Revision Date: 2023.12.13
...
Access & Compliance Team (ACT): A subgroup of the Sage Governance Team that escalates data incidents and other violations of the Synapse Terms and Conditions of Use
Access Requirement (AR): A data use restriction set up by ACT that defines conditions for access to a Synapse entity.
Click-wrap: A type of Synapse AR that can be satisfied by a user by selecting "I accept the terms of use".
Data Protection Impact Assessment: A tool used to guide Sage’s evaluation of potential incidents and analysis of potential impact to users of platform tools in the event of inadvertent disclosure of personal information.
Incident: Suspected event that impacts the computer or data environment within Sage Bionetworks.
Managed AR: A type of Synapse AR that requires data access to be granted via a Data Access Committee (DAC). The Sage ACT typically serves as the DAC for Managed ARs in Synapse.
Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
Privacy Incident: Protected information is used or disclosed without authorization.
Project Lead: An internal Sage team member who is a single point-of-contact actively managing a project.
Protected Health Information (PHI): Individually identifiable health information except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.
Sage Project Lead: Sage employee who helps to facilitate Synapse communities by interfacing with data contributors, curating data, or helping to manage data access or project spaces.
Security Incident: A fault in the confidentiality, availability, or integrity of an information system.
Security Incident Response Team (SIRT): Sage workforce members who are responsible for organizational response to incidents, and to prepare for incidents, assess risks, and maintain the incident response process.
Violation: Any behavior or action that is not compliant with theSynapse Terms and Conditions of Use,Privacy Policy, or Community Standards.
| Anchor | ||||
|---|---|---|---|---|
|
...
For the following privacy incidents, the Sage employee should create a ticket in the Governance (SG) Jira queue
Examples of a Privacy Incident include:
Breach of Protected Health Information (PHI), e.g., research participant’s name, date of birth, social security number or other identification number
Breach of Personally Identifiable Information (PII), e.g., Synapse user’s name, identification number, email address
Improper use and/or release of biomedical research data by internal or external researchers such as
Failure to adhere to Conditions for Use for a given dataset
Failure to comply with Synapse governance policies and procedures
Failure to follow ethical principles for use of biomedical research data (e.g. Common Rule or Declaration of Helsinki)
For the following violations, the Sage employee should create a ticket in the Governance (SG) Jira queue. The Synapse user may create a ticket by clicking the “Report Violation” in Synapse and filing a report or by writing to the Data Protection Officer by email
Examples of a Synapse Violation include:
Violating the Synapse Code of Conduct
Violating the Synapse Terms and Conditions of Use
Violating the Privacy Policy
Examples of Remediation of a Synapse Violation:
Revocation of User’s access to the Data Contributor’s project.
Data Contributor determines the User's ability to reapply for data access).
Revocation of Certification Quiz and re-training of use of Synapse platform.
...
Sage Employee will complete the following steps in any instance where they suspect or are certain that a privacy incident or violation occurred:
Promptly report the suspected incident to your supervisor to evaluate if an incident has occurred.
If an incident has occurred, identify the incident type (i.e., privacy or security) and refer to the Roles and Responsibilities table in the IT Confluence Incidents SOP to report the incident to appropriate Security Incident Response Team (SIRT) member for follow-up.
Confirm with your supervisor immediate action steps for risk mitigation.
Sage Employee will file a Jira ticket as soon as possible under theGovernance Project (SG) using the “Report Synapse Violation” Jira component.
Within the Jira ticket, tag the Data Protection Officer (Christine Suver), Research Regulatory & Compliance Team Lead (Vanessa Barone), Principal Security and Compliance Manager (Brad Egloff), Governance Analyst (Kim Corrigan) and the Project Lead with as much information as you have, including but not limited to:
What data is included in the breach,
synIDs if the breach involves data on Synapse
Whether the breach contains sensitive data (PHI/PII)
The nature of the breach (e.g., data distributed through an improperly controlled Synapse project or a compromised Synapse account),
How and when the breach was discovered and by whom,
What steps have been taken so far, if any
Comment with updates in the Jira as you gain more information
Sage ACT will:
Determine what steps need to be taken and by whom to secure the data AS SOON AS POSSIBLE (timeline should be defined in project-specific regulatory documents, but is typically 24-72 hours after initial knowledge of privacy incident). Reference the Incident Categories in Section VII to assist with next steps for risk mitigation. Examples of privacy risk mitigation may include:
Revoking user access to data
Locking down the data, i.e., making the files or entities private
Notification of incident to user and/or data contributor, and advising on action steps.
Request to IT that data be made private
Review the data incident/suspected data breach to determine the sensitivity of the data, such as whether it included any PHI or PII, the extent of the incident/breach, and what immediate steps should be taken to limit any further incident breach of data. Incidents involving PHI/PII must be reported to the Data Protection Officer.
Determine who should be alerted to the incident and what additional steps are needed. See Platforms User Data Protection Impact Assessment (Platforms DPIA) for breaches related to a Sage platform and/or tool. Any additional project-specific regulatory documents such as the privacy policy, data sharing agreement, or project-specific DPIA should also be reviewed
If the data incident is related to a Synapse Project or is the result of an action taken by a Sage Employee, Sage ACT will ensure that Sage Employees complete the following steps.
If the incident is related to a Synapse project:
Sage ACT will revoke employee certification status
Sage Employee will re-take the certification quiz
If the incident is the result of an action taken by a Sage Employee:
Sage Employee will complete the NIH Information Security and Management Training module
Sage Employee will download their training completion certificate and email it to Sage ACT
Sage ACT will attach it to the Jira issue and update the /wiki/spaces/I/pages/819953732
If the incident is related to an Independent User project:
Sage ACT determines the type of violation that has occurred.
Determines if there has been a violation of the Data Contributor’s project Conditions for Use.
If Sage ACT has access to the project, revoke User access to project.
If Sage ACT does not have access to project, message Data Contributor to add ACT as Administrator to project, then revoke User access.
Sage ACT creates a ticket in ACT SD and messages the Data Contributor with details of violation and actions taken. Sage ACT will communicate with the data contributor to understand their expectations with regard to restoring user access to the data. (If a Synapse Terms and Conditions of Use violation has occurred, Sage ACT will coordinate action steps with data contributor, e.g., User has to retake Certification Quiz before the user can reapply for data access)
Sage ACT creates a ticket in ACT SD to message the User regarding violation, actions taken, investigation process, and next steps. Link ticket to original ticket to Data Contributor.
Sage ACT creates a ticket in the Governance SG queue and links to the original ACT SD ticket to Data Contributor. The SG ticket must be created to allow the Data Protection Officer to validate resolution of the issue.
Sage ACT resolves all Jira issues and update the Security Incident Log and set the validator of the Governance SG issue to the Christine Suver, Data Protection Officer
Conduct a root-cause analysis to determine why the breach occurred and to prevent future risk of breach.
Designated Sage ACTmember will file the breach within theSecurity Incident Log.
Instructions for creating an entry in the Security Incident Log.
Open link to the Security Incident Log and navigate to the menu on the left side of page
Click on the “+” sign to the right of Security Incident log
Add child page to entry
On right side of page, ensure that “Incidents” is selected in the drop-down menu
In child page, add the title and context for the incident
Click “Publish”
Instructions for editing an entry in the Security Incident log
Open link to the Security Incident Log. On the main Confluence page, locate and click on the link to the incident in progress
In the menu on the upper right side of page, click the edit button
Update incident and click “Publish”
To save changes without publishing, click “Close”
...
| Anchor | ||||
|---|---|---|---|---|
|
Revision#, Date | Description |
V1, 2023.12.1513 | New version as RM. |