/Docs/G/GA4GH/Data-Privacy-and-Security/Form/0.md
(Sec = (Ti = Global Alliance for Genomics and Health: Data Privacy and Security Policy)

(sec = (Preamble.Sec = (Preamble.Ti = Preamble)

(Preamble.sec = (Preamble.0.sec = )
(Preamble.xlist =
  • (Preamble.secs = (Preamble.1.sec = This document is the Global Alliance for Genomics and Health’s ((_GA4GH = GA4GH)
    ’s) Data Privacy and Security Policy. It applies to (_data = data)
    sharing in the context of both clinical practice and health research involving humans. This (_policy = policy)
    builds on the mission of the (_GA4GH = GA4GH)
    and provides greater detail to the GA4GH Framework for Responsible Sharing of Genomic and Health-Related Data (the “(_Framework = Framework)
    ”).)

  • (Preamble.2.sec = Compliance with this (_policy = policy)
    facilitates the (_processing = processing)
    of (_data = data)
    in a way that promotes and protects privacy and security in a proportionate manner. It also facilitates compliance with the obligations and norms set by international and national laws (including tribal, indigenous, and aboriginal laws), regulations, policies, and interoperable standards. Guidance covering specific aspects such as withdrawal of consent for (_processing = processing)
    (_data = data)
    , benefit sharing, and return of individual results are outside the scope of this (_policy = policy)
    .)

    )
)

(Preamble.00.sec = )
)

)

  1. (Context.Sec = (Context.Ti = Context)

    (Context.sec =
    1. (Context.Purpose.Sec = (Context.Purpose.Ti = Purpose)

      (Context.Purpose.sec =
      • (Context.Purpose.Base.Sec = (Context.Purpose.Base.Ti = Purpose)

        (Context.Purpose.Base.sec = Supplementing the (_Framework = Framework)
        and complementing the GA4GH Security Technology Infrastructure, the purpose of this (_policy = policy)
        is to provide principled and practical guidance for (_processing = processing)
        (_data = data)
        in a way that protects and promotes the security, integrity, and availability of (_data = data)
        and services, and the privacy of individuals, families, and communities whose (_data = data)
        are processed.)

        )

      • (Context.Purpose.Principle.Sec = (Context.Purpose.Principle.Ti = Principle)

        (Context.Purpose.Principle.sec = (Context.Purpose.Principle.0.sec = To achieve this purpose, there is a need to:)
        (Context.Purpose.Principle.xlist =
        1. (Context.Purpose.Principle.secs = (Context.Purpose.Principle.1.sec = Ensure (_data_subject = data subject)
          s are informed, as far as is practicable, about the manner in which their (_data = data)
          are being used and for what purposes (which may include broad purposes); (_data = data)
          protection and security measures and risks; and their rights in relation to their (_data = data)
          ;)

        2. (Context.Purpose.Principle.2.sec = Respect (_data_subject = data subject)
          s’ expectations, interests, and rights in relation to their (_data = data)
          ;)

        3. (Context.Purpose.Principle.3.sec = Protect against the risk of unauthorized access, use, change, disclosure, or destruction of (_data = data)
          ; and)

        4. (Context.Purpose.Principle.4.sec = Promote the availability of and access to (_data = data)
          .)

          )
        )

        (Context.Purpose.Principle.00.sec = )
        )

        )

      )

      )

    2. (Context.Interprete.Sec = (Context.Interprete.Ti = Interpretation)

      (Context.Interprete.sec = (Context.Interprete.0.sec = )
      (Context.Interprete.xlist = (Context.Interprete.Olist =
      1. (Context.Interprete.Secs = (Context.Interprete.secs = (Context.Interprete.1.sec = This (_policy = policy)
        is intended to be flexible enough to adapt to different contexts, cultures, and countries, as well as different technologies that can impact the privacy and security of (_data = data)
        . This (_policy = policy)
        also should be interpreted in a manner that acknowledges different levels of risk tolerance and community cultural practices and, where appropriate, different contexts of (_data = data)
        (_processing = processing)
        .)

      2. (Context.Interprete.2.sec = To encourage broad application, this (_policy = policy)
        adopts the normative term “should” in most instances of the procedural guidance in section II. However, it is acknowledged that depending on the context, certain parts of the procedural guidance may be required or in contrast, be discretionary under law, regulation, or another instrument.)

      3. (Context.Interprete.3.sec = This (_policy = policy)
        distinguishes privacy from security. Privacy is treated as a fundamental value and right that protects all aspects of the lives of individuals, families, and communities, and that establishes reasonable limits to (_processing = processing)
        (_data = data)
        . Security refers to the process of protecting (_data = data)
        from unauthorized access, use, change, disclosure, and destruction. It also includes the protection from data corruption throughout its lifecycle by considering appropriate network security, physical security, and file security. While the privacy and security aspects of this (_policy = policy)
        might be addressed to different persons and organizations with diverse responsibilities, this (_policy = policy)
        should be read as a whole and with the overarching objective of ensuring that these crucial elements work together to deliver responsible sharing and (_processing = processing)
        of (_data = data)
        .)

        )
        )
      )

      )

      (Context.Interprete.00.sec = )
      )

      )

    3. (Context.Def-Plural.Sec = (Context.Def-Plural.Ti = Definitions)

      (Context.Def-Plural.sec = (Context.Def-Plural.0.sec = )
      (Context.Def-Plural.xlist = (Context.Def-Plural.Olist =
      1. (Context.Def-Plural.Secs = (Context.Def-Plural.secs = (Context.Def-Plural.1.sec = (Def.sec = (Def.Intro.sec = The following definitions are intended to align with the (_Framework = Framework)
        , GA4GH Security Technology Infrastructure, and other GA4GH policies. They are not intended as a substitute for definitions found in relevant laws or regulations.)

        • (Def.anonymized_data.sec = “(_anonymized_data = anonymized data)
          ” means (_data = data)
          that are rendered anonymous in such a way that the (_data_subject = data subject)
          is not or is no longer identifiable.)

        • (Def.controlled_access.sec = “(_controlled_access = controlled access)
          ” means a (_data = data)
          access model whereby qualified researchers apply for (_data = data)
          access and their research plans are reviewed, often by a committee. Also known as managed or restricted access.)

        • (Def.data.sec = “(_data = data)
          ” means genomic and health-related data. These include data on the health status of individuals and data on non-medical determinants of health, such as health behaviors, living and working conditions, personal resources, and environmental factors. These also include data relating to the genetic characteristics of an individual which have been either inherited or acquired during prenatal development, as they result from an analysis of a biological sample from the individual concerned, in particular chromosomal, DNA, or RNA analysis, or analysis of any other element enabling equivalent information to be obtained.)

        • (Def.data_breach.sec = “(_data_breach = data breach)
          ” means a security incident that has affected the confidentiality, integrity, or availability of (_data = data)
          , including accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, (_data = data)
          .)

        • (Def.data_privacy_impact_assessment.sec = “(_data_privacy_impact_assessment = data privacy impact assessment)
          ” means a formal process designed to help (_data_steward = data steward)
          s systematically analyze, identify, and minimize the (_data = data)
          privacy risks of a project or plan.)

        • (Def.data_protection_officer.sec = “(_data_protection_officer = data protection officer)
          ” means an expert in (_data = data)
          protection within an organization who ensures, in an independent manner, that an organization applies relevant laws, regulations, and guidelines protecting individuals’ (_data = data)
          .)

        • (Def.data_steward.sec = “(_data_steward = data steward)
          ” means an entity responsible for assuring the quality, integrity, and access arrangements of (_data = data)
          from the moment of (_data = data)
          collection, and for managing the (_metadata = metadata)
          that preserves context and associated business rules, including privacy and security attributes consistent with applicable law, institutional policy, and individual permissions.)

        • (Def.data_subject.sec = “(_data_subject = data subject)
          ” means the individual whose (_data = data)
          have been collected, generated, held, used, or shared.)

        • (Def.data_user.sec = “(_data_user = data user)
          ” means individuals or organizations who are authorized by (_data_steward = data steward)
          s or other competent persons or organizations (e.g. research ethics committees, (_data = data)
          access committees) to access and use (_data = data)
          for an authorized, bona fide purpose. (_Data_user = Data user)
          s are secondary users of (_data = data)
          that are distinct from the primary (_data = data)
          generating research team.)

        • (Def.Framework.sec = “(_Framework = Framework)
          ” means the GA4GH Framework for Responsible Sharing of Genomic and Health-Related Data.)

        • (Def.GA4GH.sec = “(_GA4GH = GA4GH)
          ” means the Global Alliance for Genomics and Health.)

        • (Def.identifiable_data.sec = “(_identifiable_data = identifiable data)
          ” means (_data = data)
          that may reasonably be expected to identify an individual, alone or in combination with other (_data = data)
          .)

        • (Def.IAM.sec = “Identity and Access Management ((_IAM = IAM)
          )” means a set of business processes and supporting technologies that enable the creation, maintenance, use, and revocation of digital identity. (_IAM = IAM)
          includes identity proofing, credential issuance, rights authorization, identity authentication, and privilege revocation. (_IAM = IAM)
          practices make sure that the right people gain access to the right services and (_data = data)
          at the right time, as well as making it safe, secure, and simple to change access rights, group memberships, and other key attributes as users and systems grow, change, are added, or are removed.)

        • (Def.key.sec = “key” means a piece of (_data = data)
          that a cryptographic algorithm uses to determine exactly how to encrypt or decrypt (_data = data)
          ; where (_pseudonymized_data = pseudonymized data)
          are protected by encryption, the key is part of the additional information that must be kept separately from the data.)

        • (Def.logical_access.sec = “(_logical_access = logical access)
          ” means control measures used for identification, authentication, authorization, and accountability in digital systems, programs, processes, and information.)

        • (Def.metadata.sec = “(_metadata = metadata)
          ” means (_data = data)
          that provides information about other (_data = data)
          .)

        • (Def.organizational_member.sec = “(_organizational_member = organizational member)
          s” means the organizations that are a member of the (_GA4GH = GA4GH)
          .)

        • (Def.policy.sec = “(_policy = policy)
          ” means, unless otherwise specified, the GA4GH Data Privacy and Security Policy.)

        • (Def.processing.sec = “(_processing = processing)
          ” means any operation or set of operations which is performed on (_data = data)
          or on sets of (_data = data)
          , such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.)

        • (Def.pseudonymized_data.sec = “(_pseudonymized_data = pseudonymized data)
          ” means (_data = data)
          which have been processed in such a manner (e.g. by assigning one or more random codes) that the (_data = data)
          can no longer be attributed to a specific (_data_subject = data subject)
          without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the (_data = data)
          are not attributed to an identified or identifiable natural person. Also known as coded (_data = data)
          .)

        • (Def.registered_access.sec = “(_registered_access = registered access)
          ” means a (_data = data)
          access model whereby qualified researchers apply for (_data = data)
          access to one dataset or multiple datasets at once by providing details of their identity for authentication and agreeing to terms and conditions of (_data = data)
          use during the registration process.)

        • (Def.REWS.sec = “(_REWS = REWS)
          ” means the Regulatory and Ethics Work Stream of the (_GA4GH = GA4GH)
          .)

        • (Def.security_risk_assessment.sec = “security risk assessment” means an objective analysis of the effectiveness of the current security controls that protect an organization’s (_data = data)
          .)

        • (Def.supervisory_authority.sec = “(_supervisory_authority = supervisory authority)
          ” means the public authority (or authorities) in a jurisdiction responsible for monitoring the application of the administrative measures, laws, and regulations adopted within their jurisdiction pursuant to privacy, (_data = data)
          protection, and (_data = data)
          security.)

        • (Def.vulnerable_population.sec = “(_vulnerable_person = vulnerable person)
          s/populations” means individuals or groups that have a greater likelihood of being denied adequate satisfaction of some of their legitimate claims to (i) physical integrity, (ii) autonomy, (iii) freedom, (iv) social provision, (v) impartial quality of government, (vi) social bases of self-respect, or (vii) communal belonging.(FtNt.1.Xnum = 1)
          )

        )

        )

      2. (Context.Def-Plural.2.sec = Words importing the singular number shall include the plural and vice versa.)
        )
        )
      )

      )

      (Context.Def-Plural.00.sec = )
      )

      )

    4. (Context.Audience.Sec = (Context.Audience.Ti = Intended Audience)

      (Context.Audience.sec = It is expected that this (_policy = policy)
      will be useful to all persons and organizations providing, storing, accessing, managing, or otherwise using (_data = data)
      , and in particular the (_organizational_member = organizational member)
      s of the (_GA4GH = GA4GH)
      . These persons and organizations include, but are not limited to, researchers, research institutions, research participants and patient communities, research ethics committees and (_data = data)
      access committees, journal editors and publishers, research funding agencies, (_data = data)
      protection supervisory authorities, hospitals, clinicians, industry, ministries of health, and public health organizations.)

      )

    )

    )

  2. (Guide.Sec = (Guide.Ti = Data Privacy and Security Procedural Guidance)

    (Guide.sec =
    1. (Guide.Privacy.Sec = (Guide.Privacy.Ti = Data privacy)

      (Guide.Privacy.sec = (Guide.Privacy.Intro.sec = Privacy is a fundamental value and right of human societies. It extends to all aspects of the lives of individuals: the social, cultural, religious, political, physical, and the informational. Its protection also promotes other core human values and human rights. However, privacy is not an absolute right. Privacy protection involves the delicate balance of considerations at individual, familial, and societal levels. The following guidance assists in determining such balances relative to the protection of the core interest at stake and the Foundational Principles at the core of the (_Framework = Framework)
      .)

      1. (Guide.Privacy.Lawful.Sec = (Guide.Privacy.Lawful.Ti = Lawfulness of data processing)

        (Guide.Privacy.Lawful.sec = All (_data = data)
        should be processed in accordance with all applicable laws, regulations, norms, and guidelines, and should only be disclosed where consent has been provided or where there is a legal basis, legitimate interest, or other appropriate need for that disclosure or use.)

        )

      2. (Guide.Privacy.Risk.Sec = (Guide.Privacy.Risk.Ti = Data privacy risks and safeguards)

        (Guide.Privacy.Risk.sec =
        • (Guide.Privacy.Risk.Disclosure.sec = Assessments of (_data = data)
          privacy risks should include disclosure risks, and any harms reasonably likely to occur in the event of disclosure. These disclosures may result in individual or group discrimination, stigmatization, profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights. The reputational risks for persons or organizations of allowing particular uses of (_data = data)
          should also be considered.)

        • (Guide.Privacy.Risk.Safeguard.sec = Data privacy safeguards should be proportionate to the sensitivity, nature, and possible benefits, risks, and uses of the (_data = data)
          . Such safeguards may include (_controlled_access = controlled access)
          , pseudonymization, and anonymization of (_data = data)
          , and quantitative techniques such as differential privacy, k-anonymity, ℓ-diversity, and t-closeness.)

        • (Guide.Privacy.Risk.Contract.sec = Data processing agreements (also known as data transfer, data use, and data sharing agreements) between persons and/or organizations are an important privacy safeguard.)
        • (Guide.Privacy.Risk.CompelledDisclosure.sec = Consideration should be given to adopting mechanisms that address compelled disclosure requests by state authorities of (_identifiable_data = identifiable data)
          and that prevent unauthorized access by third parties.)

        )

        )
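The quantitative safeguards named above can be checked before a release rather than asserted. The following Python is an added example written for this page, not GA4GH code: it computes k-anonymity and ℓ-diversity over a constructed set of phenotype records with three quasi-identifiers, and generalizes the quasi-identifiers step by step until chosen thresholds hold. The record layout, the generalization hierarchy, and the thresholds are assumptions for illustration. One caveat a practitioner should keep in mind: these measures protect the accompanying clinical and demographic attributes, not the genotype itself, which is identifying on its own and must be handled through access controls, pseudonymization, or aggregation rather than generalization.

```python
from collections import defaultdict

# Constructed sample release (not real subjects): quasi-identifiers plus one
# sensitive attribute. Raw rows are all unique, so k = 1 before generalization.
RECORDS = [
    {"zip": "02138", "birth_year": 1971, "sex": "F", "diagnosis": "BRCA1 variant"},
    {"zip": "02139", "birth_year": 1975, "sex": "F", "diagnosis": "no finding"},
    {"zip": "02141", "birth_year": 1978, "sex": "F", "diagnosis": "Lynch syndrome"},
    {"zip": "02142", "birth_year": 1974, "sex": "F", "diagnosis": "no finding"},
    {"zip": "10001", "birth_year": 1982, "sex": "M", "diagnosis": "no finding"},
    {"zip": "10002", "birth_year": 1988, "sex": "M", "diagnosis": "BRCA2 variant"},
    {"zip": "10003", "birth_year": 1985, "sex": "M", "diagnosis": "no finding"},
    {"zip": "10004", "birth_year": 1981, "sex": "M", "diagnosis": "Lynch syndrome"},
]
QI = ("zip", "birth_year", "sex")   # quasi-identifiers assumed for the example
SENSITIVE = "diagnosis"


def equivalence_classes(records, qi=QI):
    """Group records that share identical quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[col] for col in qi)].append(r)
    return classes


def k_anonymity(records, qi=QI):
    """k is the size of the smallest equivalence class; k == 1 means a unique row."""
    return min(len(c) for c in equivalence_classes(records, qi).values())


def l_diversity(records, qi=QI, sensitive=SENSITIVE):
    """l is the fewest distinct sensitive values found in any equivalence class.
    A class with l == 1 leaks the sensitive value even when k is large."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records, qi).values())


def generalize(record, level):
    """Assumed generalization hierarchy, applied to the original record:
    level 0: raw; level 1: 3-digit ZIP prefix and birth decade;
    level 2: 1-digit ZIP prefix and birth year suppressed."""
    g = dict(record)
    if level >= 1:
        g["zip"] = record["zip"][:3] + "**"
        g["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    if level >= 2:
        g["zip"] = record["zip"][:1] + "****"
        g["birth_year"] = "*"
    return g


def release(records, k_min, l_min, qi=QI, sensitive=SENSITIVE, max_level=2):
    """Return the least-generalized view that meets both thresholds, or raise
    so that an unsafe release is never produced silently."""
    for level in range(max_level + 1):
        candidate = [generalize(r, level) for r in records]
        if (k_anonymity(candidate, qi) >= k_min
                and l_diversity(candidate, qi, sensitive) >= l_min):
            return candidate
    raise ValueError("thresholds not reachable with this generalization hierarchy")


if __name__ == "__main__":
    print("raw: k =", k_anonymity(RECORDS), "l =", l_diversity(RECORDS))
    safe = release(RECORDS, k_min=2, l_min=2)
    print("released: k =", k_anonymity(safe), "l =", l_diversity(safe))
```

The `release` function refuses to return anything when the hierarchy cannot reach the thresholds, which is the behaviour you want in a pipeline: a failed privacy check should block the export, not downgrade it to a warning.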

      3. (Guide.Privacy.Consent.Sec = (Guide.Privacy.Consent.Ti = Consent and other lawful bases)

        (Guide.Privacy.Consent.sec =
        • (Guide.Privacy.Consent.Base.sec = (_Data = Data)
          should be used strictly in accordance with the (_data_subject = data subject)
          ’s (or their legal representative’s) consent for (_processing = processing)
          , and/or the terms and conditions of authorization for lawful (_processing = processing)
          by competent bodies or institutions (e.g. terms and conditions set by research ethics committees, waivers of consent), and in compliance with international and national laws (including tribal, indigenous, and aboriginal laws), regulations, general ethical principles, and best practice standards that respect conditions on downstream uses of the (_data = data)
          .)

        )

        )

      4. (Guide.Privacy.Re-Identification.Sec = (Guide.Privacy.Re-Identification.Ti = Re-identification)

        (Guide.Privacy.Re-Identification.sec = (Guide.Privacy.Re-Identification.0.sec = )
        (Guide.Privacy.Re-Identification.xlist =
        • (Guide.Privacy.Re-Identification.secs = (Guide.Privacy.Re-Identification.1.sec = Any attempt to re-identify individuals or to generate information (e.g. facial images or comparable representations) that could allow the identities of research participants to be readily ascertained, should be strictly prohibited (and subject to sanction) unless expressly authorized by law.)
        • (Guide.Privacy.Re-Identification.2.sec = Reasonable steps should be taken to prevent the identity of (_data_subject = data subject)
          s being leaked or determined through indirect means such as (_metadata = metadata)
          , URLs, and message headers.)

          )
        )

        (Guide.Privacy.Re-Identification.00.sec = )
        )

        )
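The definition of pseudonymized data above turns on the "additional information" being kept separately, and the re-identification guidance turns on that information not leaking by indirect means. The following Python is an added example written for this page, not GA4GH code; the medical record numbers and the candidate identifier space are constructed. It contrasts three ways of producing a code for a subject: an unkeyed hash, which an adversary who can enumerate the identifier space reverses by recomputing it; a keyed HMAC, where the steward-held key is the separately kept information; and a random linkage table, where the code carries no information at all and the table is the secret. The dictionary attack shows why the first form does not meet the definition.

```python
import hashlib
import hmac
import secrets

# Constructed medical record numbers for the example; not real identifiers.
SUBJECTS = ["MRN-00012345", "MRN-00012346", "MRN-00012347"]
# An adversary's guess at the identifier space. Structured identifiers such
# as MRNs, dates of birth or postcodes are small enough to enumerate.
CANDIDATES = [f"MRN-{n:08d}" for n in range(12300, 12400)]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash. Looks opaque, but anyone who can enumerate the
    identifier space rebuilds the mapping (see dictionary_attack)."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC under a secret key held only by the data steward. The key is the
    'additional information' that must be kept apart from released data;
    use a distinct key per dataset so codes cannot be linked across releases."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


class LinkageTable:
    """Random-code pseudonymization: the code says nothing about the
    identifier, and the identifier -> code table is the separately held secret."""

    def __init__(self):
        self._forward = {}

    def assign(self, identifier: str) -> str:
        """Return the existing code for an identifier, or mint a fresh random one."""
        if identifier not in self._forward:
            self._forward[identifier] = secrets.token_hex(8)
        return self._forward[identifier]

    def resolve(self, code: str):
        """Only the table holder can re-attribute a code to a subject."""
        for ident, c in self._forward.items():
            if c == code:
                return ident
        return None


def dictionary_attack(pseudonyms, candidates, pseudonymize):
    """Re-identify by recomputing the pseudonym of every candidate identifier.
    Returns pseudonym -> recovered identifier (None when not recovered)."""
    lookup = {pseudonymize(c): c for c in candidates}
    return {p: lookup.get(p) for p in pseudonyms}


def demo():
    """Release only the codes, then attack them as an outsider would.
    Returns (subjects recovered from naive codes, subjects recovered from keyed codes)."""
    naive_codes = [naive_pseudonym(s) for s in SUBJECTS]
    key = secrets.token_bytes(32)            # held by the steward, never released
    keyed_codes = [keyed_pseudonym(s, key) for s in SUBJECTS]

    naive_hits = dictionary_attack(naive_codes, CANDIDATES, naive_pseudonym)
    # Without the key the attacker can only try unkeyed hashing of candidates.
    keyed_hits = dictionary_attack(keyed_codes, CANDIDATES, naive_pseudonym)

    recovered_naive = sum(v is not None for v in naive_hits.values())
    recovered_keyed = sum(v is not None for v in keyed_hits.values())
    return recovered_naive, recovered_keyed


if __name__ == "__main__":
    print("recovered (naive, keyed):", demo())
```

The keyed form is still reversible by whoever holds the key, so the key lives with the steward under the same technical and organizational controls as a linkage table, and never travels with the dataset, its metadata, or the URLs and headers of the service that serves it.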

      5. (Guide.Privacy.DataQuality.Sec = (Guide.Privacy.DataQuality.Ti = Data quality)

        (Guide.Privacy.DataQuality.sec =
        • (Guide.Privacy.DataQuality.Base.sec = In order to promote responsible and valuable sharing, (_data = data)
          and any associated (_metadata = metadata)
          should be, to the greatest extent reasonably possible, accurate; verifiable; unbiased; current; stored in systems that enhance security, interoperability, and replicability; and in compliance with commonly accepted standards for (_data = data)
          and (_metadata = metadata)
          annotation.)

        • (Guide.Privacy.DataQuality.Maintain.sec = Regular quality assessments of datasets should be conducted. )
        )

        )

      6. (Guide.Privacy.DiscloseToPublic.Sec = (Guide.Privacy.DiscloseToPublic.Ti = Identifiable (_data = data)
        disclosure to the public)

        (Guide.Privacy.DiscloseToPublic.sec =
        • (Guide.Privacy.DiscloseToPublic.Base.sec = Subject to any applicable laws and/or the terms and conditions of authorization for lawful (_processing = processing)
          by competent bodies or institutions (e.g. research ethics committees), (_identifiable_data = identifiable data)
          should only be disclosed publicly in a publication or other format if: (1) (_data_subject = data subject)
          s have provided their explicit consent to public disclosure of their (_identifiable_data = identifiable data)
          and have been made aware of any reasonably foreseeable risks associated with the disclosure, and the disclosure is necessary for the purpose concerned; (2) (_data_subject = data subject)
          s have knowingly made their (_identifiable_data = identifiable data)
          public by their own explicit actions or permissions; or (3) disclosure serves a public interest, is necessary for the purpose concerned, and adequate safeguards are in place.)

        )

        )

      7. (Guide.Privacy.DataSustainability.Sec = (Guide.Privacy.DataSustainability.Ti = Data sustainability)

        (Guide.Privacy.DataSustainability.sec = (Guide.Privacy.DataSustainability.0.sec = )
        (Guide.Privacy.DataSustainability.xlist =
        • (Guide.Privacy.DataSustainability.secs = (Guide.Privacy.DataSustainability.1.sec = Where appropriate and in accordance with the (_data_subject = data subject)
          ’s (or their legal representative’s) consent for (_processing = processing)
          , and/or the terms and conditions of authorization for lawful (_processing = processing)
          by competent bodies or institutions, and subject to appropriate safeguards, (_data = data)
          should be retained for future (_processing = processing)
          through both archiving and using appropriate indexing and retrieval systems.)

        • (Guide.Privacy.DataSustainability.2.sec = A plan should be established for the possible discontinuance of a database or initiative, and in particular should establish, if possible, whether the (_data = data)
          will be archived or transferred to another database for use in future initiatives. If such archiving or transfer to another database is foreseen, the plan should make clear that (_data = data)
          will continue to be shared with (_data_user = data user)
          s subject to ongoing governance oversight through e.g. a research ethics committee and/or data access committee. The lawful basis for the archiving or transferring of (_data = data)
          to another database for use in future initiatives (e.g. (_data_subject = data subject)
          consent) should be verified.)

          )
        )

        (Guide.Privacy.DataSustainability.00.sec = )
        )

        )

      8. (Guide.Privacy.Access.Sec = (Guide.Privacy.Access.Ti = Controlled access and registered access)

        (Guide.Privacy.Access.sec =
        • (Guide.Privacy.Access.Base.sec = Requests by (_data_user = data user)
          s for access to (_data = data)
          should demonstrate to those managing access requests (e.g. (_data_steward = data steward)
          s, research ethics committees, and/or (_data = data)
          access committees), at a minimum: (1) legitimate interest in and intended use(s) of the (_data = data)
          ; (2) accessibility of the (_data = data)
          only to authorized individuals; (3) a reasonable and specified time period of (_data = data)
          access; and (4) destruction of the (_data = data)
          after agreed use.)

        )

        )

      9. (Guide.Privacy.DataBreach.Sec = (Guide.Privacy.DataBreach.Ti = Data breach)

        (Guide.Privacy.DataBreach.sec =
        • (Guide.Privacy.DataBreach.Report.sec = A (_data_breach = data breach)
          involving the disclosure of (_data = data)
          by a (_data_user = data user)
          should be reported to the (_data_steward = data steward)
          without undue delay. Consideration should be given to reporting a (_data_breach = data breach)
          to a competent (_supervisory_authority = supervisory authority)
          and, if applicable, the (_data_protection_officer = data protection officer)
          and the relevant research ethics committee for the primary study, in addition to the (_data_steward = data steward)
          if no such requirement otherwise exists.)

        • (Guide.Privacy.DataBreach.HighRisk.sec = When a (_data_breach = data breach)
          involving the disclosure of (_data = data)
          is likely to result in a high risk to the rights or interests of (_data_subject = data subject)
          s, such a breach should be reported without undue delay by the (_data_steward = data steward)
          or a key contact person (e.g. (_data_protection_officer = data protection officer)
          , principal investigator, communication or cohort contact officer) to (_data_subject = data subject)
          s in the affected database by means of a public communication or similar measure whereby the (_data_subject = data subject)
          s have an opportunity to be informed in an equally effective manner.)

        )

        )

      10. (Guide.Privacy.Accountability.Sec = (Guide.Privacy.Accountability.Ti = Accountability)

        (Guide.Privacy.Accountability.sec =
        • (Guide.Privacy.Accountability.Base.sec = All persons and organizations are accountable for promoting and protecting (_data = data)
          privacy and security, including when (_data = data)
          are shared with (_data_user = data user)
          s, repositories, and service providers.)

        • (Guide.Privacy.Accountability.Tracking.sec = Data stewards should keep track of all whereabouts of the (_data = data)
          and the persons and/or organizations with access to the (_data = data)
          .)

        • (Guide.Privacy.Accountability.Personnel.sec = Data stewards should clearly identify the individuals within their organization who are responsible for (_data = data)
          privacy, (_data = data)
          management, and reporting procedures (including a contact person or contact point for complaints). Appropriate and regular training for the identified individuals to discharge these duties should be provided.)

        • (Guide.Privacy.Accountability.Practice.sec = Data stewards should track relevant new laws, regulations, policies, expectations, and best practices, sharing these with responsible individuals within their organization or entity, and with (_data_user = data user)
          s as appropriate.)

        • (Guide.Privacy.Accountability.Communicate.sec = Where relevant, ongoing communication links should be maintained between (_data_steward = data steward)
          s, (_data_user = data user)
          s, and research ethics committees and/or (_data = data)
          access committees.)

        )

        )

      11. (Guide.Privacy.Transparency.Sec = (Guide.Privacy.Transparency.Ti = Transparency)

        (Guide.Privacy.Transparency.sec =
        • (Guide.Privacy.Transparency.Policy.sec = Policies and practices with respect to the privacy and security management of (_data = data)
          and access arrangements should be made publicly available. Plain language summaries of these policies and practices and access arrangements should also be made public.)

        • (Guide.Privacy.Transparency.Inform.sec = General information should be made openly available on an ongoing basis to (_data_subject = data subject)
          s as a group about how their (_data = data)
          are being used and for what purposes.)

        • (Guide.Privacy.Transparency.Use.sec = For (_data = data)
          that are not anonymized, a procedure should be established to provide individual (_data_subject = data subject)
          s, if they so request, information about how their (_data = data)
          are being used and for what purposes.)

        )

        )

      12. (Guide.Privacy.Complaint.Sec = (Guide.Privacy.Complaint.Ti = Complaints or inquiries)

        (Guide.Privacy.Complaint.sec =
        • (Guide.Privacy.Complaint.Base.sec = Procedures should be established to receive and respond to complaints or inquiries about policies and practices relating to the privacy and security of (_data = data)
          or (_data = data)
          access requests. The procedures should be easily accessible and simple to use and should involve a commitment to deal with all complaints in a timely fashion.)

        )

        )

      13. (Guide.Privacy.VulnerablePopulation.Sec = (Guide.Privacy.VulnerablePopulation.Ti = Vulnerable populations)

        (Guide.Privacy.VulnerablePopulation.sec =
        • (Guide.Privacy.VulnerablePopulation.ImpactStatement.sec = Persons or organizations that seek to process (_data = data)
          from (_vulnerable_population = vulnerable population)
          s should consider conducting, as far as is practicable, a (_vulnerable_population = vulnerable population)
          -specific (_data_privacy_impact_assessment = data privacy impact assessment)
          regarding the use and sharing of such (_data = data)
          .)

        • (Guide.Privacy.VulnerablePopulation.ThirdPartyAccess.sec = Persons or organizations that seek to process (_data = data)
          from (_vulnerable_population = vulnerable population)
          s should consider working with them to develop a (_data = data)
          access protocol that governs requests by third parties for research requiring the (_processing = processing)
          of such (_data = data)
          , unless there is an established vehicle in place.)

        )

        )

      )

      )

    2. (Guide.Security.Sec = (Guide.Security.Ti = Security)

      (Guide.Security.sec = (Guide.Security.Intro.sec = Security is concerned with organizational, technical, and physical measures and standards to effectively manage risks to the sensitivity and integrity of (_data = data)
      and the availability of resources and services. Due regard should be paid to the GA4GH Security Technology Infrastructure, which complements this (_policy = policy)
      . The following guidance promotes safe and effective (_data = data)
      sharing environments.)

      1. (Guide.Security.Organize.Sec = (Guide.Security.Organize.Ti = Organizational measures)

        (Guide.Security.Organize.sec =
        • (Guide.Security.Organize.Base.sec = As human errors are among the most difficult errors to control, organizations should, with ongoing commitment of adequate resources: (1) develop, monitor, and enforce policies (consistent with this (_policy = policy)
          ) to secure (_data = data)
          ; (2) appoint a security officer responsible for implementing and enforcing security policies and practices, and responsible for monitoring them through standards, procedures, and baselines; (3) implement internal and external security reviews and audits; and (4) implement and require ongoing training and education of personnel on privacy and security policies and best practices.)

        • (Guide.Security.Organize.MinimizeDate.sec = The number of copies of (_data = data)
          (as backup or otherwise) stored by persons or organizations should be kept to the minimum necessary to ensure adequate protection of the (_data = data)
          in the event of primary copy (_data = data)
          loss.)

        • (Guide.Security.Organize.IAM.sec = Each organization should implement Identity and Access Management ((_IAM = IAM)
          ) policies, procedures, and technologies to verify the identity of each individual to whom access rights are to be granted, and to ensure that each individual is given access to all of (and only) the type and volume of (_data = data)
          and services required for a specified period of time. (_IAM = IAM)
          includes identity proofing, credential issuance, rights authorization, identity authentication, and rights revocation. As part of the (_IAM = IAM)
          policies, organizations should maintain a list of persons having access to (_data = data)
          and the list should be reviewed regularly and authenticated.)

        • (Guide.Security.Organize.Federation.sec = Organizations that agree to recognize and accept authenticated identities and security attributes issued by other organizations (“federated identity”) have the responsibility of assuring the trustworthiness of the issuers, as well as the currency and authenticity of asserted identities. The (_GA4GH = GA4GH)
          Authentication and Authorization Infrastructure (AAI) standard may be used to federate identity authentication and service authorization.)

        • (Guide.Security.Organize.Accountability.sec = Consequences for (_data_breach = data breach)
          es should be clearly stipulated and enforced (see also the GA4GH Accountability Policy).)

        • (Guide.Security.Organize.Cloud.sec = In the context of cloud computing, companies providing cloud computing services to store, analyze, or warehouse (_data = data)
          should have good management infrastructure and robust (_data = data)
          encryption capabilities. The responsibility is on the (_data_user = data user)
          /organization to ensure this infrastructure is compliant with local laws and regulations when uploading (_data = data)
          to the cloud. Organizations should ensure that cloud service providers have been independently audited against comprehensive, internationally recognized, and respected information security standards, such as those promulgated by the International Organization for Standardization (ISO) and the Statement on Standards for Attestation Engagements (SSAE). Organizations should also ensure that cloud service providers hold up-to-date third-party audit certifications and that these are maintained throughout the duration of the cloud service.)

        )

        )

      2. (Guide.Security.TechMeasure.Sec = (Guide.Security.TechMeasure.Ti = Technical measures)

        (Guide.Security.TechMeasure.sec =
        • (Guide.Security.TechMeasure.AccessToSystem.sec = Physical and (_logical_access = logical access)
          to computer systems and networks should be restricted to authorized individuals, and access granted only for those information assets and functions required to perform the user’s assigned duties.)

        • (Guide.Security.TechMeasure.Anonymization.sec = Whenever possible, (_data = data)
          should be pseudonymized or anonymized at the earliest possible opportunity.)

        • (Guide.Security.TechMeasure.KeyManagement.sec = Where (_data = data)
          are pseudonymized, an organization may assign a (_key = key)
          to enable the (_data = data)
          to be re-identified. The assigned (_key = key)
          should not be derived from or related to the associated individual, should not be used for any other purpose, and should not disclose the mechanism used for re-identification. The direct identifiers associated with (_key = key)
          s should be isolated on a separate dedicated server/network without external access. A defined procedure and auditable mechanism for reversing the (_pseudonymized_data = pseudonymized data)
          to (re)attribute the (_data = data)
          to a specific (_data_subject = data subject)
          should be in place.)

        • (Guide.Security.TechMeasure.Disaster.sec = Emergency-management and disaster-recovery plans and safeguards should be implemented, including regular back-ups.)

        • (Guide.Security.TechMeasure.CompatibleSecurity.sec = Technical measures to secure (_data = data)
          should comply with the relevant guidance and regulations (e.g. for clinical trials) and should aim to be interoperable with (_data = data)
          sharing systems and software.)

        • (Guide.Security.TechMeasure.Log.sec = Every system that accesses, stores, or transmits (_data = data)
          should record an audit log of all security-relevant events. Audit trails should be reviewed regularly, and all suspicious events should be investigated. Where possible, automated, enterprise-wide audit-trail monitoring should be implemented, with alerts for misuse and algorithms to amend or terminate access. Audit logs should be maintained for a minimum of one year, or as otherwise required by applicable law, and carefully protected.)

        • (Guide.Security.TechMeasure.Configuration.sec = Configuration management of all hardware and software (including operating systems) should be implemented. Every change should be reviewed for potential privacy and security impacts.)

        • (Guide.Security.TechMeasure.Threat.sec = Organizations should take recommended actions to protect (_data = data)
          and services from known and emerging threats, including monitoring sources of security threat information and installing security-critical upgrades as soon as they become available and have passed quality assurance testing within the organization.)

        • (Guide.Security.TechMeasure.Patch.sec = Organizations should protect (_data = data)
          from new security vulnerabilities in any software used over the lifespan of a project involving the (_data = data)
          . Such consideration should include ensuring that security patches to the software are promptly applied and that any vulnerabilities for which security patches cannot be applied in a timely way will be subject to scrutiny regarding alternative security safeguards.)

        • (Guide.Security.TechMeasure.Test.sec = Organizations should routinely test their security systems, and periodically (e.g. yearly) engage an independent third party to perform security assessment and penetration testing.)

        )
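        The key-management and audit-log guidance above can be made concrete in code. The following is an added example, not GA4GH code or code from any project the policy references; the class and function names, the constructed sample records, and the JSON log layout are assumptions. It shows a pseudonymization key that is random rather than derived from the individual, a key-to-identity mapping held in a stand-in for the isolated key server, a reversal procedure that writes an audit event before releasing anything, a check for the forbidden "key is a hash of an identifier" pattern, and a simple audit-trail review that surfaces events a reviewer should inspect.

```python
"""Pseudonymization with an isolated key store and an auditable reversal path.
Added example (not GA4GH's own code); names, records and log format are assumed."""
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Constructed sample of direct identifiers held by the data controller.
SAMPLE_SUBJECTS = [
    {"name": "Alice Example", "dob": "1970-01-01", "mrn": "MRN-0001"},
    {"name": "Bob Example", "dob": "1980-02-02", "mrn": "MRN-0002"},
]


class KeyVault:
    """Stands in for the separate, dedicated server (no external access) that
    holds the key -> direct identifier mapping.  Research systems only ever
    see the key, never the identity."""

    def __init__(self):
        self._key_to_identity = {}
        self.audit_log = []  # one JSON line per reversal attempt

    def issue_key(self, identity):
        # A random key is not derived from or related to the individual, is
        # not reusable for another purpose, and reveals nothing about how
        # re-identification works (assumed design, per the policy text).
        key = secrets.token_hex(16)
        self._key_to_identity[key] = dict(identity)
        return key

    def reidentify(self, key, requester, justification, approved):
        """Defined reversal procedure: every attempt is logged, released or not."""
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": "reidentify",
            "requester": requester,
            "key": key,
            "justification": justification,
            "approved": approved,
            "outcome": "denied",
        }
        identity = None
        if approved and key in self._key_to_identity:
            identity = dict(self._key_to_identity[key])
            event["outcome"] = "released"
        self.audit_log.append(json.dumps(event, sort_keys=True))
        return identity


def pseudonymize(subjects, vault):
    """Return records carrying only the key and the attributes needed for research."""
    out = []
    for s in subjects:
        key = vault.issue_key({"name": s["name"], "mrn": s["mrn"]})
        out.append({"key": key, "dob": s["dob"]})
    return out


def weak_key_from(identifier):
    """The anti-pattern the policy rules out: a key computed from a direct
    identifier can be recomputed by anyone holding that identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def looks_derived(key, identity):
    """Cheap check that a key is not a plain or truncated SHA-256 of any
    direct identifier in `identity` (the scheme weak_key_from uses)."""
    for value in identity.values():
        digest = hashlib.sha256(value.encode()).hexdigest()
        if key and digest.startswith(key):
            return True
    return False


def review_audit(log_lines):
    """Audit-trail review: count outcomes and flag releases made without a
    recorded justification, which a reviewer should investigate."""
    findings = {"released": 0, "denied": 0, "suspicious": []}
    for line in log_lines:
        ev = json.loads(line)
        findings[ev["outcome"]] += 1
        if ev["outcome"] == "released" and not ev["justification"].strip():
            findings["suspicious"].append(ev)
    return findings
```

        In use, `pseudonymize` runs where the direct identifiers live and the resulting records are what gets shared; `KeyVault` never leaves the isolated segment, and `review_audit` is what a periodic audit-trail review would run over the exported log lines. The `looks_derived` check is deliberately narrow (it only recognizes the hash-of-identifier pattern shown in `weak_key_from`); it is a guard against one common mistake, not proof that a key scheme is independent of the individual.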

        )

      3. (Guide.Security.PhysicalMeasure.Sec = (Guide.Security.PhysicalMeasure.Ti = Physical measures)

        (Guide.Security.PhysicalMeasure.sec =
        • (Guide.Security.PhysicalMeasure.IT.sec = Computers, network equipment, media, and facilities used to collect, access, store, process, transport, or transmit (_data = data)
          must be continuously protected using appropriate physical, technical, and procedural safeguards that limit access to authorized individuals.)

        • (Guide.Security.PhysicalMeasure.Disaster.sec = Physical security measures should be in place to protect (_data = data)
          from natural hazards such as floods, fires, or earthquakes.)

        • (Guide.Security.PhysicalMeasure.Hardware.sec = Hardware used for sharing (_data = data)
          should be tamper-resistant.)

        )

        )

      )

      )

    )

    )

  3. (Implement.Sec = (Implement.Ti = Implementation Mechanisms and Amendments)

    (Implement.sec =
    • (Implement.AdherentApplyMeasure.sec = All persons and organizations supporting this (_policy = policy)
      should take all reasonable and appropriate measures, whether of a regulatory, contractual, administrative, or other character, to give effect to this (_policy = policy)
      and promote its implementation, monitoring, and enforcement. Procedures and policies should be transparent and accessible. Attention should be paid to the interrelation of this (_policy = policy)
      with other (_GA4GH = GA4GH)
      policies (e.g. Consent Policy, Ethics Review Recognition Policy, Accountability Policy).)

    • (Implement.GA4GH-DSWS.sec = The GA4GH Data Security Work Stream will ensure that the technical standards and practices recommended in the GA4GH Security Technology Infrastructure are consistent with, and help enforce, this (_policy = policy)
      .)

    • (Implement.Amend.sec = Any entity or individual supporting this (_policy = policy)
      may propose one or more amendments to the present (_policy = policy)
      by communicating the amendments to the (_GA4GH = GA4GH)
      ’s Regulatory and Ethics Work Stream ((_REWS = REWS)
      ). The (_REWS = REWS)
      shall publicly circulate such amendments for comments and possible inclusion in this (_policy = policy)
      .)

    • (Implement.GA4GH-REWS.sec = The (_REWS = REWS)
      , in collaboration with (_organizational_member = organizational member)
      s and other (_GA4GH = GA4GH)
      Foundational and Technical Work Streams, will track the adoption of this (_policy = policy)
      and its application. The (_REWS = REWS)
      will also routinely review the (_policy = policy)
      ’s provisions, be aware of advances in basic research and technology, and ethical and legal developments, and attempt to ensure that this (_policy = policy)
      is fit for purpose.)

    )

    )

  4. (Acknowledge.Sec = (Acknowledge.Ti = Acknowledgements)

    (Acknowledge.sec = This (_policy = policy)
    was developed by the Regulatory and Ethics Work Stream of the (_GA4GH = GA4GH)
    , and is the result of the collaborative work, comments, and input of many individual and organizational contributors.)

    )

)

)