Alongside our technical infrastructure, GHGA has developed a robust and appropriate legal and data protection structure. We describe the legal and data protection concept for GHGA, and how its development was shaped by the legal and data protection obligations under which GHGA operates in this white paper.
We also created of a number of documents to define how data is to be processed safely. The key documents for people interested in submitting data to GHGA are presented below.
The Data Protection Framework provides an overall description of the data protection approach of GHGA. It also serves as a baseline for data protection for the institutions involved in operating GHGA. This framework is a living document which will evolve as our service changes.
A Data Processing Contract is agreed between GHGA Central and institutions that submit data. It sets out how GHGA may process the data, and what the Data Submitters’ responsibilities are. It has been designed to conform with Art. 28 GDPR.
The Terms of Use for GHGA define the services offered by the GHGA Consortium and the performance levels of those services that users can expect. They also define the conditions that apply to users when using GHGA.
The national consortium GHGA aims to enable researchers to share human genome and omics data for research purposes, thus accelerating research. To this end, GHGA provides a secure infrastructure for data storage and the tools to share data securely. Researchers or institutions storing data at GHGA remain responsible for the data. It is up to the responsible data controllers to decide which other researchers are granted access to the data they store in GHGA. The institutions involved in GHGA cannot use the data without authorisation either. GHGA only acts on the instructions of the data controllers (in accordance with the GDPR, GHGA works as a data processor).
GHGA only receives and stores pseudonymised data - i.e. data sets in which directly identifying information such as names have been removed. Consequently, we cannot assign data sets to individual persons within the archive.
If patients or other affected persons wish to exercise their rights in relation to the storage or use of their data, e.g. request the deletion of data, please contact the institution that collected the data directly. The responsible controller will then instruct GHGA to act.