About us
Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Our Strategic Road Map defines strategies, standards, and policy frameworks to support responsible global use of genomic and related health data.
Discover how a meeting of 50 leaders in genomics and medicine led to an alliance uniting more than 5,000 individuals and organisations to benefit human health.
GA4GH Inc. is a not-for-profit organisation that supports the global GA4GH community.
The GA4GH Council, consisting of the Executive Committee, Strategic Leadership Committee, and Product Steering Committee, guides our collaborative, globe-spanning alliance.
The Funders Forum brings together organisations that offer both financial support and strategic guidance.
The EDI Advisory Group responds to issues raised in the GA4GH community, finding equitable, inclusive ways to build products that benefit diverse groups.
Distributed across a number of Host Institutions, our staff team supports the mission and operations of GA4GH.
Curious who we are? Meet the people and organisations across six continents who make up GA4GH.
More than 500 organisations connected to genomics — in healthcare, research, patient advocacy, industry, and beyond — have signed onto the mission and vision of GA4GH as Organisational Members.
These core Organisational Members are genomic data initiatives that have committed resources to guide GA4GH work and pilot our products.
This subset of Organisational Members whose networks or infrastructure align with GA4GH priorities has made a long-term commitment to engaging with our community.
Local and national organisations assign experts to spend at least 30% of their time building GA4GH products.
Anyone working in genomics and related fields is invited to participate in our inclusive community by creating and using new products.
Wondering what GA4GH does? Learn how we find and overcome challenges to expanding responsible genomic data use for the benefit of human health.
Study Groups define needs. Participants survey the landscape of the genomics and health community and determine whether GA4GH can help.
Work Streams create products. Community members join together to develop technical standards, policy frameworks, and policy tools that overcome hurdles to international genomic data use.
GIF solves problems. Organisations in the forum pilot GA4GH products in real-world situations. Along the way, they troubleshoot products, suggest updates, and flag additional needs.
NIF finds challenges and opportunities in genomics at a global scale. National programmes meet to share best practices, avoid incompatabilities, and help translate genomics into benefits for human health.
Communities of Interest find challenges and opportunities in areas such as rare disease, cancer, and infectious disease. Participants pinpoint real-world problems that would benefit from broad data use.
The Technical Alignment Subcommittee (TASC) supports harmonisation, interoperability, and technical alignment across GA4GH products.
Find out what’s happening with up to the minute meeting schedules for the GA4GH community.
See all our products — always free and open-source. Do you work on cloud genomics, data discovery, user access, data security or regulatory policy and ethics? Need to represent genomic, phenotypic, or clinical data? We’ve got a solution for you.
All GA4GH standards, frameworks, and tools follow the Product Development and Approval Process before being officially adopted.
Learn how other organisations have implemented GA4GH products to solve real-world problems.
Help us transform the future of genomic data use! See how GA4GH can benefit you — whether you’re using our products, writing our standards, subscribing to a newsletter, or more.
Help create new global standards and frameworks for responsible genomic data use.
Align your organisation with the GA4GH mission and vision.
Want to advance both your career and responsible genomic data sharing at the same time? See our open leadership opportunities.
Join our international team and help us advance genomic data use for the benefit of human health.
Share your thoughts on all GA4GH products currently open for public comment.
Solve real problems by aligning your organisation with the world’s genomics standards. We offer software dvelopers both customisable and out-of-the-box solutions to help you get started.
Learn more about upcoming GA4GH events. See reports and recordings from our past events.
Speak directly to the global genomics and health community while supporting GA4GH strategy.
Be the first to hear about the latest GA4GH products, upcoming meetings, new initiatives, and more.
Questions? We would love to hear from you.
Read news, stories, and insights from the forefront of genomic and clinical data use.
Attend an upcoming GA4GH event, or view meeting reports from past events.
See new projects, updates, and calls for support from the Work Streams.
Read academic papers coauthored by GA4GH contributors.
Listen to our podcast OmicsXchange, featuring discussions from leaders in the world of genomics, health, and data sharing.
Check out our videos, then subscribe to our YouTube channel for more content.
View the latest GA4GH updates, Genomics and Health News, Implementation Notes, GDPR Briefs, and more.
Discover all things GA4GH: explore our news, events, videos, podcasts, announcements, publications, and newsletters.
4 May 2020
The individual or entity that determines the purposes and means of processing personal data are ‘Controllers’ under the GDPR. However, in the author’s personal experience, a claim is sometimes made, in relation to Universities and Research Institutions (herein “University”), that there is only one Data Controller, and that is the [President, University Board, etc.]. This is an understandable position insofar as it applies to, for example, the maintenance of student records. Where scientific research is at issue, however, the principal investigator (PI) often “determines the purposes and means of such processing”, and thus would seem to be a Data Controller.
The individual or entity that determines the purposes and means of processing personal data are ‘Controllers’ under the GDPR. However, in the author’s personal experience, a claim is sometimes made, in relation to Universities and Research Institutions (herein “University”), that there is only one Data Controller, and that is the [President, University Board, etc.]. This is an understandable position insofar as it applies to, for example, the maintenance of student records. Where scientific research is at issue, however, the principal investigator (PI) often “determines the purposes and means of such processing”, and thus would seem to be a Data Controller.
This argument is founded on the premise that a Data Subject would sue the University and not the PI if there is a data protection violation. This line is strengthened by appeals to the relationship between the PI and the University: the University, as research sponsor, might sign the contract for the work with external funders , or require certain data security measures. Does this determine that the University is, alone, the Data Controller?
It must be noted first, that there is a great range across Universities and jurisdictions as to how far PIs are independent. For example, it is not always the case that a University signs a contract with a funder, sometimes it is the PI. It is not helped that there is often a tension in law as to where liability ends between what the employee does for the employer and what she does in her own right. Universities are vicariously liable for employees, but PIs are employed for their ability to independently devise and run novel research; devising the purpose and means of the processing of personal data is often left to PIs’ academic skill and integrity. Further, academic freedom requires this independence: it is a matter of public interest that PIs have freedom and control in determining the purpose and means of processing personal data in their research, beyond mere professional integrity. It is not satisfactory to say that in all cases the University is necessarily the Data Controller.
This position is justified on at least three grounds. First, the GDPR does not require only one Data Controller. The GDPR’s text expressly allows for more than one Data Controller, and Article 26 operationalises this requiring shared, defined responsibility where there is more than one Controller.
Second, the determination of “who” is a Data Controller is a matter for data protection law alone. The applicable concept is contained in the GDPR and, according to the Article 29 Working Group Opinion 01/2010 at p. 3, is “related to activities reflecting the life cycle of information from its collection to its destruction, and this needed to be looked at both in detail and in its entirety”. Determining who is the Data Controller is essential because the Controller’s role is defined in relation to the Data Subject’s rights, ensuring that the Controller’s obligations protect the Data Subject’s interests.
Third, it is not a matter of organisational convenience, but of fact: when one determines the purposes of processing, and supervises that processing, then one owes duties to the Data Subject. That relationship has to be defined clearly, but the duties remain. Applying this to the specific scenario of the PI researcher in the University, it is a matter of professional duty that must be observed, and the responsibilities have to be determined between the Controllers.
To summarise then: the University is still one of the Joint Controllers, but by acknowledging that the PI is also the Joint Controller, the spirit of the GDPR is operationalised effectively and the rights of the Data Subject respected.
Postscript: This could strike terror into PIs, as the fines for breach of the GDPR are very large. The argument is not that the University could use this argument to escape liability; where a PI-employee is asked or required to determine the purpose and means of the processing of personal data as part of their employment, that is part of exercising the duties of that employment. However, that is a matter for employment law beyond the scope of the GDPR brief.
Further Reading
Relevant GDPR Provisions
David Townend is Professor of Law and Legal Philosophy in Health, Medicine and Life Sciences at Maastricht University.
Acknowledgment: I am very grateful to my colleagues. Their comments helped me to refine this piece. The errors remain mine alone.
See all previous briefs.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.