DUO for IT-Security requirments at requesters site

[NixBio]

Due to GDPR in Europe the DAC (EGA: DATA Access Committee) should validate if the data requester/requesting institution has certain IT-security measures in place.

Therefore we have to make sure that the following measures apply e.g.:

• state of the art and up to date measures for IT and data security
• access control to prevent unauthorised persons from gaining access to data/premises/machines used for analysis
• user identification (permission based file system access)
• organisational measure (e.g. instructions for locking offices, devices)
• destruction policy of data once no longer used
• method for encryption of primary genetic data after usage period, primary data only on encrypted devices if portable
• server hardening, intrusion detection system, anti-virus, firewalls
• data protection officer
• incident management
• further points: see TOMs in GDPR

One could define a DUO term: GDPR compliance requested. The requester institution does not necessarily have to have an official certificate, but as long as it fulfills the requirements, access could be granted, given, respective contracts are in place. (We use this contract: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32004D0915&from=EN)

Thanks for considering my request for discussion. Kind Regards Nick

[mcourtot]

Discussed at DUO call on May 19th 2021: This term is not in scope for DUO and we have talked to the Data Access Committee Review Standard (DACReS) group which will handle it; eventually the DACReS/REWS will have guidance for data access we can point to. cc @solideoglori