E.8.3 Data Access Compliance Office Policies and Procedures

E.8.3 Data Access Compliance Office (ICGC DACO) Terms of Reference, Policies and Procedures

Version 2.2 April 2022 

Download as pdf  Apply for Access  

1. Purpose

The purpose of the DACO is to manage access to ICGC’s controlled data through application requests (DACO Application for Access to the Controlled Data). Researchers submit their access requests directly to the DACO, who in turn reviews these access requests to ensure compliance with ICGC policies.  Compliance includes, but is not limited to, policies concerning the purpose and relevance of the research, the protection of donors, and the security of donors’ data. These practices facilitate responsible sharing of genomic and associated data and the development of harmonized standards for data access. Specifically: 

• ICGC ARGO observes purposeful, proportionate and responsible use and sharing of genomic and health-related data. 
• A primary aspiration of DACO is the balance between ICGC policies and goals of data sharing. 
• Wherever possible DACO adheres to global standards and guidelines for data access and responsible sharing, specifically the Global Alliance for Genomics and Health’s Framework for Responsible Sharing of Genomic and Health Related data (2014) and the GA4GH Data Access Committee Guiding Principles and Procedural Standards.

ICGC DACO reviews applications for accessing ICGC Controlled Data in both the ICGC ARGO Data Platform and the ICGC 25K Portal.

2. Background

While committed to open data sharing, the International Cancer Genome Consortium (ICGC) adopted a controlled access model for potentially re-identifiable and personal data as a response to privacy risk concerns for research participants. The Data Access Compliance Office (DACO) was created as an independent body to review access requests for ICGC’s controlled data.  Operational since July 2010, the DACO evaluates projects to ensure that they comply with the goals and policies of the ICGC.  Over 1500 new applications submitted by scientists from more than 37 countries have been reviewed by the DACO in the past 11 years. The office’s procedures, the application process and the online submission system have evolved over the years to adapt to the increasing number of applications.

3. DACO Governance

As of February 2022 The Data Access Compliance Office is governed and administered by the University of Glasgow.  The University as Data Controller (Regulation (EU) 2016/679 (General Data Protection Regulation) governs ICGC operations and management, including data access through the DACO, and data processing through the Data Coordination Centre and associated Regional Data Processing Centres. The duties of the processors are specified in a contract with the University of Glasgow as Data Controller. 

The DACO does not have a formal committee structure. It exists as an overarching authority with a range of consultants who oversee proposals on an as needed basis. These consultants have expertise in ethics and law, data management, AI and emerging technologies, computational methods and clinical experience and are called to review sessions as applications require them. 

The DACO office consists of two key positions: 

• Data Access Officer: is the University delegate authorised to sign and execute the Data Access Agreement. The Data Access Officer passes the final decision on verdicts passed, related policies, and maintains the general operations of the DACO.
• DACO Administrator: acts as the administrator for the DACO email and the online portal. They are responsible for the reception of submissions, communications with researchers, and all related documentation.  The DACO administrator and DACO officer work closely together. 

The DACO also reports monthly to the ICGC ARGO Management Committee on metrics and where additional review is required on applications. 

4. Eligible Project Guidelines

The DACO provides controlled access to public and private researchers (PIs) that apply for access and that access conditions are the same for both types of researchers.  The application must be completed and submitted through the online submission system. Generally, qualification requirements for applicants are:

1. The Applicant must be an independent researcher affiliated with a legal entity (e.g. university professor, researcher in a private company, independent researchers able to apply for federal research grants, etc.), and they must review and sign the finalised application.
2. A qualified Institutional Representative of a legal entity has the administrative power to legally commit that entity to the terms and conditions of the Data Access Agreement (e.g. Vice-President Research, a Research Director, or a Contracts Officer for the entity), and must review and sign the finalised application.
3. The Applicant must submit a summary of the research project. The project will be checked for conformity with the goals and policies of ICGC including, but not limited to, policies concerning the purpose and relevance of the research, the protection of the donors and the security of the donors’ data.
4. The Applicant must submit a lay summary of the project which may be posted on the ICGC ARGO website or used in reporting metrics. For tips on writing a lay summary, consult the lay summary guide, which includes before and after examples of real lay summaries.
5. The Applicant must submit at least 3 qualifying publications of which they were an author/co-author.
6. If ethics approval for use of ICGC Controlled Data is required in the Applicant’s country/region, an ethics approval letter must be included with the application.
7. All required sections of the application must be completed legitimately and all terms agreed upon.

A project and its authorized users are approved for access to the data for 2 years, or sooner upon completion of a final report if a study ceases. If a user wishes to extend the term of the agreement they may do so by submitting a Renewal Application. Authorizations to access controlled data will be broad, so that authenticated users will get permission to obtain access to controlled data generated from all samples studied by any participating ICGC project. 

5. Users Involved in the Application 

The following are a list of the users involved in an application and their requirements.

1. Applicant/Principal Investigator: Must be independent researchers who are affiliated with a legal entity (e.g. university professor, researcher in a private company, independent researchers able to apply for federal research grants, etc.).
2. Institutional Representative: A qualified representative of a legal entity who has the administrative power to legally commit that entity to the terms and conditions of the Data Access Agreement (e.g. Vice-President Research, a Research Director, or a Contracts Officer for the entity).
3. Collaborators: All investigators, collaborators, research staff at the Applicant’s institute (including post-docs) and students (including graduate students), who will have access to the ICGC Controlled Data in order to work on the research project
4. Application Submitter: The user who manages and submits the DACO application form. This could be the same person as the Applicant/Principal Investigator.

6. Ethical Approval

ICGC ARGO bears no responsibility for ethical approval and maintaining appropriate ethical approval (if so required) is the responsibility of the PI. If Ethical approval is required in an applicant's jurisdiction, it must be current for the duration of the approved Data Access Period and adequately disclosed on the DACO application. Applicants should confirm requirements for ethical approval to use ICGC Controlled Data by contacting the relevant local institutional review board / research ethics committee (IRB/REC) to clarify the matter.

7. DACO Review Process

All decisions, except for approval, will be accompanied with a detailed justification. The objective is to standardize the review of submitted applications. Generally,  DACO assesses applications across 3 Core components of the application, which consist of: 

• Qualification of users:  Confirming bonafide researchers with real and current affiliations, credible institutions and track records. 
• Feasibility and scientific merit: clear descriptions of objectives, scientific rationale, planned outputs and how ICGC Controlled data will be used. 
• Ethical considerations: Potential ethical issues and adherence to ICGC policies, including confirming the project poses minimal risk of re-identifying participants. 

8. Data Access Approval Period and Renewals

Data Access Approval Period

The DACO approval expires after 2 years of access. Access to ICGC Controlled Data remains conditional upon respecting the terms and conditions of the Data Access Agreement. An annual agreement must be made by the applicant and a bi-annual renewal must be completed in order to access/use controlled data beyond that two-year time period.

Users are notified in sequence of expiry with the following actions: 

1. Both 90 days and 45 days before expiry, the applicant will receive an email notifying them that they are eligible to renew. If the project remains active, the user may wish to renew beyond the 2 years. 
2. If applicants do not renew in this time period and their access expires, the project team loses access. 
3. The applicant will be notified that they are still able to renew for 90 days after expiry by logging in and clicking on the “renew” button. 
4. Renewals are received at the DACO office and managed by the standard process of review, consultation (if required), request revisions (if required), approval or rejection. Once an application is approved the applicant receives the notification email notifying them of their new expiry date and the project team re-gains access to controlled data for an additional 2 years.
5. If a renewal submission is not received within the 90 days post-expiry time frame, the application is closed forever in this state, but is still accessible to view upon log-in. 

Annual Attestation

ICGC recognises the importance of ensuring compliance with data access policies, therefore an annual attestation is required for all project teams.

45 days prior to the 1-year mark after approval, the applicant will receive an email reminder to complete the attestation. If the applicant does not attest by the 1-year mark, access to ICGC Controlled Data will be paused for all members of the project team. Once an applicant has attested to the terms, access will resume for the remainder of the 2-year access period.

9. DACO Reporting Requirements and Transparency

• The DACO office will report activities and metrics to the Management Committee on a monthly basis as per the DACO Monthly Report Template. 
• Annually the office will report to the Executive Board upon instruction.
• A copy of the Annual report will be published on the ICGC ARGO website for public viewing. 
• Data users will be published on the ICGC ARGO public website monthly. 

10. Security Incidents and Data Breach

Management of data security is detailed in the ICGC Security Best Practices for Controlled-Access Data (link). In addition, all users of ICGC data must familiarise themselves with the ICGC ARGO Data Breach Policy. All security incidents (even those not resulting in a data breach) must be reported without delay, where the incident will be investigated and managed as per the policy.  

11. Administrative Access

Nominated individuals within the ICGC community require administrative access for purposes of auditing, monitoring, ensuring compliance and quality control of data. Administrative access will require completion of a standard application with relevant sections completed as needed, which will be reviewed and governed by the terms and conditions outlined in the Data Access Agreement.

12. Appeals Process

All decisions (excluding approvals) are accompanied by detailed justification. Applicants may request a review of a rejection decision by emailing daco@icgc-argo.org, quoting their name and application number, and associated details around the request for review. DACO will review appeals requests and provide a written response within 30 days of receiving the request. If further review is required, DACO may consult the Management Committee for further advice.

13. Sanctions Policy

Failure to comply with terms and conditions of the Data Access Policies may result in access being removed or access terminated for any reason (including upon breach of the terms of the data access agreement). Failure to comply with these requirements may also carry financial or legal repercussions. Any misuse of controlled data is taken very seriously and other sanctions may apply including notification of organisations or other federal agencies.

14. Retention of Data

DACO and its affiliates will retain data related to DACO applications and processing for 10 years in line with the purposes for data processing. If you would like to inquire about data held about you please contact secretariat@icgc-argo.org.

15. Requirement of Lay Summaries

All applications to ICGC require an accompanying lay language summary of their research and proposed use of ICGC Controlled data.  A lay Summary is simply the ability to convey the details and significance of research to non-experts. In the context of ICGC ARGO, a lay summary is an overview of a research project described in a way that can be easily understood by those without prior experience of the project or broader subject of cancer genomics. A well-written lay summary allows the public and broader scientific and clinical communities to understand the research and its goals, impact and applications. Lay summaries as one avenue to communicate with the broader community forms part of the fundamental principles of ICGC ARGO. We have a strategic commitment to public engagement and making data widely available; beyond scientific publications and into the patient and public communities. 

We have developed guidelines for researchers: How to Write a Lay Summary, which can be accessed through our website.  

16. User Guide and Submission Instructions

The application must be completed and submitted through the online submission system. A detailed user guide and submission instructions can be found on the ICGC DACO Documentation Page.