Revision Date: 2023.12.13
I. Description
The purpose of this Reliable Method (RM) is to provide process steps Sage employees should take in reporting a suspected data incident within one of our Synapse communities and/or among users.
For identification, immediate triage steps, and containment, Sage employees should follow the process outlined in the Confluence Incidents page. All suspected incidents should be reported to the appropriate Security Incident Response Team member.
Privacy Incidents are distinct from security incidents. An actual Security Incident is a fault in the confidentiality, availability and integrity of an information system. A Privacy Incident is when protected information is used or disclosed without authorization. Not all Security Incidents result in privacy incidents, and some Privacy Incidents can occur even when technical security controls function properly. This RM provides action steps that should be taken after a Privacy Incident has been identified.
II. Scope
This RM is applicable to all Sage Employees.
III. Definitions & Acronyms
Access & Compliance Team (ACT): A subgroup of the Sage Governance Team that escalates data incidents and other violations of the Synapse Terms and Conditions of Use.
Access Requirement (AR): A data use restriction set up by ACT that defines conditions for access to a Synapse entity.
Click-wrap: A type of Synapse AR that can be satisfied by a user by selecting "I accept the terms of use".
Data Protection Impact Assessment: A tool used to guide Sage’s evaluation of potential incidents and analysis of potential impact to users of platform tools in the event of inadvertent disclosure of personal information.
Incident: Suspected event that impacts the computer or data environment within Sage Bionetworks.
Managed AR: A type of Synapse AR that requires data access to be granted via a Data Access Committee (DAC). The Sage ACT typically serves as the DAC for Managed ARs in Synapse.
Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
Privacy Incident: Protected information is used or disclosed without authorization.
Project Lead: An internal Sage team member who is a single point-of-contact actively managing a project.
Protected Health Information (PHI): Individually identifiable health information except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.
Sage Project Lead: Sage employee who helps to facilitate Synapse communities by interfacing with data contributors, curating data, or helping to manage data access or project spaces.
Security Incident: A fault in the confidentiality, availability, or integrity of an information system.
Security Incident Response Team (SIRT): Sage workforce members who are responsible for the organizational response to incidents, and for preparing for incidents, assessing risks, and maintaining the incident response process.
Violation: Any behavior or action that is not compliant with the Synapse Terms and Conditions of Use, Privacy Policy, or Community Standards.
IV. Authorities/Responsibilities
Sage ACT: Conduct root-cause analysis. Follow up with alerts, employee training, updating Privacy Incident Log, and resolving Jira issues.
Sage Employee: Report data Privacy Incidents to the Jira Governance (SG) queue. Follow the guidance in this Reliable Method.
Data Protection Officer (DPO): Determine privacy impact of incident. Manage the resulting notification process. Ensure regulatory compliance of data privacy, including breach risk and Data Protection Impact Assessments.
V. Incident Identification
For the following privacy incidents, the Sage employee should create a ticket in the Governance (SG) Jira queue.
Examples of a Privacy Incident include:
Breach of Protected Health Information (PHI), e.g., research participant’s name, date of birth, social security number or other identification number
Breach of Personally Identifiable Information (PII), e.g., Synapse user’s name, identification number, email address
Improper use and/or release of biomedical research data by internal or external researchers, such as:
Failure to adhere to Conditions for Use for a given dataset
Failure to comply with Synapse governance policies and procedures
Failure to follow ethical principles for use of biomedical research data (e.g. Common Rule or Declaration of Helsinki)
For the following violations, the Sage employee should create a ticket in the Governance (SG) Jira queue. A Synapse user may also report a violation by clicking “Report Violation” in Synapse and filing a report, or by writing to the Data Protection Officer by email.
Examples of a Synapse Violation include:
Violating the Synapse Code of Conduct
Violating the Synapse Terms and Conditions of Use
Violating the Privacy Policy
Examples of Remediation of a Synapse Violation:
Revocation of User’s access to the Data Contributor’s project.
Data Contributor determines the User's ability to reapply for data access.
Revocation of Certification Quiz and re-training on use of the Synapse platform.
VI. Procedures
Sage Employee will complete the following steps in any instance where they suspect or are certain that a privacy incident or violation occurred:
Promptly report the suspected incident to your supervisor to evaluate if an incident has occurred.
If an incident has occurred, identify the incident type (i.e., privacy or security) and refer to the Roles and Responsibilities table in the IT Confluence Incidents SOP to report the incident to the appropriate Security Incident Response Team (SIRT) member for follow-up.
Confirm with your supervisor immediate action steps for risk mitigation.
Sage Employee will file a Jira ticket as soon as possible under the Governance Project (SG) using the “Report Synapse Violation” Jira component.
Within the Jira ticket, tag the Data Protection Officer (Christine Suver), Research Regulatory & Compliance Team Lead (Vanessa Barone), Principal Security and Compliance Manager (Brad Egloff), Governance Analyst (Kim Corrigan) and the Project Lead with as much information as you have, including but not limited to:
What data is included in the breach
synIDs, if the breach involves data on Synapse
Whether the breach contains sensitive data (PHI/PII)
The nature of the breach (e.g., data distributed through an improperly controlled Synapse project, or a compromised Synapse account)
How and when the breach was discovered, and by whom
What steps have been taken so far, if any
Comment on the Jira ticket with updates as you gain more information.
Sage ACT will:
Determine what steps need to be taken and by whom to secure the data AS SOON AS POSSIBLE (timeline should be defined in project-specific regulatory documents, but is typically 24-72 hours after initial knowledge of privacy incident). Reference the Incident Categories in Section VII to assist with next steps for risk mitigation. Examples of privacy risk mitigation may include:
Revoking user access to data
Locking down the data, i.e., making the files or entities private
Notification of incident to user and/or data contributor, and advising on action steps.
Request to IT that data be made private
Review the data incident/suspected data breach to determine the sensitivity of the data (such as whether it included any PHI or PII), the extent of the incident/breach, and what immediate steps should be taken to limit any further breach of data. Incidents involving PHI/PII must be reported to the Data Protection Officer.
Determine who should be alerted to the incident and what additional steps are needed. See the Platforms User Data Protection Impact Assessment (Platforms DPIA) for breaches related to a Sage platform and/or tool. Any additional project-specific regulatory documents, such as the privacy policy, data sharing agreement, or project-specific DPIA, should also be reviewed.
If the data incident is related to a Synapse Project or is the result of an action taken by a Sage Employee, Sage ACT will ensure that Sage Employees complete the following steps.
If the incident is related to a Synapse project:
Sage ACT will revoke employee certification status
Sage Employee will re-take the certification quiz
If the incident is the result of an action taken by a Sage Employee:
Sage Employee will complete the NIH Information Security and Management Training module
Sage Employee will download their training completion certificate and email it to Sage ACT
Sage ACT will attach it to the Jira issue and update the /wiki/spaces/I/pages/819953732
If the incident is related to an Independent User project:
Sage ACT determines the type of violation that has occurred.
Determines if there has been a violation of the Data Contributor’s project Conditions for Use.
If Sage ACT has access to the project, revoke User access to project.
If Sage ACT does not have access to project, message Data Contributor to add ACT as Administrator to project, then revoke User access.
Sage ACT creates a ticket in ACT SD and messages the Data Contributor with details of violation and actions taken. Sage ACT will communicate with the data contributor to understand their expectations with regard to restoring user access to the data. (If a Synapse Terms and Conditions of Use violation has occurred, Sage ACT will coordinate action steps with data contributor, e.g., User has to retake Certification Quiz before the user can reapply for data access)
Sage ACT creates a ticket in ACT SD to message the User regarding violation, actions taken, investigation process, and next steps. Link ticket to original ticket to Data Contributor.
Sage ACT creates a ticket in the Governance SG queue and links to the original ACT SD ticket to Data Contributor. The SG ticket must be created to allow the Data Protection Officer to validate resolution of the issue.
Sage ACT resolves all Jira issues, updates the Security Incident Log, and sets the validator of the Governance SG issue to Christine Suver, Data Protection Officer.
Conduct a root-cause analysis to determine why the breach occurred and to prevent future risk of breach.
Designated Sage ACT member will file the breach within the Security Incident Log.
Instructions for creating an entry in the Security Incident Log.
Open link to the Security Incident Log and navigate to the menu on the left side of page
Click on the “+” sign to the right of Security Incident log
Add a child page to the entry
On right side of page, ensure that “Incidents” is selected in the drop-down menu
In child page, add the title and context for the incident
Click “Publish”
Instructions for editing an entry in the Security Incident log
Open link to the Security Incident Log. On the main Confluence page, locate and click on the link to the incident in progress
In the menu on the upper right side of page, click the edit button
Update incident and click “Publish”
To save changes without publishing, click “Close”
VII. Incident Categories
Click-wrap or ACT-managed Access Requirement was inadvertently removed from an entity
ACT should reinstate the removed ACT-managed Access Requirement or click-wrap immediately
Review the breached data type
Determine whether the entity contains sensitive data by contacting the Sage Community Manager if applicable. Breaches of sensitive data are more serious in nature and should be prioritized.
For Challenge data, ACT should review the Challenge Data Transfer Agreement (called Memorandum of Understanding (MOU) for older Challenges) to verify whether Challenge data is intended to be released after the Challenge concludes and whether secondary use of data is authorized.
If the data was not intended to be released, loop in the data contributor and ensure that all downloaders have deleted local copies of the data. See instructions in 1.d.
ACT should review the removed click-wrap or ACT-managed Access Requirement.
A click-wrap only indicating acknowledgement/citation likely does not require you to loop in the data contributor
A click-wrap or ACT-managed AR indicating restrictions for data use may require you to reach out to the data contributor about the breach. Review the data contract if applicable for more information.
ACT should submit a Jira issue to IT requesting from the Synapse Administrator a list of users who downloaded the entity between the time the AR was removed and the time it was reinstated, and contact each of them by email.
Request that all local copies of the entity be deleted
Suggest re-requesting access now that the restriction has been reinstated
ACT will document email responses in the Jira issue
A restricted file was duplicated and uploaded publicly with no restrictions
ACT should follow the steps from category 1, but must contact both the duplicate creators and the duplicate downloaders.
Explain the issue and request that duplicate creators make any copies private
ACT will contact downloaders and request deletion of local copies of data and instruct users to re-request access via the source entity
A blank AR can be placed on the duplicates to prevent download. Example: “Dataset duplicates cannot be publicly downloaded. Please go to the source entity ( synxxxxxxx ) and agree to terms of use for download access. ACT is unable to accept any access requests to entity duplicates.”
VIII. Use Cases
Violation of Project Conditions for Use and Synapse Terms and Conditions of Use
Project Type: Independent User
Scenario: A Registered, Certified and Validated Synapse user was approved for data access to an Independent User project. The Synapse User downloaded a file from the project. The User was seeking assistance with a data download issue and requested help troubleshooting the issue by submitting a request to act@sagebase.org and attaching the downloaded file.
Issue: The attachment of the file violated the Project Conditions for Use and the Synapse Terms and Conditions of Use. The User had agreed to the following: “You commit to keeping these data confidential and secure and will not redistribute data or Synapse account credentials.”
Identification:
Sage ACT identified that the file attachment contained sensitive data and was a violation of both the Project Conditions for Use and the Synapse Terms and Conditions of Use
Immediate triage and containment:
Sage ACT revoked User’s access to Project data
Sage ACT submitted a Jira ticket to IT requesting that the User’s Synapse Certification Quiz be revoked in response to the Synapse violation
Sage ACT communicated with User and Data Contributor regarding violations, immediate action steps taken, and remediation next steps
Sage ACT communicated with the Data Contributor regarding restoration of user’s access to the data. The Data Contributor determined that they would allow the user to re-apply for data access
Sage ACT communicated to the Data Contributor and User that the user had also violated the Synapse Terms and Conditions of Use and would be required to retake the Certification Quiz as part of the re-training and violation response process prior to reapplying for data access to the Independent User project.
Recovery and Follow-up:
User completed Certification Quiz and re-applied for data access
Data Contributor reviewed and approved data access request
Jira issues were resolved by Sage ACT and Security Incident Log was updated. The Jira issue was validated by the Data Protection Officer.
IX. Associated Documents and Resources
X. Revision History
Revision # | Date | Description
V1 | 2023.12.15 | New version as RM.