scRNA-seq of total bone marrow and T cells from multiple myeloma long-term survivors

Data access policy for the Mulitple myeloma long-term survivor scRNA and bulk RNA datasets

DATA ACCESS AGREEMENT Between : Heidelberg University Hospital, represented by the Board of Directors of the University Hospital, Project Leader: Prof. Dr. med. Michael Hundemer, Im Neuenheimer Feld 672, D-69120 Heidelberg, Germany -Data Producers/Heidelberg University Hospital- and -USER- These terms and conditions govern access to the managed access datasets (details of which are set out in Appendix I) to which the User Institution has requested access. The User Institution agrees to be bound by these terms and conditions. Definitions Authorised Personnel: The individuals at the User Institution to whom the Heidelberg University Hospital grants access to the Data. This includes the User, the individuals listed in Appendix II and any other individuals for whom the User Institution subsequently requests access to the Data. Details of the initial Authorised Personnel are set out in Appendix II. Data: The managed access datasets to which the User Institution has requested access. Data Producers: Heidelberg University Hospital and the collaborators listed in Appendix I responsible for the development, organisation, and oversight of these Data. External Collaborator: A collaborator of the User, working for an institution other than the User Institution. Project: The project for which the User Institution has requested access to these Data. A description of the Project is set out in Appendix II. Publications: Includes, without limitation, articles published in print journals, electronic journals, reviews, books, posters and other written and verbal presentations of research. Research Participant: An individual whose data form part of these Data. Research Purposes: Shall mean research that is seeking to advance the understanding of genetics and genomics, including the treatment of disorders, and work on statistical methods that may be applied to such research. User: The principal investigator for the Project. User Institution(s): The Institution that has requested access to the Data. Data Producers Details: Heidelberg University Hospital Im Neuenheimer Feld 672 D-69120 Heidelberg Germany Phone: +49 6221 56-0 Fax: +49 6221 56-5999 Email: international.office@med.uni-heidelberg.de 1. The User Institution agrees to comply with all applicable regulations, especially the General Data Protection Regulation (GDPR), to only use these Data for the purpose of the Project (described in Appendix II) and only for Research Purposes. The User Institution further agrees that it will only use these Data for Research Purposes which are within the limitations (if any) set out in Appendix I. 2. The User Institution agrees to preserve, at all times, the confidentiality of these Data. In particular, it undertakes not to use, or attempt to use these Data to compromise or otherwise infringe the confidentiality of information on Research Participants. Without prejudice to the generality of the foregoing, the User Institution agrees to use at least the measures set out in Appendix I to protect these Data. 3. The User Institution agrees to protect the confidentiality of Research Participants in any research papers or publications that they prepare by taking all reasonable care to limit the possibility of identification. 4. The User Institution agrees not to link or combine these Data to other information or archived data available in a way that could re-identify the Research Participants, even if access to that data has been formally granted to the User Institution or is freely available without restriction. 5. The User Institution agrees only to transfer or disclose these Data, in whole or part, or any material derived from these Data, to the Authorised Personnel. Should the User Institution wish to share these Data with an External Collaborator, the External Collaborator must complete a separate application for access to these Data. 6. The User Institution agrees that the Data Producers, and all other parties involved in the creation, funding or protection of these Data: a) make no warranty or representation, express or implied as to the accuracy, quality or comprehensiveness of these Data; b) exclude to the fullest extent permitted by law all liability for actions, claims, proceedings, demands, losses (including but not limited to loss of profit), costs, awards damages and payments made by the Recipient that may arise (whether directly or indirectly) in any way whatsoever from the Recipient’s use of these Data or from the unavailability of, or break in access to, these Data for whatever reason and; c) bear no responsibility for the further analysis or interpretation of these Data. 7. The User Institution agrees to follow the Fort Lauderdale Guidelines ( https://commonfund.nih.gov/sites/default/files/WellcomeReport0303.pdf) and the Toronto Statement (http://www.nature.com/nature/journal/v461/n7261/full/461168a.html). This includes but is not limited to recognising the contribution of the Data Producers and including a proper acknowledgement in all reports or publications resulting from the use of these Data. 8. The User Institution agrees not to make intellectual property claims on these Data and not to use intellectual property protection in ways that would prevent or block access to, or use of, any element of these Data, or conclusion drawn directly from these Data. 9. The User Institution can elect to perform further research that would add intellectual and resource capital to these data and decide to obtain intellectual property rights on these downstream discoveries. In this case, the User Institution agrees to implement licensing policies that will not obstruct further research and to follow the OECD’s (Organisation for Economic Co-operation and Development) Guidelines for the Licensing of the Genetic Inventions (2006) (https://www.oecd.org/sti/emerging-tech/36198812.pdf) 10. The User Institution agrees to destroy/discard the Data held, once it is no longer used for the Project, unless obliged to retain the data for archival purposes in conformity with audit or legal requirements. 11. The User Institution will notify the Heidelberg University Hospital within 30 days of any changes or departures of Authorised Personnel. 12. The User Institution will notify the Heidelberg University Hospital prior to any significant changes to the protocol for the Project. 13. The User Institution will notify the Heidelberg University Hospital as soon as it becomes aware of a breach of the terms or conditions of this agreement. 14. Either party may terminate this agreement by 30 days written notice to the other party . If this agreement terminates for any reason, the User Institution will be required to destroy any Data held, including copies and backup copies. This clause does not prevent the User Institution from retaining these data for archival purpose in conformity with audit or legal requirements. 15. The User Institution accepts that it may be necessary for the Data Producers to alter the terms of this agreement from time to time via a written amendment to this agreement signed by an authorized representative of the parties. As an example, this may include specific provisions relating to the Data required by Data Producers other than Heidelberg University Hospital. In the event that changes are required, the Data Producers or their appointed agent will contact the User Institution to inform it of the changes and the User Institution may elect to accept the changes or terminate the agreement. 16. If requested, the User Institution will allow data security and management documentation to be inspected to verify that it is complying with the terms of this agreement. 17. The User Institution agrees to distribute a copy of these terms to the Authorised Personnel. The User Institution will procure that the Authorised Personnel comply with the terms of this agreement. 18. This agreement (and any dispute, controversy, proceedings or claim of whatever nature arising out of this agreement or its formation) shall be construed, interpreted and governed by the laws of Germany and shall be subject to the exclusive jurisdiction of the courts of Heidelberg, Germany. Agreed for User Institution Signature: Name: Title: Date: Principal Investigator I confirm that I have read and understood this Agreement. Signature: Name: Title: Date: Agreed for the Data Producers / Heidelberg University Hospital: Signature: Name: Prof. Dr. Michael Hundemer Title: Project Leader Date: APPENDIX I – DATASET DETAILS APPENDIX II ––PROJECT DETAILS APPENDIX I – DATASET DETAILS (to be completed by the data producer before passing to applicant) Dataset reference (EGA Study ID and Dataset Details) EGA StudyID: EGA DatasetID: EGAD0 Name of project that created the dataset : Names of other data producers/collaborators: Specific limitations on areas of research Health/Medical/Biomedical Research Use (DUO:0000006) Research Ethics Approval Required (DUO:0000021) user specific restriction (DUO:0000026) non-commercial use only (DUO:0000046) not for profit, non-commercial use only (DUO:0000018) research specific restrictions (DUO:0000012) data use permission (DUO:0000001) Legal basis for Data sharing: The User and User institution shall be responsible for the acquired personal data as defined in the General Data Protection Regulation (GDPR) (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02016R0679-20160504). The GDPR is a binding law, which is publicly available. The wording and content of the law cannot be changed via an agreement. We ask the user and user institution to especially consider Article 24 and 25 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are state of the art measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account. The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented. For user institutions outside the EU in the absence of a decision pursuant to Article 45(3) GDPR standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR should be concluded preferably. Minimum technical and organisational measures required: Measures suitable for preventing unauthorised persons from gaining access to data processing equipment with which personal data are processed or used. Access control measures for building and room security include automatic access control systems, the use of chip cards and transponders, access control by gatekeepers and alarm systems. Servers, telecommunications equipment, network technology and similar equipment must be protected in lockable server cabinets. In addition, access control should be supported by organisational measures (e.g. service instructions which provide for the locking of the offices during absence). Measures suitable to prevent data processing systems (computers) from being used by unauthorised persons. User identification with password for operating systems and software products used, screen saver with password. Up-to-date Anti-Virus-Software and firewalls on client computers and servers. Server hardening, intrusion detection systems and encryption of data media or data files. Use of VPN for remote accesses. Ssh-based client-server communication. Central management of user rights and permissions. File access: Data can be held in unencrypted files on an institutional compute system, with Unix user group read/write access for one or more appropriate groups but not Unix world read/write access behind a secure firewall, for a limited period of time (up to 3 month) for primary analysis. They can be again decrypted if primary analysis has to be repeated. The hard drives of Laptops holding these data must be encrypted. If held on USB keys or other portable hard drives, the data must be encrypted. Measures to ensure that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, altered or removed without authorisation during processing, use and after storage. Access control can be ensured, among other things, by means of suitable user authorization concepts that enable differentiated control of access to data. In doing so, it is important to differentiate both the content of the data and the possible access functions to the data. Furthermore, suitable control mechanisms and responsibilities must be defined to document the granting and withdrawal of authorizations and to keep them up to date (e.g. upon hiring, change of job, termination of employment). Special attention should always be paid to the role and possibilities of administrators. Logging of user and administrator access and retrieval of the data should be supported. Further measures should include data protection management by an internal / external data protection officer and incident response management should be in place to prevent the uncontrolled distribution of data during the period when data has to be store unencrypted for analysis. APPENDIX II – PROJECT DETAILS (to be completed by the Requestor) Details of dataset requested i.e., EGA Study and Dataset Accession Number EGA StudyID: EGA DatasetID: Brief abstract of the Project in which the Data will be used (500 words max) All Individuals who the User Institution to be named as registered users Name of Registered User Email Job Title Supervisor* All Individuals that should have an account created at the EGA Name of Registered User Email Job Title