RARE-X Research Program – Data Protection Procedures
All research projects/data requestors seeking RARE-X data are required to sign and adhere to the following documents to ensure compliant, responsible data sharing.
Global Genes puts the utmost importance on protecting people’s data and this responsibility is at the core of all we do. To best serve in our role as data stewards, we have a team of data protection experts to help ensure that the management of data meets the high legal and ethical standards that are required by governing bodies.
RARE-X is Global Genes’ research data collection, access, and analysis program. A foundational aspect of the program is adhering to data protection processes that align with the EU/EAA and UK General Data Protection Regulations (GDPR). The documentation we require for data access is designed to support those processes and regulations.
(1) Researcher Data Use Agreement (DUA)
(2) Data Access Request (DAR)
(3) Researcher Data Protection Agreement (DPA)
Here is an overview of each of these documents.
Researcher Data Use Agreement (DUA)
Purpose:
This document is the agreement between Global Genes and an Institution on how research data controlled by Global Genes will be shared with researchers who are associated with that institution.
It is signed by an authorized representative of the institution and Global Genes.
Key Points
(1) Institutions are responsible for the data shared with researchers who are part of that institution.
(2) Institutions identify a “Requestor Investigator”, the principal researcher and employee of the institution.
(a) This person will have the authority to create and modify a Data Access Request (DAR) and request access to research data for specific researchers that report to the Requestor Investigator or are employees of the institution.
(3) If there are collaborators from a different institution, the DUA specifies that those collaborators and those other institutions will need a separate institution DUA with Global Genes as well.
(4) The DUA defines that a DAR will have a standard term of 1 year, that can be extended if written approval is requested and given.
(5) The DUA requires that if the Requestor Investigator leaves a project, the project must be closed or a new Requestor Investigator be authorized by the institution to issue a DAR associated with the research data.
(6) The DUA would have 1 or more Data Access Requests (DAR).
(7) The DUA must have a related Data Protection Agreement (DPA).
(8) Authorized Representatives for Institutions are required to be employees of the institution with legal ties to that institution.
Data Access Request (DAR)
Purpose
This document is a legal agreement between Global Genes and an Institution that identifies the research project scope and purpose.
Key Points
(1) A Requestor Investigator appointed by an institution can create and sign a DAR. They can also modify a DAR. This modification would require a signature.
(2) The DAR defines the research data use and the list of researchers associated with the Requestor Investigator or who are employees of the institution.
(3) The DAR has a start date and the standard term of access is 1 year. This can be extended.
(4) DAR(s) must have a related Data Protection Agreement (DPA)
Researcher Data Protection Agreement (DPA)
Purpose
A DPA is an agreement between Global Genes and an institution that defines the EU/EAA General Data Protection Regulation (GDPR) and UK GDPR requirements of Global Genes as a “Data Controller”, an institution that is authorizing research as a “Joint Controller”. The clauses define the responsibilities of the data controllers to protect individuals’ personal data and to allow them to exercise their rights under the laws.
Key Points
(1) A requirement for data subjects to consent to the collection of their data for specific purposes, and to protect it wherever it is moved and with whom it is shared is core to the DPA.
(2) By accessing Global GenesRARE-X Data the requestor assumes the responsibility of a “Joint Controller” for the duration of the DPA.
(3) Global Genes is required to have a DPA signed with any organization with whom it shares personal data of those covered by either GDPR or other data protection regulations.
(4) Global Genes maintains a standard privacy/security program based on GDPR for all data subjects regardless of where they live because Global Genes currently collects data from RARE-X data subjects in 59 countries as well as data from an additional 53 countries (total 112 countries) across the organization. Many countries have privacy laws based on GDPR.
(5) The EU does not allow for the clauses of the DPA to be changed.
(6) The Annex I of the DPA must align with DUA and the Research data use description in a DAR.
(7) Annex II (regarding data security) of a DPA can be modified but there are 2 options provided that do not require review by Global Genes. The first option assumes that the RARE-X data is not downloaded from The Broad Institute for any reason and its security safeguards are always protecting the data.
Data Processor Data Protection Agreement (DPA)
Purpose
Global Genes is also required to have a DPA with organizations that “process” data on behalf of Global Genes. Research projects are required to have a DPA with any organization that processes data on their behalf.
Key Points
(1) “Processing” includes any activity of collecting, using, storing, or sharing the data.
(2) A key difference between the Researcher DPA and the Data Processor DPA is that the Data Processor works on behalf of Global Genes and is limited to the processing defined by Global Genes.
(3) Examples of processors are Across Healthcare, The Broad Institute, and any organization that tokenizes the RARE-X data to allow matching with data in other research repositories.