Governance of genomic data

Background

A core component of the Melbourne Genomics program 2016 to 2019 was to implement a common system for the management of clinical genomic data¹. The GenoVic system was developed to support genomic testing and, in doing so, support the integration of genomic medicine into routine clinical care.

Developed by Melbourne Genomics Health Alliance for implementation by the Alliance members, GenoVic provides a common system to manage, analyse and interpret genomic information². As a system shared between members and aiming to enable data sharing across members, it is essential GenoVic has a set of agreements, policies and processes in place for the management and effective use of data.

Project description

The objective: to develop and implement robust and ethical governance of genomic data that is compliant with regulatory frameworks and maintains patient trust.

This project developed agreements, policies and processes for best-practice information management:

• To ensure consistent and appropriate use and stewardship of high-quality genomic data

• To address data governance from initial data capture, via processing through laboratories to its use by clinicians and researchers

All 10 Melbourne Genomics Health Alliance members were involved: The Royal Melbourne Hospital, The Royal Children’s Hospital, The University of Melbourne, WEHI, Murdoch Children’s Research Institute, CSIRO, the Australian Genome Research Facility, Peter MacCallum Cancer Centre, Austin Health and Monash Health.

Activities

Data governance has been a major component of the Melbourne Genomics data and technology work.

Over the four years (2016 to 2019), activities have evolved but can be broadly grouped as follows.

Data Governance Framework

In mid-2016, the GenoVic project team consulted with all Melbourne Genomics members and an external consultant to develop a Data Governance Framework.

This document provided a useful first step in understanding the data governance landscape and what supporting capabilities would be needed to manage data effectively in a shared system for genomics in clinical care. It established the data to be managed, business requirements, a proposed framework, the data governance model (‘who to govern’, ‘what to govern’, ‘how to govern’) and an implementation approach.

The Data Governance Framework also define data governance principles that guide all further work:

“We all respect the rights of the patient and work collaboratively for better health outcomes through ensuring information is secure³, used to its full extent⁴, fit-for-purpose⁵ and valued⁶.”

Privacy

Melbourne Genomics has assessed the potential impacts on patients and other individuals whose identifying personal information will flow through GenoVic.

Expert external lawyers conducted a Privacy Impact Assessment. They examined the collection, use, disclosure, storage and security of personal information when GenoVic is used by the Melbourne Genomics members, as well as members’ compliance with applicable privacy laws in doing so.

Data security

The security of GenoVic has been integral to the selection of vendor products and the design of how these components are brought together. Security requirements and activities were informed by the Information Security Policy.

GenoVic is only available through secured pathways, for both users and connected systems in the member organisations – using industry-standard encryption and security protocols. GenoVic sits across two highly secure Amazon Web Services (AWS) datacentres in Sydney, and AWS tools are used to provide industry-leading security.

Additionally:

• Penetration testing was conducted; this included testing web-accessible components and the Genomic Orchestration Service (GOS). No major vulnerabilities were detected.

• GOS underwent a full secure code review with a focus on identifying any vulnerabilities. No major vulnerabilities were detected.

• A Data Breach Management process was developed and tested via a simulated data breach.

Data governance for clinical testing

An agreement was developed for laboratories using GenoVic to manage their clinical genomic testing. This agreement is between Melbourne Genomics Health Alliance and the testing organisation. The Alliance agrees to provide access to the GenoVic system to support management and storage of genomic data for clinical testing. In return, the testing organisation agrees that the clinically generated data stored in GenoVic can be shared in future according to data sharing policies including adherence to patient consent. This agreement incorporates GenoVic’s Principles of Operation.

As part of the process of onboarding laboratories to GenoVic, the project team supported them to:

• Complete an information management maturity assessment

• Appoint data governance stewards

• Execute the agreement

Data governance for clinical and research use

The Melbourne Genomics project team conducted significant consultation within the Alliance to determine how clinical genomic data will be shared between, and potentially outside, of the Alliance for research. More recently, consultation has also been commenced to determine governance and processes required to support sharing of genomic data in GenoVic for clinical reuse⁷.

Development of the GenoVic Data Access and Sharing Policy was informed by experience of sharing Flagship data. This policy defines requirements to enable access and sharing of data in GenoVic, including legislative and regulatory compliance, patient consent obligations, and roles and responsibilities.

The policy is enforced by a draft GenoVic Data Access and Sharing Agreement, a mechanism to ensure data is used responsibly and appropriately. Terms of Reference and Standard Operating Procedures for a Data Access Committee have been drafted.

This work will continue to the stage of execution and technical implementation with further funding⁸.

Outcomes

• The data in GenoVic is secure and protected

• Victorian patients can trust that their data is maintained in accordance with all relevant privacy regulations

• Data governance processes for the participating laboratories have been established

• A set of agreements, policies and processes for management and effective use of the data are ready pending funding for implementation of data sharing

Lessons learnt

• Data governance of clinically generated genomic data is an area largely without precedent internationally. Consequently, considerably more effort than anticipated was required to understand the implications, stakeholder concerns, and requirements of sharing clinically generated genomic data for research and in the future for clinical reuse also.

• There is significant variability in data governance maturity generally across the Melbourne Genomics members.

• Capturing patient consent (to share their data) in a genomic system is complicated and much of the challenge occurs with laboratory systems.

• Insights from implementing data governance for the Melbourne Genomics shared system, GenoVic, may be useful in planning of genomic systems where data sharing is intended.