Italian demo study – variant calling on nuclear-encoded mitochondrial genes_6

Federated European Genome-phenome Archive (FEGA) – Italian Node Data Access Committee (DAC) Policy Version: 1.0 Approved by: Italian FEGA Node Coordination Board Effective date: [7 october 2025] Review frequency: Every one year 1. Purpose and Scope The Data Access Committee (DAC) of the Italian FEGA Node is the body responsible for the evaluation, approval, and monitoring of data access requests concerning genomic and clinical datasets made available through the Federated European Genome-phenome Archive (FEGA). This policy defines the principles, criteria, and procedures to ensure that data access occurs in compliance with: European legislation (GDPR, EHDS, research and innovation regulations); National, international, and EU laws; FAIR principles (Findable, Accessible, Interoperable, Reusable); Ethical standards; Any applicable Data Protection Impact Assessment (DPIA); Security standards established in the Terms of Use (ToU), Acceptable Use Policy (AUP), Data Transfer Agreement (DTA), and Data Processing Agreement (DPA). 2. Guiding Principles Lawfulness: Every DAC decision must comply with the GDPR, the Italian Privacy Code, and the provisions of the EHDS Regulation. Ethics and Respect for Individuals: Data use must be limited to research, healthcare, or public health purposes, avoiding any form of discrimination or stigmatization. Transparency: The DAC’s evaluation criteria, decisions, and procedures must be properly documented and communicated to applicants. Fairness: Equal opportunities for access must be guaranteed to public and private researchers, both national and international, based on equivalent scientific and ethical requirements. Security: Data must only be made accessible within secure environments (Secure Processing Environments – SPE). 3. Composition of the DAC The DAC shall be composed of: A Chair; Scientific members (experts in genomics, bioinformatics, and clinical sciences); A Legal/Ethical member. The composition must ensure multidisciplinary balance, transparency, and independence, and appointments must be duly documented. 4. DAC Responsibilities and the Submitter Organisation Each genomic dataset stored and shared under controlled access in FEGA must be associated with a DAC designated by the Submitter Organisation. The DAC evaluates access requests based on consent, national ethical conditions, and applicable policies. The Submitter Organisation retains overall responsibility as the data controller and appoints the DAC through internal procedures involving institutional functions (e.g. DPO, Legal Office, ELSI Officer), including those governing access to ELIXIR-IT services. A DAC may be responsible for multiple datasets. 5. Data Use Conditions and Data Use Ontology (DUO) Each dataset must be annotated with DUO codes, specifying permitted uses and sharing conditions. No access request may be approved until all data use and management conditions are formalized in a signed Data Access Agreement (DAA). When access involves the use of services provided by ELIXIR-IT, the user must comply with the access procedures defined therein and accept the ToU, AUP, and Privacy Policy. 6. Data Access Agreement (DAA) / Data Transfer Agreement (DTA) The DAA is an individual agreement governing each access request and defines the specific obligations relating to dataset use and data management by the requester. Typically, the DAA takes the form of a Data Transfer Agreement (DTA), under which the requester assumes responsibilities similar to those of a data controller. For datasets shared within the scope of the GDPR, a model compliant with the Regulation shall be used. 7. Data Access Request Management Process The data access approval process includes: The requester contacts the DAC responsible for the dataset of interest. The DAC evaluates the declared purpose and research context, including compatibility with the ethical and consent conditions associated with the dataset. Drafting and negotiation of the DAA, involving internal offices of the Submitter Organisation (DPO, Legal Office, Research Support Office). Signature and archiving of the DAA within the Submitter Organisation, or of any other documentation required to access the resources. Authorization of data release by the competent FEGA Node, in accordance with the agreed terms. 8. Alignment with ELIXIR Policies and Standards Access requests must also comply with ELIXIR’s policies and data access models, particularly when datasets and resources are part of the ELIXIR infrastructure. Although ELIXIR as an international organization is not directly subject to the GDPR, ELIXIR-IT policies and the ELSI Policy ensure compliance with data protection and ethical standards. ELIXIR’s access policies require the signing of an access agreement, acceptance of ToU, AUP, and Privacy Policy, and, where applicable, the execution of Data Transfer Agreements (DTAs) with both data providers and users to ensure that data processing is consistent with consent, ethics, and security requirements. 9. Security, Monitoring, and Compliance Checks Data must be accessed exclusively within Secure Processing Environments (SPE). The DAC may perform post-access audits to ensure compliance with contractual obligations. In the event of violations, access may be suspended or revoked. The DAC must produce an annual aggregated report summarizing received, approved, and rejected access requests. 10. Policy Updates and Continuous Review This policy is subject to periodic review (at least biennially) to ensure alignment with evolving legislation, technical standards, and ELIXIR, FEGA, and EU policies. Any updates must be communicated to applicants, partner institutions, and relevant stakeholders.