As the data processed by the Barts BioResource falls under Article 9 of the GDPR, all of our processing is automatically deemed high risk.
It is important to establish that only data pertaining to consented participants will be subjected to the full data processing; however, it is the nature of current clinical systems that data may initially be extracted for non-consented patients. Should this be the case, the first processing step will be to delete the records of such patients securely. We will ensure to the greatest extent possible that datasets are processed to only include consented (or exclude non-consented) participants at the earliest possible stage.
The Barts BioResource and Barts Health NHS Trust will be the data processors at this stage. The “Barts BioResource Information Govenance (IG) Policy” outlines the safeguards in place to ensure that individuals processing data do so lawfully – they are obliged in addition to undertake all requirements stipulated by Barts Health NHS Trust. These safeguards include signature of a confidentiality form and undertaking Good Clinical Practice (GCP) training. As discussed elsewhere, movement of pseudonymised data to an external platform for sharing will trigger a revised Data Privacy Impact Assessment (DPIA) which will address this concern in detail.
At present there are no international transfers of Barts BioResource data. For all future data access, approved researchers and institutions will be required to complete our comprehensive Material Transfer Agreement (MTA). In the first instance, the intention is to provide computational access to pseudonymised data, rather than direct transfer of pseudonymised data, however, should this be deemed essential, it is covered in the MTA.