ethical use of data.

  • Secondary use and further processing

    Analysis of the differences between secondary use and further processing as defined in the GDPR and the possibility of building the legal basis under Art. 6.1 on further processing. The link above refers to the peer-reviewed article.

    The document discusses various aspects of data processing under the GDPR, specifically in relation to further processing of personal data for research purposes. It explains that a downstream data controller who collects data for a specific and lawful purpose is performing a primary processing activity, and it does not matter if the purpose of this processing is related to the purpose for which the data were collected. The original controller who does further processing by sharing the data for the downstream controller’s purpose should consider compatibility of the collection purpose and the downstream purpose. The document also explains that further processing for research purposes can be presumed to be compatible, and it is possible to rely on the same legal basis for compatible further processing as the original data collection, but this requires justifying the chosen legal basis. It also provides an application of these concepts to data sharing in research. It categorizes different scenarios, such as direct data sharing by a research organization to a data user or data sharing by a research organization to a data permit authority, as either further processing or primary processing. It concludes that processing by data users for their intended use (such as research) is primary processing.

  • Policy for special (vulnerable) subjects and groups (provisionally adopted by 1+MG Group)

    Recommendations on how to consider the vulnerability and rights of special subjects such as children and special groups subject to vulnerability.

    The document provides guidance for researchers and research ethics committees (RECs) on ethical considerations related to collecting, using, and storing data and biological samples for research purposes. The guidance includes recommendations for obtaining informed consent from research subjects, including vulnerable populations, and for protecting the rights and welfare of individuals who are not able to consent. The document also addresses the collection and use of data and samples from deceased individuals, and provides guidance on the inclusion of data in the 1+ Million Genomes (1+MG) initiative, including considerations related to vulnerable populations and the communication of incidental findings. Overall, the document emphasizes the importance of ethical conduct in research and the need to prioritize the welfare and rights of research subjects.

Maturation of data access roles and tools

The B1MG Maturity Level Model (MLM) contains several indicators to help evaluate and advance data access procedures.