Outsourcing genomic data: trust in the untrusted

Griet Verhenneman (KU Leuven)

Presented at the 6ht European Conference on Health Law edition. Bergen, Norway date:27-29 September 2017.

Medical centers are looking for storage and computation solutions beyond local data centres to store genomic data. Can they outsourcing to a third party, for example a cloud provider? Third parties are untrusted due to a lack of control, transparency and legal certainty, while genomic data require trust.

The General Data Protection Regulation (EU) 2016/679 imposes a series of general obligations for the outsourcing of genomic data processing in the context of prevention, diagnosis or treatment and in the context of clinical trials. The WITDOM project showed that while technical measures can be adopted by the service provider, organizational responsibilities will remain with the medical centre. Through six stages the medical centre has to ensure awareness, protection and compliance: 1) a processing analysis to reflect on intentions; 2) a pre-outsourcing analysis to evaluate the impact of the outsourcing; 3) contractual conditions to delineate responsibilities; 4) potentially an informed consent to addresses the relationship between the medical centre and data subject; 5) internal organizational procedures for adherence to data subjects’ rights and 6) alert procedures for adequate and timely response.

Organizational processes combined with technical solutions to advance availability, confidentiality, data isolation and encryption in transit and at rest can render untrusted services trustworthy.