Working practices for NBIS experts in support projects with human data

General processing agreements

NBIS is working on establishing general processing agreements with other Swedish universities. A list of established agreements is available.

The instructional content of these agreements is listed here (translated from the Swedish text in the agreements).

Purpose
The purpose of the processing of personal data is to analyse bioinformatic research questions in biomedical research projects. Some administrative processing of personal data will also be done as projects are initiatied at NBIS.
Categories of individuals
The categories of registered individuals that are affected are voluntary participants in biomedical research projects, as well as staff related to the administration of the projects.
Types of personal data
The types of personal data transferred are: pseudonymised biological, and phenotypical data, or other metadata that is of relevance for the research question.

Furthermore, administrative contact information (e.g. name and email address) for staff involved in the adminstration of the projects.

Sensitive personal data
The sensitive personal data that the processing concerns can be genetic, and phenotypic information or other metadata that can be information regarding health.
Processing
The processing of the personal data entails, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination.

Handling of the sensitive personal data is done through processing and analysis of genomic and phenotypic data according to established scientific methods.

The Controller gives the Processor access to the personal data in a compute environment with an appropriate level of security that will be provided by the Controller himself, or via another Processor. The data analysis is done in this compute environment. In exceptional cases, the analysis is performed outside of the provided compute environment if the Controller has agreed to this.

Upon the instruction of the Controller the Processor can assist with the deposition of the sensitive personal data to other systems than those in which the Controller have granted the Processor access to the personal data.