Data Sharing & Protection Policy
Our mission is to seek fundamental knowledge about rare diseases and genetic disorders, with an emphasis on their physical manifestation in facial morphology. Our ultimate goal is enhancing innovative medical research, facilitating accelerated and improved patient diagnosis and supporting more efficient development and administration of life-saving therapeutics. Our Data Sharing & Protection Policy supports this mission by promoting the broad and responsible sharing of phenotype and genotype data collected and submitted by our Members, which to the best of our knowledge are certified physicians, researchers and other healthcare providers, while providing the utmost protection of patient privacy. Sharing will amplify the scientific value of data and complement multiple research efforts conducted world-wide for the benefit of science and of patients with urgent and unmet medical needs.
The protection of patients’ privacy and confidentiality is paramount, and this Data Sharing & Protection Policy reflects our continued commitment to responsible data stewardship, which is essential to uphold the public trust in medical research. Therefore, personal identifiers such as name, date of birth, address, and social security number are not collected by us and Members should avoid sharing such data with us or other Members through our products and services. The collected data may however include facial images, clinical observations, test results, family history and other demographic information, which may be shared on an individual-level, in accordance with the access designation, as more fully described below, and in accordance with applicable HIPAA and EU data protection and privacy regulations. Individual-level data is coded in our data repositories and a corresponding unique case identifier number is provided to the submitting Member.
Tiered System for Data Collection and Sharing
Our Phenotype Data Sharing & Protection Policy is a three-tiered system for collecting, storing and sharing the data, based on the following incremental access rights designated by Members:
- Private Access (default): for data gathered and transmitted by each of our Members, processed by our technology and stored privately and securely;
- Controlled Access: for data made available only for review by our network of Members for professional information and educational purposes, as well as sharing comments and observations; and
- Open Access: for data made available to the public without restrictions, subject to applicable HIPAA and EU data protection and privacy regulations.
In accordance with our three-tiered system, data will be stored in three separate designated data repositories, corresponding to the access level indicated by Members. Our data repositories are hosted in secure sites and apply the appropriate technical protection measures necessary to comply with data security, confidentiality, and privacy laws and regulations. We audit our security policies and technical measures periodically to ensure compliance with applicable HIPAA and EU data protection and privacy regulations.
The three data repositories are:
- Data designated as Private Access will be stored in a data repository partitioned in a way that allows only the submitting Member and other Members actively selected by the submitting Member to access, review and retrieve such data. Except when the submitting Member actively selects to share these data with other specific Members, such data will not be shared with any third party on an individual-level and may only be shared on an aggregate-level (such as general statistics across multiple data sets or subsets) to ensure that no patient’s personal health information (PHI) is publicly disseminated nor re-identified.
- Data designated as Controlled Access will be stored in a data repository accessible only to other Members. Such data may be shared on an individual-level only with other Members and may not be disseminated publicly on an individual-level. It may, however, be shared on an aggregate-level.
- Data designated as Open Access will be stored in a separate data repository. Such data may be retrieved and shared on an individual- and aggregate-level with third parties without restrictions through a written request for data access submitted to and reviewed by us on a case by case basis. We have the right to monitor, retrieve, store, review and use all data, regardless of privacy level designated by Members, only to the extent actually required to ensure the proper operation and maintenance of our products and services.
Access to data by FDNA personnel for maintenance and support purposes is limited strictly on a “need-to-access” basis and requires compliance with rigid internal authorization policies. In addition, all data stored in our repositories are used to train and improve our technology automatically for the continued development thereof.
Designating data at either Private, Controlled or Open Access should be consistent with the original informed consent or permission under which the data were collected and submitted. It is each Member’s responsibility to determine whether a patient consent or permission is required or advisable in order to disclose, process, retrieve, transmit, and view the PHI, based on the laws and regulations of the Member’s jurisdiction and/or the policies of the Member’s institution. If applicable, it is the Member’s responsibility to obtain and maintain such consents or permissions. Click here to download a sample patient informed consent.
By uploading data to our products and services, Members certify and assure that the data has been collected in a legal and ethically appropriate manner and that patients’ identifiable PHI, which are not the minimum necessary to accomplish the intended purpose of such use, disclosure or request, respectively, have been removed or de-identified before submission. Members should indicate whether the data will be submitted to a Private, Controlled or Open Access data repository and assure that:
- The data submission is consistent with applicable laws, regulations, and institutional policies, specifically such laws and regulations which are in effect in the patient’s jurisdiction;
- Data submission and subsequent data sharing (if applicable) are consistent with the informed consent or permission;
- Risks to individuals and their families associated with data submitted to the designated data repositories were considered; and
- To the extent relevant and possible, risks to groups or populations associated with data submitted to designated data repositories were considered.
If no indication is made, data will be designated as Private Access by default.
Data Withdrawal or Change in Access Designation
An access level may be increased by a Member, provided the consent obtained from the patient supports such change. If, at any time, a patient revokes his or her consent in whole or in part, the respective data may be removed from the data repository completely or transferred to another data repository, as applicable. To change the access designation or withdraw data from our repositories, Members may contact us in writing via e-mail sent to firstname.lastname@example.org and clearly indicate the case identifier number and nature of the change. We will apply the change within 10 business days and certify such change in writing to the requesting Member. It is important to note that data already shared or disseminated in accordance with the original access designation, before a request for a change in designation has been received and processed by us, may not be retrieved.
Requests for Data Access
Data stored in our designated repositories may be accessed either on an individual- or aggregate-level, based on the submitting Members’ designation of such data, the corresponding informed consents or permissions and applicable laws and regulations. Requests for access to data are reviewed by us on a case by case basis. Decisions are based primarily on conformance of the purpose described in the access request to the data use with the values and missions described in this Policy, as well as on the scope of data requested and the identity of the requesting entity. Generally, data will be shared with any entity or individual with a valid reason to request such data and will be limited to the minimum necessary to accomplish the intended purpose of such use. Third parties approved to access data from our repositories are expected to abide by terms and conditions specified in a separate agreement signed with us in accordance with HIPAA and EU data protection and privacy regulations, including:
- Using the data only for the approved purpose;
- Protecting data confidentiality;
- Following all applicable laws, regulations, and policies for handling such data;
- Not attempting to identify individual participants from whom the data were obtained;
- Not selling any of the data obtained from our data repositories;
- Not sharing any of the data obtained from our data repositories with individuals or entities other than those listed in the data access request;
- Complying with security practices that outline expected data security protections (e.g., physical security measures) to ensure that the data are kept secure and not released to any person not permitted to access the data.
If requests for access to data are submitted by entities or individuals for non-commercial / non-profit purposes only, we will consider, based on certain criteria, such as the identity of the requester, the purposes listed in the request and the scope of data requested, granting access to such data on a non-profit basis, and in certain cases, on a pro-bono basis (bearing all costs ourselves), and, as necessary, in accordance with applicable HIPAA and EU data protection and privacy regulations.
Anyone accessing datasets from our designated data repositories, whether on an individual- or aggregate-level, will be required to acknowledge our contribution in all resulting oral or written presentations, disclosures, or publications.
last update: April 15, 2016