Genotype data for clinical efficacy and biomarker analysis of neoadjuvant atezolizumab in operable urothelial carcinoma in the ABACUS trial

Data access policy for ABACUS

Data Sharing Policy 1. Scope The policy applies to all data collected as part of the ABACUS Clinical Trial (NCT02662309), whether to be shared outside of the Centre of Experimental Cancer Medicine (CECM) Clinical Trials Team or within Barts Cancer Institute with those not directly involved in the research, whether or not the data remain wholly within the defined secure area, and control, of the CECM. This document does not apply to trial teams accessing the data while it remains in the CECM Servers. 2. Facilitating data sharing The CECM will facilitate appropriate data sharing to maximize the value of research data. In common with other academic institutions, the lawful basis on which Queen Mary University of London relies to processes data is Article 6(1)(e) of the GDPR which describes processing of personal data that is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. Therefore, any data shared will be required to fulfil this requirement. Requestors are expected to use the data to generate new knowledge and understanding with the intention to publish research findings for wider scientific community and eventual public benefit, and to demonstrate this in their application to access the data. In any publications, the requestor should acknowledge the contribution of the original study team in accordance with academic standards. Requesters should be employees of a recognised academic institution, health service organisation or commercial research organisation with experience in medical research; and should be able to demonstrate their ability to carry out the proposed study e.g. through their own, or supervisor’s, peer review publications. Where the requestor is an employee of a commercial organisation the CECM encourages the requestor to work in equitable partnership with academic researchers and conform to the same data sharing principles and practices as that required of the academic community. The CECM will share data in a timely and responsible manner, recognising that original study investigators should have a period of exclusivity before key trial data are made available to other researchers. Researchers wishing to access ABACUS data are encouraged to approach the study investigator, in this case Prof T. Powles (t.powles@qmul.ac.uk), prior to approaching the Data Access Committee for more information about the study, to ensure the data is appropriate for their purpose and avoid duplication of research effort. If the study investigator is no longer in post, the Data Access Committee will appoint a member of CECM staff to facilitate access to relevant documentation about the data. 3. Mode of data sharing Data may be shared either by transferring the data out of the CECM secure servers or by granting the recipient researcher access to the data while it remains on the CECM secure servers. A Data Sharing Agreement is required for the former, and a Data Access Request for the latter. The Data Access Request is a simplified form of the Data Sharing Agreement, which removes the need for institutional sign off, and descriptions relevant to transfer and storage of the data. The data custodian(s) (usually the trial Chief Investigator(s)) or the lead recipient researcher will be responsible for justifying the purpose of sharing a particular dataset(s) and the data custodian will delegate responsibility to the CECM IT & Data Management Team for implementing the sharing. Data will only be shared with organisations that have adequate data security policies and procedures in place. These will be clarified in the specific Data Sharing Agreement. 4. Information for Patients Anonymised individual patient data can be shared without specific consent, as the Data Protection Act 2018 does not cover anonymised data. However, participants should be told if researchers intend to keep the data participants provide for use beyond a specific research study and if data may be shared anonymously with others in the future. We recommend that the following statement is included in the consent form and the patient information leaflet for research studies, if appropriate. “I understand that the information collected about me will be used to support other research in the future, and may be shared anonymously with other researchers.” 5. Anonymisation of Data Anonymising data is a process that balances producing safe data with reduced utility of the data, recognising that whether data are anonymised or not, is a function of both the data and the data environment. Fully anonymising the data, such that the risk of disclosing information referring to individuals is negligible, is required in order for the data to be exempt from the Data Protection Act. For the purposes of this policy, anonymous data will refer to data that fulfils these criteria. In other situations, some anonymisation work may still be carried out to reduce unnecessary risk but the data cannot be considered to be outside the Data Protection Act. Such data may still be shared subject to appropriate safe guards as laid out in this policy. 6. Resource implications Preparation of the data for sharing may require significant CECM resources in order to appropriately anonymise the data and prepare the data for sharing, including providing appropriate documentation. The burden is likely to be higher for archived studies, or where no CECM staff are currently assigned to the study, or where full anonymisation is required. The CECM will assess resource implications and may charge data requestors for services if necessary. Such charges will not be seeking to generate income, simply to recover costs. The CECM Clinical Trials Operations Manager will ensure sufficient resources are available to undertake work required, prior to signing the Data Sharing Agreement or Data Access Request Form. When data are accessed within Barts Cancer Institute requestors will be required to undergo appropriate training, which includes Information Governance training in line with CECM policies, and a charge may be levied for access accounts. Where funders are willing to support data sharing activity, the CECM recommends Chief Investigators consider including the statistician and data management time for preparing a data sharing pack in the funding application. This will contain well structured data dictionaries, blank case report forms, and associated documentation. Documentation will highlight fields that are considered to pose a risk to identification and provide summary data for these fields. The data sharing pack can be made available, on request. 7. ABACUS Data Access Committee The ABACUS Data Access Committee comprises of the Chief Investigator, the CECM Clinical Trials Operations Manager, the ABACUS Statistician, the ABACUS Clinical Research Fellow, a Genentech Scientist and an imCORE representative namely the USMA Biomarker Leader / GI & GU Cancers. It is expected that members will have undergone training or have experience in data sharing. Members of the committee are encouraged to attend training events and national or international meetings on data sharing. The Chair should be experienced in data sharing issues. Membership of the committee will be reviewed annually and updated as required. The Data Access Committee will review the application to ensure that 1. a valid reason has been provided to access the data and that the data requested is relevant and necessary to fulfil the stated purpose 2. appropriate steps have been taken to minimise risk of identifying participants, taking into account whether consent for data sharing was sought from the research participants 3. where data are to be removed from CECM, data security policies and procedures of the recipient organisation, including country of data recipient (if sharing abroad), and any other applicable regulatory requirements are adequate. The Data Access Committee will consider both the data and the environment together when assessing the risk of re-identification, recognising that manipulating the data may adversely affect the utility of the data. The committee will recommend a decision to approve or not the data sharing request and will communicate the decision with explanation to the requestor in a timely manner. Where the application has been rejected, the committee will describe what modifications are required to enable approval. 8. Transfers of data outside the EU The CECM acts in accordance with the GDPR (2016) which restricts transfers of personal data outside the EEA unless the rights of the individual are protected in another way. Wherever possible the CECM will fully anonymise any data to be shared outside the EEA. If full anonymisation is not possible, while maintaining the utility of the data, the Data Access Committee will assess and document the steps taken to ensure there is an adequate level of protection. In addition to the member states, the European Commission has assessed a number of countries as having an adequate level of protection. For more information on international transfers, see the ICO website. 9. Documentation Third parties must sign an agreement before they can access data held by the CECM. Where data are to be removed from the CECM this will take the form of a Data Sharing Agreement signed by the legal entities representing Queen Mary University of London and the recipient organisation. Where data is remaining on the CECM servers this will take the form of a Data Access Request form signed by researchers and CECM representatives only. 9.1 Agreement to data sharing by Data Sharing Agreement Recipients of the data do not have the right to pass on data shared by the CECM to any other organisation or partner organisation unless that has been agreed as part of the original Data Sharing Agreement. Recipients must agree not to link the anonymised data provided with any other data set without the permission of the Data Access Committee. Recipients must not attempt to identify any individual from the data provided. Any requests to further share the data are likely to be the subject to a separate Data Sharing Agreement where necessary. Documentation A written Data Sharing Agreement based on the CECM Data Sharing Agreement template will detail: 1. Specific data requirements 2. Proposed research to be undertaken using the data 3. Publication plan for the proposed research 4. Justification of the data access request 5. Summary description of data requested 6. All data custodian(s): usually the chief investigator(s) of study(ies) involved in the agreement 7. Data owner(s): i.e. study sponsor (Joint Research Management Office (JMRO) for Queen Mary University of London (QMUL)) 8. Data recipient: this will be (a) named individual(s)/organisation(s) who will have access to the data 9. Details about the controlled access approach for sharing anonymised / pseudonymised individual patient data / study data aiming to protect patients’ privacy and confidentiality 10. Details on data destruction or data archiving by the recipient 11. Secure data transfer method 12. Time period for which the approval has been granted 13. Where relevant, obligation on data recipients to commit to and apply security and confidentiality measures to the shared data according to NHS Digital (previously the Health & Social Care Information Centre) Data Sharing Framework, which can be referred to for more guidance. 14. Any constraints/requirements specified by data custodian/data controller Where few data fields are to be shared these can be listed within the Data Sharing Agreement but in most cases a summary of the fields should be included in the Data Sharing Agreement with a full list of fields described in an accompanying technical document. 9.2 . Agreement to data sharing by Data Access Request Where third parties will access data on the CECM Servers a written Data Access Request based on the CECM Data Access Request template will detail items 1-6, 8, 12–14 above. 9.3 Review and Approval of agreement on behalf of the CECM and individual researchers The Data Sharing Agreement or Data Access Request will be reviewed and approved on behalf of the CECM by the chair of the Data Access Committee. 9.4 Review and Signing of agreement by legal entities (Data Sharing Agreement only) The Data Sharing Agreement will be reviewed and signed by the Data Custodian, Data Owner (usually the sponsor), Data recipient. For studies that are not sponsored by Queen Mary University of London (QMUL), QMUL will also approve the document. After sign off, data will be made available by the CECM via a secure transfer method as agreed. 10. Data preparation The CECM will prepare the dataset(s), either anonymised or pseudonymised, prior to sharing, in line with the signed Data Sharing Agreement or Data Access Request and using recommendations to minimise the risk of patient re-identification. In order to do this, the CECM will follow its own anonymisation and pseudonymisation procedures, which should be in line with guidelines on effective anonymisation of data.