Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Our Strategic Road Map defines strategies, standards, and policy frameworks to support responsible global use of genomic and related health data.
Discover how a meeting of 50 leaders in genomics and medicine led to an alliance uniting more than 5,000 individuals and organisations to benefit human health.
GA4GH Inc. is a not-for-profit organisation that supports the global GA4GH community.
To guide our collaborative, globe-spanning alliance, GA4GH relies on a Standards Steering Committee and an Executive Committee.
The Funders Forum brings together organisations that offer both financial support and strategic guidance.
The EDI Advisory Group responds to issues raised in the GA4GH community, finding equitable, inclusive ways to build products that benefit diverse groups.
Distributed across four Host Institutions, our staff team supports the mission and operations of GA4GH.
Curious who we are? Meet the people and organisations across six continents who make up GA4GH.
More than 500 organisations connected to genomics — in healthcare, research, patient advocacy, industry, and beyond — have signed onto the mission and vision of GA4GH as Organisational Members.
These core Organisational Members are genomic data initiatives that have committed resources to guide GA4GH work and pilot our products.
This subset of Organisational Members whose networks or infrastructure align with GA4GH priorities has made a long-term commitment to engaging with our community.
Local and national organisations assign experts to spend at least 30% of their time building GA4GH products.
Anyone working in genomics and related fields is invited to participate in our inclusive community by creating and using new products.
Wondering what GA4GH does? Learn how we find and overcome challenges to expanding responsible genomic data use for the benefit of human health.
Study Groups define needs. Participants survey the landscape of the genomics and health community and determine whether GA4GH can help.
Work Streams create products. Community members join together to develop technical standards, policy frameworks, and policy tools that overcome hurdles to international genomic data use.
GIF solves problems. Organisations in the forum pilot GA4GH products in real-world situations. Along the way, they troubleshoot products, suggest updates, and flag additional needs.
NIF finds challenges and opportunities in genomics at a global scale. National programmes meet to share best practices, avoid incompatabilities, and help translate genomics into benefits for human health.
Communities of Interest find challenges and opportunities in areas such as rare disease, cancer, and infectious disease. Participants pinpoint real-world problems that would benefit from broad data use.
Find out what’s happening with up to the minute meeting schedules for the GA4GH community.
See all our products — always free and open-source. Do you work on cloud genomics, data discovery, user access, data security or regulatory policy and ethics? Need to represent genomic, phenotypic, or clinical data? We’ve got a solution for you.
All GA4GH standards, frameworks, and tools follow the Product Development and Approval Process before being officially adopted.
Learn how other organisations have implemented GA4GH products to solve real-world problems.
Help us transform the future of genomic data use! See how GA4GH can benefit you — whether you’re using our products, writing our standards, subscribing to a newsletter, or more.
Help create new global standards and frameworks for responsible genomic data use.
Align your organisation with the GA4GH mission and vision.
Want to advance both your career and responsible genomic data sharing at the same time? See our open leadership opportunities.
Join our international team and help us advance genomic data use for the benefit of human health.
Share your thoughts on all GA4GH products currently open for public comment.
Solve real problems by aligning your organisation with the world’s genomics standards. We offer software dvelopers both customisable and out-of-the-box solutions to help you get started.
Learn more about upcoming GA4GH events. See reports and recordings from our past events.
Speak directly to the global genomics and health community while supporting GA4GH strategy.
Be the first to hear about the latest GA4GH products, upcoming meetings, new initiatives, and more.
Questions? We would love to hear from you.
Read news, stories, and insights from the forefront of genomic and clinical data use.
Attend an upcoming GA4GH event, or view meeting reports from past events.
See new projects, updates, and calls for support from the Work Streams.
Read academic papers coauthored by GA4GH contributors.
Listen to our podcast OmicsXchange, featuring discussions from leaders in the world of genomics, health, and data sharing.
Check out our videos, then subscribe to our YouTube channel for more content.
View the latest GA4GH updates, Genomics and Health News, Implementation Notes, GDPR Briefs, and more.
Discover all things GA4GH: explore our news, events, videos, podcasts, announcements, publications, and newsletters.
5 Oct 2020
The concept of a data ‘controller’ is central to the operation of the GDPR because it allocates responsibility for compliance with data protection rules. In the genomics context, determining who is a joint data controller can be complicated.
The concept of a data ‘controller’ is central to the operation of the GDPR because it allocates responsibility for compliance with data protection rules. The GDPR also foresees joint data controllers, who have the additional challenge of coordinating their respective responsibilities, in particular towards data subjects. In the genomics context, determining who is a joint data controller can be complicated.
In recent Guidelines 07/2020 on the concepts of controller and processor in the GDPR, the European Data Protection Board (EDPB) emphasises that joint controllers must have ‘decisive influence’ over both the purposes and ‘essential means’ of processing. Essential means include: the type(s) of data to be processed, the duration of processing and categories of people who may access the data. This may be apparent from a formal common decision. However, as a series of decisions by the Court of Justice of the European Union (CJEU) demonstrated, joint controllership can occur in much less obviously connected scenarios. This has included situations where actors did not have access to any personal data themselves and where they merely created an ‘opportunity’ for, ‘made it possible’ for, or ‘organised, coordinated and encouraged’ processing by others.
The EDPB rationalise these as ‘converging decisions’, whereby the processing is inextricably linked and would not be possible without both parties’ participation. Importantly, this doesn’t require complete agreement about the purposes and means. Having different purposes may suffice if they are complementary and different entities may determine the means of processing at different stages to different degrees.
How does this apply in practice?
In a genomics research collaboration, where each institution inputs personal data into a common platform and agrees how they should be processed, all institutions will be joint controllers. In other scenarios, where the parties have different but sufficiently closely linked or complementary purposes for processing, joint control could also arise. For example, if a genomic data platform allows users to set their own parameters for analysis (such as which variants should be investigated) but requires them to share the results of their analysis with the platform, both the platform owner and users may be considered joint controllers of that processing.
However, not all linked activity will lead to joint controllership. In some cases a party will instead be merely a ‘processor’, with more limited responsibilities (e.g., to keep data secure). For example, if they help to determine technical aspects of processing (for example, how data should be aggregated or safeguarded) but they have no influence over the research question, the people who can access the data, or, any other essential means, they will be considered a processor not a joint controller. In other cases, parties may be joint controllers but only for specific aspects of the overall processing. For example, a healthcare institution that provides genomic data to a central research database but has no influence over subsequent research nor receives any results in return, will be a joint controller for the transfer and storage of uploaded personal data but not for the subsequent research.
An assessment of joint controllership is likely to be influenced by the context. In the case law described above, the CJEU has taken a broad approach to joint controllership to ensure adequate protection of data subjects’ fundamental rights in contexts where there is inadequate transparency and responsibility for processing of personal data. By contrast, genomics collaborations are not generally characterised by an absence of responsibility for, or, transparency about the processing of personal data, and many will be supported by formal arrangements as recommended by the EDPB.
It is important that genomics actors appreciate that:
Relevant GDPR provisions
Colin Mitchell, Johan Ordish, and Alison Hall work for the PHG Foundation, a think tank with a special focus on genomics and personalised medicine that is a part of the University of Cambridge.
See all previous briefs.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.