Security Overview
The European Genome-phenome Archive (EGA) houses consented human data under controlled access. Access decisions are handled by the relevant Data Access Committee (DAC), which autonomously manages requests through the DAC Portal. This document provides an overview of EGA's practices for ensuring the security of data stored at the EGA. As security is a prime concern of the EGA, the EGA is a member of the Global Alliance for Genomics and Health (GA4GH) Data Security Work Stream. The EGA contributes to and helps develop the recommendations outlined in the GA4GH Security Technology Infrastructure document, which defines guidelines, best practices, and standards for building and operating an infrastructure that promotes responsible data sharing in accordance with the GA4GH Privacy and Security Policy.
Accessing data in the EGA involves several steps. First, users need to create an EGA account. Once logged in, they can request access to data controlled by a DAC through the EGA website (see documentation). The DAC oversees these requests through the DAC Portal, and if approved, grants the necessary permissions to the user's EGA account, allowing them to access and download all relevant data and metadata for the requested dataset(s).
The key points of the EGA security strategy are:
1 Regular Risk Assessment
- The EGA regularly identifies and assesses risks related to the following:
  - Breach of confidentiality,
  - Breach of privacy or autonomy,
  - Malicious or accidental corruption or destruction of data archived at the EGA,
  - Disruption of services provided by the EGA.
2 Risk mitigation
- The EGA implements and maintains safeguards to minimise the risks identified above in accordance with the six control objectives listed in Appendix 1 and outlined in the GA4GH Security Technology Infrastructure document.
- If a breach is discovered, the EGA applies a defined protocol to minimise damage.
3 Identity and authorisation management
- The EGA authenticates the identity of individuals or software accessing controlled-access data held at the EGA.
- The EGA ensures that an appropriate level of assurance (LoA) is applied to each identity, consistent with the risk associated with that individual; for example, multi-factor authentication is required for DACs.
- The EGA grants the minimum access rights and privileges consistent with the user's identity, allowing access in line with the GA4GH Privacy and Security Policy, as determined by the appropriate DAC.
4 Audit Logs
- The EGA maintains a set of logs recording:
  - Changes to user access rights,
  - Data access requests,
  - Resource usage.
5 Cryptography, communication security, and data integrity
- The EGA verifies the integrity of transmitted data using a hash function.
- All data transmitted to or from the EGA is end-to-end encrypted.
- All data at the EGA is stored using strong encryption.
- Encryption keys are not stored in the same system as the encrypted data.
- All data archived at the EGA must be accompanied by a signed submission statement confirming that appropriate consent or ethical approval has been obtained and that the submission complies with all applicable laws and regulations.
The EGA has a defined protocol for responding to a security breach, and continues to work with the GA4GH Data Security Work Stream to help define best practices and associated standards for breach response.
Appendix 1
GA4GH Control Objectives
- Control Objective 1: Implement technology safeguards to minimise the risk of unauthorised access, use, or disclosure of confidential and private data.
- Control Objective 2: Implement technology safeguards to minimise the risk of discovery, access, and use of individuals’ clinical and genomic data, and individual identities, other than as authorised by applicable jurisdictional law, institutional policy, and individual consents.
- Control Objective 3: Implement technology safeguards to minimise the risk of accidental or malicious corruption or destruction of data.
- Control Objective 4: Implement technology safeguards to minimise the risk of disruption, degradation, and interruption of services enabling access to data.
- Control Objective 5: Implement technology safeguards to minimise the risk of potential security attacks and misuse of authorised accesses and privileges.
- Control Objective 6: Implement technology safeguards to promptly detect the failure to attain the above control objectives and to respond with proper countermeasures.
Appendix 2
Refer to the document below to learn more about the EGA long-term data preservation policy and procedures at EMBL-EBI.