News

A new access tier for genomic and health-related data


August 8th 2018
academic papers, beacon, data sharing, open science, policy, press release, privacy and security, regulatory and ethics, research
Network Cyber Computer Cyber Security Online

Network Cyber Computer Cyber Security Online

In an article recently published in the European Journal of Human Genetics, members of the Global Alliance for Genomics and Health (GA4GH) propose a new model for data access termed “registered access.” This tier between open access and controlled access aims to increase and improve access to genomic data for use in research. It thereby furthers the impact those data can have on health and medicine and reinforces the human right to benefit from scientific advancement. The model is being piloted within the ELIXIR-Beacon network.

“Registered access builds on the strengths of the controlled access model, but it simplifies and streamlines the access process in a way we feel is suitable to the current research environment,” said lead author Stephanie Dyke, an ethics and policy researcher at McGill’s Montreal Neurological Institute and co-chair of the GA4GH Researcher Identities task team. “The landscape is changing — the number and scale of genomic datasets is growing and the number of researchers and other professionals, such as clinical care providers, who need to access those datasets is increasing. These potential data users need to seamlessly bring datasets from different sources together while maintaining important consent and privacy protections.”

Mikael Linden, the task co-leader of ELIXIR AAI, the ELIXIR service for researcher authentication and authorisation, added that the model allows for a greater focus on research: “Controlled access requires researchers to wait for their data access applications to be approved before commencing their investigations, which can cause a significant delay. If a researcher’s bona fide status has already been verified forregistered access, there is no lead-time, thereby reducing administration barriers and leaving more time for the actual research.”

Currently, data may exist in an open access tier, meaning they are publicly available on the World Wide Web, or in in a controlled access tier, meaning they are available to qualified researchers only for a specific project that has gone through a review process. In contrast, registered access would permit user access to a data environment after electronically verifying his/her identity and role (e.g., bona-fide researcher, clinical care professional) and obtaining an attestation of his/her agreement to a standard set of data usage responsibilities.

“All researchers should very easily be able to register, but they will need to agree to a standard set of good data use practices — the attestation.” said Dyke.

The work builds on previous research by a subset of the authors into the three-step approach: authorization, attestation, and authentication. Ideally, users make an attestation and register only once but their credentials are authenticated before each of their requests to access a data set are authorized.

“This model supports role-based access control, which is well established in other fields, including government and industry and can be implemented using existing technology standards widely used around the globe,” said Dixie Baker, a Senior Partner with Martin, Blanck & Associates, co-chair of the GA4GH Data Security Work Stream, and an author on the paper.

Work to standardize the technical details of the automation process and how registered access claims are represented is currently underway within GA4GH. The authors propose a user’s status is verified either by their home institution, or through proof of a professional license (for clinical care providers), or by another registered researcher. This approach is now being piloted within the  ELIXIR-Beacon network, a GA4GH Driver Project.

“The model allows us to make ELIXIR data that is not consented for open access discoverable to the broader research community,” said Ilkka Lappalainen, Deputy Head of ELIXIR Finland and an author on the paper.

Registered access represents one of several aspects being explored by the GA4GH Work Streams to enable secure, privacy-protective data sharing to advance human health and medicine. For example, the GA4GH Researcher Identities Task Team is also developing a standard “library card” for genomic data which could allow researchers to use their registered access status across many resources.

“The GA4GH DURI Work Stream and the Data Security Work Stream are actively evolving the Library Card standards and GA4GH security protocols to support standardizing implementations that use the registered access tier,” said Moran Cabil, Senior Software Product Manager at the Broad Institute of MIT and Harvard, co-chair of the GA4GH Data Use task team, and an author on the paper.

Additional GA4GH Driver Projects are evaluating how registered access can be adopted within their data environments. Adoption across multiple projects will allow the broader community to evolve this important concept to accommodate the needs of different data custodians.

“Registered access is an important step for enabling and streamlining collaborative, international research across a federation of data repositories,” said Bartha Knoppers, Director of the Centre of Genomics and Policy at McGill University, co-chair of the GA4GH Regulatory and Ethics Work Stream, and an author on the paper.

NOTE: Research published by members of the GA4GH community does not necessarily reflect a approval as a GA4GH standard, a formal process which consists of five stages (proposed, submitted for approval, under review, approved, retired) and includes peer, security, and ethics reviews. Once approved, GA4GH specifications will be posted publicly with adequate documentation.