Working practices for NBIS experts in support projects with human data
- It is the PI’s responsibility (as the representative of his/her
employer) to ensure that the personal data is handled according to
existing laws and regulations.
- The NBIS expert (as the representative of his/her employer) that
processes the data on behalf of the PI, also has a legal
responsibility to handle the data according to existing laws and
regulations.
- The PI shall instruct the NBIS expert how the data shall be handled.
This includes the procedures that the PI has established for
handling the personal data in a secure way, and the instructions
outlined in any processing agreements.
- The PI shall inform the NBIS expert about any limitations of use for
the data that might be specified in ethical approvals and/or
informed consents.
- The NBIS expert must not handle the data in any way that goes
outside of the instructions and any limitations of use.
- In the case of a data breach, accidental or otherwise, this must be
immediately reported to the PI.
- Findings outside the scope of the study (secondary findings) should
never be looked for by the NBIS expert, and should always be
reported to the PI if accidentally found.
- The default mode of operation is that large-scale sensitive personal
data should be analysed at the national computer cluster
specifically dedicated to sensitive personal data, Bianca.
- If an NBIS expert plans to analyse sensitive personal data
elsewhere, they must get the approval from the PI to process the
personal data outside Bianca. Please also consult with the NBIS data
manager (data@nbis.se). Note that working
with sensitive data outside of Bianca is highly discouraged, and
needs a documented motivation!
General processing agreements
NBIS is working on establishing general processing agreements with
other Swedish universities. A list of established
agreements is available.
The instructional content of these agreements is listed here
(translated from the Swedish text in the agreements).
- Purpose
- The purpose of the processing of personal data is to analyse
bioinformatic research questions in biomedical research projects.
Some administrative processing of personal data will also be done as
projects are initiated at NBIS.
- Categories of individuals
- The categories of registered individuals that are affected are
voluntary participants in biomedical research projects, as well as
staff related to the administration of the projects.
- Types of personal data
- The types of personal data transferred are: pseudonymised biological
and phenotypical data, or other metadata that is of relevance for the
research question.
- Furthermore, administrative contact information (e.g. name and
email address) for staff involved in the administration of the
projects.
- Sensitive personal data
- The sensitive personal data that the processing concerns can be
genetic and phenotypic information or other metadata that can be
information regarding health.
- Processing
- The processing of the personal data entails collection, recording,
organisation, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or
combination.
- Handling of the sensitive personal data is done through processing
and analysis of genomic and phenotypic data according to established
scientific methods.
- The Controller gives the Processor access to the personal data in a
compute environment with an appropriate level of security that will
be provided by the Controller himself, or via another Processor. The
data analysis is done in this compute environment. In exceptional
cases, the analysis is performed outside of the provided compute
environment if the Controller has agreed to this.
- Upon the instruction of the Controller the Processor can assist
with the deposition of the sensitive personal data to other systems
than those in which the Controller has granted the Processor access
to the personal data.