Legal and Ethical Framework for BiobankCloud

Introduction
The point of departure for the BiobankCloud is that no data containing personal information related to identifiable persons will be processed. However, it is a principle of the BiobankCloud platform not to process any data where the data subject has not given his/her informed consent when so required. The cloud will handle two types of data, descriptive meta-data and omics-data. All data used will be either at an aggregated level, anonymized or coded in order to prevent any identification. At this point, only data from Charité, Germany will be used.

The law applicable to the data processed is defined in the EU Data Protection Directive. The point of departure is that the applicable law follows the law of applicable to the controller. Key concepts to this regard will be explained below.

Defining the Controller and Processor
The owner of the data, in our case Charité, will remain the controller in the meaning of the Data Protection Directive, and the BiobankCloud will be the processor.

In Article 2.d of the Data Protection Directive, the controller is defined as ‘the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data’. A processor is ‘the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller’ (Article 2.e).

The key element in deciding who the controller is, therefore, becomes who ‘determines the purposes and means of the processing of personal data’. The person able to take these decisions will also be responsible for ensuring that the processing of the data is in compliance with the Directive, Article 17.2 of the Data Protection Directive. According to Article 17.1 of the Data Protection Directive, the Member States are to provide that the controller must implement appropriate technical and organizational measures to protect personal data. In many cases, there will be more than one controller, and the requirements will have to be upheld by each of them individually. If the controller does not conduct the processing him/herself but leaves this to a processor, Article 17.3 stipulates that the processing of data must be governed by a contract or legal act binding the processor to the controller and stipulating, that the processor shall act only on instructions from the controller and in conformity with the measure set out by the Member States in accordance to Article 17.1. If the processor uses sub-contractors to carry out the tasks set out by the controller, these same conditions apply to the sub-contractor.

According to the Article 29 Working Party Group, being a controller is primarily the consequence of the factual circumstance that an entity has chosen to process personal data for its own purpose. The BiobankCloud users who want to upload and analyse its data in the BiobankCloud decide the purpose of the processing. This implies we should consider the user as the controller, since it is only the user who can decide on the purpose of the biobank samples and the data connected to it, and further, who is able to collect the necessary consents from the donors. In regards to the criteria ‘means of the processing’, the BiobankCloud will provide the resources and tools for data store and analysis, from which the user can choose when uploading and analysing his/her data. The ‘means of processing’ is therefore decided by the user.

For the sake of establishing a transparent and reliable chain of command between controller and processors, the BiobankCloud should take care to allocate all responsibilities stemming from the Data Protection Directive in a clear and concise manner (Article 29 Working Party Group). The agreements entered into by the BiobankCloud with the users wishing to upload and analyse data, at this stage Charité in Germany, should therefore state the division of labour between the parties, making clear that it is the user, Charité, that continues to be the controller of the data, and that the BiobankCloud platform is the processor. If, in the future, any sub-contractors will be involved, these must also be bound by the same division of labour, by means of contracts.

Applicable law
According to Article 4.1.a of the Data Protection Directive, it is the place of establishment of the controller that is decisive for pointing out the law applicable on the processing of the data. The principles set out above regarding aggregated, anonymized and coded data must therefore be applied within the context of German law. This will be the responsibility of the controller.

German law will be applicable to the processor, who is bound to uphold the measures set out by the Germany according to Article 17.1 of the Data Protection Directive. The Article 29 Working Party Group has concluded that this requires coordinated supervision by the competent Data Protection Authorities. From the part of the BiobankCloud project, this also means that all members of the consortium running the BiobankCloud platform will have to adhere to the supervision not only from the competent authority in their respective Member State, but also the German Data Protection Authority.

Informed consent
All data processed in the cloud will have to be consented in accordance with relevant legal requirements applicable to the controller. In the case where data has been collected a long time ago, where the data subject is diseased, or in the case of data on anonymous cell lines, even non-consented use of data may occur, if it conforms.

It is the responsibility of the controller, Charité in Germany, to secure that all data subjects whose data is uploaded to the BiobankCloud platform have given their consent, or that an exemption is applicable, all according to German law.

However, in the future other organizations and researchers from other European countries may be interested in using the BiobankCloud platform. In this case, specific national laws should apply to the controller. New regulations regarding consent should be added to the BiobankCloud ethical framework with the help of the BiobankCloud Ethical Board.