Context
  1. Purpose
    • Purpose
      Supplementing the Framework and complementing the GA4GH Security Technology Infrastructure, the purpose of this policy is to provide principled and practical guidance for processing data in a way that protects and promotes the security, integrity, and availability of data and services, and the privacy of individuals, families, and communities whose data are processed.
    • Principle
      To achieve this purpose, there is a need to:
      1. Ensure data subjects are informed, as far as is practicable, about the manner in which their data are being used and for what purposes (which may include broad purposes); data protection and security measures and risks; and their rights in relation to their data;
      2. Respect data subjects’ expectations, interests, and rights in relation to their data;
      3. Protect against the risk of unauthorized access, use, change, disclosure, or destruction of data; and
      4. Promote the availability of and access to data.
  2. Interpretation
    1. This policy is intended to be flexible enough to adapt to different contexts, cultures, and countries, as well as different technologies that can impact the privacy and security of data. This policy also should be interpreted in a manner that acknowledges different levels of risk tolerance and community cultural practices and, where appropriate, different contexts of data processing.
    2. To encourage broad application, this policy adopts the normative term “should” in most instances of the procedural guidance in section II. However, it is acknowledged that, depending on the context, certain parts of the procedural guidance may be required or, in contrast, be discretionary under law, regulation, or another instrument.
    3. This policy distinguishes privacy from security. Privacy is treated as a fundamental value and right that protects all aspects of the lives of individuals, families, and communities, and that establishes reasonable limits to processing data. Security refers to the process of protecting data from unauthorized access, use, change, disclosure, and destruction. It also includes the protection from data corruption throughout its lifecycle by considering appropriate network security, physical security, and file security. While the privacy and security aspects of this policy might be addressed to different persons and organizations with diverse responsibilities, this policy should be read as a whole and with the overarching objective of ensuring that these crucial elements work together to deliver responsible sharing and processing of data.
  3. Definitions
    1. The following definitions are intended to align with the Framework, GA4GH Security Technology Infrastructure, and other GA4GH policies. They are not intended as a substitute for definitions found in relevant laws or regulations.
      • “anonymized data” means data that are rendered anonymous in such a way that the data subject is not or is no longer identifiable.
      • “controlled access” means a data access model whereby qualified researchers apply for data access and their research plans are reviewed, often by a committee. Also known as managed or restricted access.
      • “data” means genomic and health-related data. These include data on the health status of individuals and data on non-medical determinants of health, such as health behaviors, living and working conditions, personal resources, and environmental factors. These also include data relating to the genetic characteristics of an individual which have been either inherited or acquired during prenatal development, as they result from an analysis of a biological sample from the individual concerned, in particular chromosomal, DNA, or RNA analysis, or analysis of any other element enabling equivalent information to be obtained.
      • “data breach” means a security incident that has affected the confidentiality, integrity, or availability of data, including accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data.
      • “data privacy impact assessment” means a formal process designed to help data stewards systematically analyze, identify, and minimize the data privacy risks of a project or plan.
      • “data protection officer” means an expert in data protection within an organization who ensures, in an independent manner, that an organization applies relevant laws, regulations, and guidelines protecting individuals’ data.
      • “data steward” means an entity responsible for assuring the quality, integrity, and access arrangements of data from the moment of data collection, and for managing the metadata that preserves context and associated business rules, including privacy and security attributes consistent with applicable law, institutional policy, and individual permissions.
      • “data subject” means the individual whose data have been collected, generated, held, used, or shared.
      • “data user” means individuals or organizations who are authorized by data stewards or other competent persons or organizations (e.g. research ethics committees, data access committees) to access and use data for an authorized, bona fide purpose. Data users are secondary users of data that are distinct from the primary data generating research team.
      • “Framework” means the GA4GH Framework for Responsible Sharing of Genomic and Health-Related Data.
      • “GA4GH” means the Global Alliance for Genomics and Health.
      • “identifiable data” means data that may reasonably be expected to identify an individual, alone or in combination with other data.
      • “Identity and Access Management (IAM)” means a set of business processes and supporting technologies that enable the creation, maintenance, use, and revocation of digital identity. IAM includes identity proofing, credential issuance, rights authorization, identity authentication, and privilege revocation. IAM practices make sure that the right people gain access to the right services and data at the right time, as well as making it safe, secure, and simple to change access rights, group memberships, and other key attributes as users and systems grow, change, are added, or are removed.
      • “key” means a piece of data that an encryption algorithm uses to determine exactly how to unscramble pseudonymized data.
      • “logical access” means control measures used for identification, authentication, authorization, and accountability in digital systems, programs, processes, and information.
      • “metadata” means data that provides information about other data.
      • “organizational members” means the organizations that are a member of the GA4GH.
      • “policy” means, unless otherwise specified, the GA4GH Data Privacy and Security Policy.
      • “processing” means any operation or set of operations which is performed on data or on sets of data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
      • “pseudonymized data” means data which have been processed in such a manner (e.g. by assigning one or more random codes) that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the data are not attributed to an identified or identifiable natural person. Also known as coded data.
      • “registered access” means a data access model whereby qualified researchers apply for data access to one dataset or multiple datasets at once by providing details of their identity for authentication and agreeing to terms and conditions of data use during the registration process.
      • “REWS” means the Regulatory and Ethics Work Stream of the GA4GH.
      • “security risk assessment” means an objective analysis of the effectiveness of the current security controls that protect an organization’s data.
      • “supervisory authority” means the public authority (or authorities) in a jurisdiction responsible for monitoring the application of the administrative measures, laws, and regulations adopted within their jurisdiction pursuant to privacy, data protection, and data security.
      • “vulnerable persons/populations” means individuals or groups that have a greater likelihood of being denied adequate satisfaction of some of their legitimate claims to (i) physical integrity, (ii) autonomy, (iii) freedom, (iv) social provision, (v) impartial quality of government, (vi) social bases of self-respect, or (vii) communal belonging.1
    2. Words imparting the singular number shall include the plural and vice versa.
  4. Intended Audience
    It is expected that this policy will be useful to all persons and organizations providing, storing, accessing, managing, or otherwise using data, and in particular the organizational members of the GA4GH. These persons and organizations include, but are not limited to, researchers, research institutions, research participants and patient communities, research ethics committees and data access committees, journal editors and publishers, research funding agencies, data protection supervisory authorities, hospitals, clinicians, industry, ministries of health, and public health organizations.