Working practices for NBIS experts in support projects with human data

It is the PI’s responsibility (as the representative of his/her employer) to ensure that the personal data is handled according to existing laws and regulations.
The NBIS expert (as the representative of his/her employer) that processes the data on behalf of the PI, also has a legal responsibility to handle the data according to existing laws and regulations.
The PI shall instruct the NBIS expert how the data shall be handled. This includes the procedures that the PI has established for handling the personal data in a secure way, and the instructions outlined in any processing agreements.
The PI shall inform the NBIS expert about any limitations of use for the data that might be specified in ethical approvals and/or informed consents.
The NBIS expert must not handle the data in any way that goes outside of the instructions and any limitations of use.
In the case of a data breach, accidental or otherwise, this must be immediatly reported to the PI.
Findings outside the scope of the study (secondary findings) should never be looked for by the NBIS expert, and should always be reported to the PI if accidentally found.
The default mode of operation is that large-scale sensitive personal data should be analysed at the national computer cluster specifically dedicated to sensitive personal data, Bianca.
If an NBIS expert plans to analyse sensitive personal data elsewhere, they must get the approval from the PI to process the personal data outside Bianca. Please also consult with the NBIS data manager (data@nbis.se). Note that working with sensitive data outside of Bianca is highly discouraged, and needs a documented motivation!

General processing agreements

NBIS is working on establishing general processing agreements with other Swedish universities. A list of established agreements is available.

The instructional content of these agreements is listed here (translated from the Swedish text in the agreements).

Purpose: The purpose of the processing of personal data is to analyse bioinformatic research questions in biomedical research projects. Some administrative processing of personal data will also be done as projects are initiatied at NBIS.
Categories of individuals: The categories of registered individuals that are affected are voluntary participants in biomedical research projects, as well as staff related to the administration of the projects.
Types of personal data: The types of personal data transferred are: pseudonymised biological, and phenotypical data, or other metadata that is of relevance for the research question.; Furthermore, administrative contact information (e.g. name and email address) for staff involved in the adminstration of the projects.
Sensitive personal data: The sensitive personal data that the processing concerns can be genetic, and phenotypic information or other metadata that can be information regarding health.
Processing: The processing of the personal data entails, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination.; Handling of the sensitive personal data is done through processing and analysis of genomic and phenotypic data according to established scientific methods.; The Controller gives the Processor access to the personal data in a compute environment with an appropriate level of security that will be provided by the Controller himself, or via another Processor. The data analysis is done in this compute environment. In exceptional cases, the analysis is performed outside of the provided compute environment if the Controller has agreed to this.; Upon the instruction of the Controller the Processor can assist with the deposition of the sensitive personal data to other systems than those in which the Controller have granted the Processor access to the personal data.