Enterprise Europe Network Luxembourg
Conférence Protection des Données
May 25, 2011, 09h00

IBBL – data protection in practice
Dominic Allen, COO, IBBL
Damien Aps, CFO, IBBL

The Integrated Biobank of Luxembourg (IBBL) is an independent, not-for-profit biobanking and biotechnology foundation

Introduction
• 2008 – Grand Duchy created IBBL to support biomedical research in Personalized Medicine and to work closely with the Lung Cancer Program and the newly created Luxembourg Centre for Systems Biology
• IBBL’s mandate requires it to support a broad range of biomedical research projects and develop research collaborations internationally
• IBBL collected its first sample and data, for a lung cancer study, in 2009, but became fully operational only in mid 2010
• In the immediate future, the IBBL needs to be collecting tissues and associated data to support research in four priority areas:
  • Cancer
  • Diabetes (T2)
  • Parkinson’s disease
  • A large population cohort
IBBL must ensure that its data protection policy and practice supports its strategy

Current Status - Specimens
• Collections
  – Lung cancer – Two hospitals Luxembourg, one Belgium, one France
  – Colon – One hospital Luxembourg
  – Brain – One hospital Luxembourg (pending)
  – Normal population – One hospital Luxembourg
  – Blood samples for cardiovascular clinical trial – 31 EU sites
  – Bladder cancer – Spanish National Cancer Research Center
• Types of Samples
  – Tumour
  – Blood/serum
  – DNA/RNA
  – Viable cells
IBBL is extending its collection program in Luxembourg and internationally

Current Status – Research & Collaboration
• GBM clonality (TGen & Niclou – CRP-Santé)
• MSRA – Develop SNPs for European strains (TGen & Even – LNS)
• Lipid accumulating bacteria (TGen & Wilmes – CRP-GL & Uni.lu)
• Whole genome sequence of never-smoker (TGen & Betsou/De Witt – IBBL)
• Gene methylation in CML (TGen & Dieterich – Kirchberg) (pending)
• Bladder cancer – biomarkers in urine (Domon – LCP)
• Pre-analytical metabolomics (Biobanque de Picardie, France)
• Tissue biospecimen research (Pathology group in Thionville, France)
• Tuberculosis biobanking, publication in preparation (WHO, Geneva)
• Methodological evaluation of a population cohort, publication submitted (The Institut de Veille sanitaire, France)
• Quality assurance in biobanking, publication submitted (NCRI)
• ISBER on development and implementation of international proficiency testing
IBBL is developing research collaborations internationally

Potential Barriers to Success
• Acquisition of significant volumes of biospecimens for research can only be efficient if consent and collection are part of the standard processes of diagnosis and treatment in regular medical care
• Electronic health records are essential, as is the continuous updating of data associated with human tissue samples stored in biobanks
Efficient collection of samples and data poses important questions relating to data protection

TTP – cornerstone of IBBL privacy protection
Issue
How to ensure the highest level of privacy and confidentiality of donor identity?
Complete anonymization is a poor solution:
• Impossible to provide important feedback to donor
• Greatly reduces the value of the samples because follow-up data not possible

IBBL Approach
• IBBL has contracted with an external partner, ebrc, to provide a service at arm's length – the Trusted Third Party (TTP)
• The functionalities were designed by CRP-HT with the future needs of eHealth in mind
• The concept uses the ORACLE Master Patient Index product
• Double de-identification of all data and highly secure IT links
• The TTP never stores donor medical data (CRF…)
• IBBL never stores donor identifying data (name, address, DoB)
• But the TTP allows continuous updates of donor data
• IBBL can share data and samples with a broad range of scientists without compromising privacy of donor data

TTP De-identification Process
[Figure: TTP de-identification process. Labels: Data Source, Samples Collection Site, Trusted Third Party, Data Management, IBBL, Data Consumer, Researcher, 1st Level De-Identification, 2nd Level De-Identification, Demographic Data, Pseudonym, Donor ID, DID, Medical Data, Message ID, BEN, TTL.]
Legend:
  DID – De-Identification ID
  BEN – Bonded Execution Number
  TANS – Transaction Number (Source)
  TANS – Transaction Number (Destination)
  TTL – Time To Live

TTP De-identification Process
• The TTP stores personal identifying data about subjects, but no samples or clinical data or genetic data
• IBBL stores samples and clinical data (as well as information generated by research such as genetic data), but no personal identifying data
• The link is the double de-identified ID of the donor

IT Security Policy in IBBL - guidelines
Security is a process, not a state
• ISO 27001 for IT systems
• ISO 17025 for laboratories
• Best practice
• HealthNet Security Policy
• Minimum rights necessary to work

IBBL Network

HealthNet
HealthNet is a telematics platform dedicated to the healthcare sector, whose purpose is to provide healthcare professionals and institutions in the sector with:
• an infrastructure allowing them to communicate securely
• specialised applications for exchanging medical test results and, in the future, telemedicine applications
• The HealthNet network is based on lines leased from telecommunications operators, and DSL or ISDN connections over secure channels (VPN)
• Currently all hospitals, some medical analysis laboratories, the research centres, the health insurance funds, the Ministry of Health, the Entente des Hôpitaux Luxembourgeois and about 200 doctors use HealthNet in their daily work

External access
• External access is limited and possible only with an RSA token
• Today, with a token it is possible to access:
  – Email
  – Bio4D (IBBL’s software platform in development)

Internal security
• Firewall
  – Zones (DMZ, Trusted, Untrusted)
  – Vlans (Servers, Office, Sensors, Wifi, Guests, Labo … )
  – Guests areas
• Active directory
  – User rights
  – Limited groups access
• Antivirus software
  – On the user computer
  – On the Exchange system
  – On the file server
• Security Policy
  – Passwords
  – Limited user rights

Next steps – short term (Q2, Q3 2011)
• Monitoring system
  – Log monitoring system based on Nagios
  – Proxy server for WWW filtering
• Intrusion Detection/Prevention System
• Internal IT procedures
• New backup system
• New IT organization in laboratories (preparing for ISO 17025 accreditation)

Next steps – medium term (Q4 2011)
• IBBL Security Policy
• IT procedures
• Vulnerability assessment system
• IT security training for IBBL staff
• Full audit and penetration test prepared by external company based on ISO 27001 (in 2012)

Thank you
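
One possible reading of the double de-identification flow on the TTP slides, as an added example (not code from IBBL, ebrc or CRP-HT). The slides do not say how the IDs are generated, so the HMAC-derived Donor ID and DID, the use of the Message ID as a one-time join key, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

def keyed_id(key: bytes, value: str) -> str:
    """Deterministic keyed pseudonym (assumed scheme): same key and input, same ID."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

class CollectionSite:
    """Knows the donor's identity and medical data, never the DID."""
    def __init__(self, key: bytes):
        self._key = key

    def submit(self, name: str, dob: str, medical: dict):
        donor_id = keyed_id(self._key, f"{name.strip().lower()}|{dob}")  # 1st level
        message_id = secrets.token_hex(8)  # fresh per transfer, links the two paths
        to_ttp = {"donor_id": donor_id, "message_id": message_id,
                  "demographics": {"name": name, "dob": dob}}
        to_ibbl = {"message_id": message_id, "medical": medical}
        return to_ttp, to_ibbl

class TrustedThirdParty:
    """Stores identifying data and derives DIDs; never receives medical data."""
    def __init__(self, key: bytes):
        self._key = key
        self.demographics = {}  # donor_id -> identifying data

    def handle(self, msg: dict) -> dict:
        self.demographics[msg["donor_id"]] = msg["demographics"]
        did = keyed_id(self._key, msg["donor_id"])  # 2nd level
        return {"message_id": msg["message_id"], "did": did}

class Biobank:
    """Stores medical data under the DID only; never receives identifying data."""
    def __init__(self):
        self.pending = {}  # message_id -> medical data waiting for its DID
        self.records = {}  # did -> list of medical records
    def receive_medical(self, msg: dict) -> None:
        self.pending[msg["message_id"]] = msg["medical"]
    def receive_did(self, msg: dict) -> str:
        medical = self.pending.pop(msg["message_id"])  # message ID is not kept
        self.records.setdefault(msg["did"], []).append(medical)
        return msg["did"]

def transfer(site, ttp, bank, name: str, dob: str, medical: dict) -> str:
    # Medical data goes site -> biobank; identity goes site -> TTP -> (DID) -> biobank.
    to_ttp, to_ibbl = site.submit(name, dob, medical)
    bank.receive_medical(to_ibbl)
    return bank.receive_did(ttp.handle(to_ttp))
```

Calling `transfer` twice for the same donor returns the same DID, so follow-up data accumulates under one biobank record while the biobank never holds the name or date of birth.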