Working practices in NBIS support projects with human data
NBIS experts frequently engage in projects handling omics (and other) data derived from humans. Such data are typically legally considered sensitive personal data, and there are specific laws and regulations for how such data should be handled. Below is some information as well as practical guidelines on how NBIS experts should work with sensitive personal data, and what is expected from the project Principal Investigator (PI).
The reasoning behind these guidelines and references to relevant sections of the legislation are described in more detail on the human data legal reference page.
The PI, as well as everyone with access to sensitive personal data, are responsible for following current laws and regulations, and NBIS will not assume legal responsibility for advice provided in these guidelines.
What is sensitive personal data?
- Any data that directly or indirectly can be associated with a living person is considered personal data.
- Some personal data are regarded as sensitive, e.g. data related to health. This explicitly includes all genetic data (both RNA and DNA, and both somatic and germline information), and is likely to also apply to many other omics data.
- Personal data should always be pseudonymised, but the data will still remain sensitive in legal terms.
- Aggregated data (like population frequencies) might not be considered sensitive anymore, but a decision has to be taken on a case-to-case basis.
Who is responsible for the data?
- The person who decides how and why the personal data should be processed is responsible for ensuring that the processing is done according to the law. That person is called the Controller (of personal data). The Controller is typically the university employer of the PI, and the PI should act as a representative of her university employer and is responsible for ensuring that personal data is handled correctly in her projects.
Ethical permits and Informed consents
- Before the start of a support project, the PI must share the ethical permit(s) and informed consent text(s) for the study with the NBIS expert. The PI is also responsible for clearly explaining to the NBIS expert the conditions for what can and cannot be done to the data according to the above documents.
- Note that the ethical permits and the consent forms must cover all the datasets made readable to the NBIS expert (e.g. all the datasets stored in a granted Bianca project, see below).
- Tip! Ask the PI to add the ethical permit(s) and informed consent texts to the project catalog on Bianca, preferably also with a short summary of the limitations/boundaries of use of the data. The NBIS data manager (firstname.lastname@example.org) can help the PI write this summary.
How do NBIS experts access and analyse sensitive personal data?
- Large-scale sensitive personal data can be analysed at the national computer cluster specifically dedicated to sensitive personal data, Bianca. If an NBIS expert plans to analyse sensitive personal data elsewhere, we suggest that they first consult with the NBIS data manager (email@example.com), as well as inform and get approval from the PI on how they plan to process the personal data outside Bianca. Note that working with sensitive data outside of Bianca is highly discouraged, and needs a strong documented motivation!
- The PI of the study formally grants access to the data by adding the NBIS expert to the relevant Bianca project in Supr (https://supr.snic.se/).
- Findings outside the scope of the study (secondary findings) should never be looked for by the NBIS expert, and should always be reported to the PI if accidentally found. It is advisable that the PI has a strategy regarding if and how such information should be acted on vis-a-vis the research subjects.
NOTE! Not all researchers can yet immediately use Bianca, due to lack of central contracts (“personuppgiftsbiträdesavtal”) between the Swedish universities. Central contracts are being worked on and will hopefully be signed during the spring 2018. In urgent cases, contact UPPMAX/SNIC to set up a contract for your particular study (firstname.lastname@example.org).
How do I publish sensitive personal data?
- Currently there is no central publishing or long-term storage service available for sensitive personal data from Sweden. For now, our advice is to properly organise and store datasets used in a publication, so that they can be properly shared on request in compliance with the requirements of the scientific journal. A persistent doi (Digital Object Identifier) can be set to any stored dataset, pointing to the PI of the study. The doi can later be re-pointed once the dataset is uploaded to a global repository (see below). The NBIS data manager can help with this (email@example.com).
- NBIS is building a local federated version of the European Genome-phenome Archive (EGA) in Sweden (EGA-SE), allowing for the publication of sensitive personal data within a legal framework. EGA-SE aims to start admitting datasets during the first half of 2019. Note that EGA and EGA-SE provide publishing with restricted access to data, with a robust process to ensure that data are only released to other researchers after approval by the data owner.
Information about the GDPR
If you have further questions regarding sensitive personal data, you are welcome to contact the NBIS data manager (firstname.lastname@example.org).