Login using IAM
1.Definitions
The following terms and phrases – wherever used in these regulations – shall have the meanings as defined below:
KACST: King Abdulaziz City for Science and Technology.
National Committee: National Committee of Bioethics.
The Central Bank: The genomic data bank that established in KACST in accordance with the law.
Law: The law of Ethics of Research on Living Creatures.
Local banks: Any bank established in entity for storing genomic materials and data.
Data Management Office: The Data Management Office at KACST.
Data: Any data collected from the result of research or diagnostic studies that done on a natural person's genomic materials, including:
• Health data and medical history of the disease (onset and diagnostic symptoms of the affected organ or system).
• Genotype and phenotype.
• Genotyping and whole genome sequencing.
• Biomarkers.
• Questionnaires.
• Medical device data.
• Results of any research or diagnostic studies previously performed using those data.
Health Data: Any Personal Data related to an individual's health condition, whether their physical, mental or psychological conditions, or related to Health Services received by that individual.
Advisory Committee: A committee established in the Central Bank in accordance with these regulations.
Data Subjects: A natural person who their data being collected for research or treatment purpose, after their consent, and stored in the Central Bank.
Data Access Agreement: An agreement between the Central Bank and the data access requester.
Research Data Sharing Agreement: An agreement concluded between the Central Bank and data access requester if accessing the data is for research purposes.
Data Breach: Any unauthorized access to data or threat that place the data at risk of unauthorized access, loss, or damage.
3. Applicability
These regulations apply to:
The Central Bank director and staff
a. Physicians
b. Researchers
c. Data Subjects
d. Local banks
e. The findings of diagnosis or research on genomic samples
4.General Principles
4.1 The data stored in the Central Bank is the property of the Kingdom of Saudi Arabia and should not be granted to any party inside or outside the Kingdom except in accordance with what the law stipulates, while adhering to the national laws and policies related to transferring data outside the geographical borders of the Kingdom.
4.2 The Central Bank shall ensure that the research project complies with the law prior to authorizing data sharing with the researcher.
4.3 The Central Bank is responsible for storing and sharing data in compliance with the law, personal data protection laws and regulations, and all relevant data storage and protection laws and regulations in the Kingdom.
4.4 The researchers within the Kingdom shall have equal access rights to data stored at the Central Bank, and the bank reserves the right to deny any request that violates the provisions of these regulations and laws in the Kingdom.
4.5 Physicians shall have the right to access data stored at the Central Bank for therapeutic purposes.
4.6 In all circumstances, the data derived from research on genomic materials shall be stored in a format that prevent identifying the data source.
4.7 In cases where it required storing data that could be linked to their source, the data subject must be informed and disclosing the following:
- The purpose of data collection.
- Methods and procedures for data transferring, storage, and protection.
- The data storage period.
- Disposal procedures and methods
- Procedures to address data breaches
- A list of authorized personnel with access to the data.
4.8 Data subjects have the right to access, review, request to correct, or update their data stored at the Central Bank, provided it is possible to be re-identified.
4.9 Requests for data access are limited to research and treatment purposes, as well as instances where laws mandate access for security, judicial enforcement, or public health considerations.
5. The Central Bank
5.1 The Central Bank is affiliated administratively with the Data Management Office at KACST.
5.2 The President of KACST appoints the Central Bank director based on the nomination of the Data Management Office director, considering that the nominee should be specialized in the field of genetics.
a. Oversee the Central Bank and report its administrative and technical needs in accordance with the established procedures at KACST.
b. Designate authorized employees to request, receive, and store data from the Central Bank's employees in accordance with these regulations.
c. Approve requests for storing genomics data in the Central Bank.
d. Present all requests for data sharing to the advisory committee.
e. Ensure the Central Bank's stored data remains up-to-date and accessible in accordance with these regulations.
f. Notify the Data Management Office and the National Committee of Bioethics of any concerns or violations of these regulations, research results sharing agreements, or data sharing agreements. In addition, any threats that could lead to damage or unauthorized access to the data stored in the Central Bank.
g. Monitor the adherence of the Central Bank staff to the regulations, guidelines, and policies governing management and protection of data stored the Central Bank.
h. Submit an annual report to the Data Management Office and the National Committee that include the status of stored data in the Central Bank and any obstacles or difficulties facing the Central Bank and recommendations to address them. The Data Management Office and the National Committee may also request that the report include any additional information.
5.4 An advisory committee shall be formed at the Central Bank by a decision of KACST President and chaired by the director of Data Management Office. The committee shall be compose of, in addition to the chair, at least three members with expertise in the fields of genetics, data science, and cybersecurity.
5.4.1 The advisory committee is responsible of the following:
a. Approval of requests to access data classified as secret or top secret.
b. Review the procedure of documentation and storing data in the central bank.
c. Review the requests for linking local banks to the Central Bank, and submit their recommendation to the national committee.
c. Study the complaints and violations of the regulations and data access and sharing agreements, and submit them to the data management office to take the necessary action.
5.4.2 The advisory committee shall meet whenever the need arises. The meeting shall not be valid unless attended by the majority of its members, including the committee chair.
5.4.3 The decisions of the advisory committee issue with the approval of the majority of its attending members. In the event of equal votes of for and against, the committee chair vote side shall prevail.
5.4.4 The advisory committee may, if the need arises, invite experts and consultants to attend its meetings without the right to vote.
5.4.5 If a member of the advisory committee finds that he/she or a member has a direct or indirect interest in any topic presented at the meeting, he/she shall disclose this at the beginning of the meeting, and the committee chair should request the member/s to leave the meeting when the topic is discussed.
5.4.6 The formation letter of the advisory committee determines the procedure for remunerating the members and collaborators.
6.Data sharing:
6.1 According to the law, a central data bank shall be established in KACST for storing data related to genetic material and organize its use.
6.2 The central bank is responsible of data sharing in accordance with these regulations and the approved policy of data sharing in KACST.
6.3 The central bank may, after the approval of the data management office director, provide access to the stored data in accordance with requirements of the law and regulations or judicial decisions or public and health security.
6.4 When providing access to data, the central bank must take into account the use of electronic media approved by the National Cybersecurity Authority.
6.5 The data sharing levels determined by the data classification, as the following:
6.5.1 Top Secret The approval of request to access to these data require the following:
a. The approval of KACST president and the project owner entity.
b. Approval of the advisory committee on the request for access.
c. Formulate the data access request agreement.
d. The authorized staff for accessing the data shall obtain the data access-training certificate.
e. Access to this level is limited to government agencies and shared with the entity directly.
6.5.2 Secret: The approval of the request to access these data requires the following:
a. Approval of the advisory committee on the request for access.
b. Approval of the data source.
d. Obtain the data access-training certificate.
e. Access to this level is limited to medical and therapeutic purposes, and is shared with the treating physician directly.
6.5.3 Restricted: The approval of the request to access these data requires the following:
a. Approval of the advisory committee on the request for access
b. Formulate the data access request agreement.
c. Obtain the data access-training certificate.
6.5.4 Public: The access to these data require that the applicant obtain the data access and use training certificate.
6.6 The central bank, in coordination with the data management office, shall establish a data access request agreement that includes the following:
a. Name of the applicant
b. The purpose of data request.
c. Determine the data type.
d. Attestation to use the data only for what it shared for, and sharing the research or therapeutic results with the central bank if the purpose for the request was for research or therapeutic reasons.
e. Attestation to immediately disclose to the central bank of any data obtained by the applicant that may lead to the identification of the data source - in the event that the request for access to data is classified as restricted or public.
f. Specify the duration for data sharing.
g. If the purpose of the request for access to data requires sharing it with other parties, all those who have the right to view and access the data must be identified.
h. Attestation by all those who have the right to access data to maintain the confidentiality of the data and use it within the limits of the purposes for which it was shared.
i. Specify the means by which data will be saved and shared.
j. Procedures for dealing with intellectual property rights.
6.8 Access to data may be available to some persons on an ongoing and unrestricted access in cases determined by the central bank director, along with the advisory committee and the data management office approval.
6.9 The researcher may request the central bank to temporarily withhold access to the data related to the results of his/her research for a specified period.
6.10 The central bank should use the administrative controls and technical measures approved in KACST to ensure data protection.
6.11 In the event of conducting research using genetic material data, the researcher must indicate that the source of the data is the central bank in all scientific papers and reports published by the researcher.
6.12 The central bank shall, in collaboration with the data management office, establish a data breach response policy. This policy shall delineate the protocols to be followed by authorized personnel to access data in the event of a suspected or confirmed data breach. Additionally, the policy shall establish the mechanisms and timeframes for reporting, responding to, containing, and mitigating the ramifications of such an incident.
7. Authorized persons to access the data stored in the Central Bank
7.1 Researchers
7.1.1 Access to data by researchers is subject to the following:
The researcher must be scientifically qualified and have completed a research ethics course and an ethical approval for the research from a local committee registered at the national committee, as stipulated in the law.
7.1.2 Provide the central bank with the following documents:
a. The approval of the local committee to conduct the research and the research proposal, which include the objectives of the research and the expected results from it.
b. Formulate the data access request form in accordance with item (6.5) of these regulations.
c. Formulate the agreement of data sharing results.
7.1.3 If the stored data in the central bank is related to a research previously conducted by a researcher, the director of the central bank can directly approve the access to this data to the researcher after submitting the data access request form.
7.2 Central Bank personnel
7.2.1 The personnel of the central bank must be qualified and well trained in all technical and administrative aspects related to the procedures of data storing, sharing, retrieval and protection.
7.2.2 The personnel of the central bank are responsible of receiving requests for storage and storing data at the central bank.
7.2.3 Central Bank personnel shall classify and store data according to the classification state in these regulations.
7.2.4 When reviewing the researchers applications, the central bank personnel shall verify that the researchers meet the conditions stipulated in item (7.1) in these regulations.
7.3 Advisory Committee Members
7.3.1 Advisory Committee members shall maintain the confidentiality of all data they have access to or review in their capacity as committee members, including, but not limited to, the data of individuals submitting data access requests.
7.3.2 Upon reviewing any data sharing request, advisory committee member shall promptly disclose any potential conflict of interest arising from the review. Any member with a conflict of interest shall abstain from participating in any decision-making process related to the matter in which the conflict of interest exists.
7.4 Data Subject
7.4.1 The treating physician and the data subjects have the right to access the data that has been previously stored in the central bank, which relates to the patient's condition or the sample source condition.
7.4.2 Any data subject whose data is stored in the central bank and linked to their identity shall have the right to request access to such data from the central bank at any time, as well as to request correction, update, or deletion.
7.5 Local banks
7.5.1 Local banks can be granted access and view data that stored in the central bank pursuant to an agreement concluded with the central bank.
8. Data Classification
8.1 Top Secret
It is the data related to confidential research projects carried out by government agencies, and access to them can lead to serious and exceptional harm that cannot be remedied or repaired.
8.2 Secret
It is the data that access to it can lead to the identification of the data source.
8.3 Restricted
It is data that does not include any personal information, but its use in research or diagnostic purposes may lead to the possibility of linking it to its source.
8.4 Public
Public data refers to anonymized data stored in the central bank, rendering it impossible to link it to their source.
9. Data Storage
9.1 All research and diagnostic results derived from genetic material must be stored in the central bank.
9.2 With due regard to Article (14.3) of the regulations of the law, local committees must ensure that researchers store their research results on genetic material in the central bank. This requirement must be stipulated in agreements with sponsors prior to granting researchers ethical approval.
9.3 The informed consent form for research involving genetic material samples must clearly state that the data will be stored in the central bank.
9.4 Entities that established local genetic material banks shall provide the central bank with the information specified in Article (31.5) of the regulations of the law.
9.5 The Central Bank shall store data in accordance with the classification system outlined in item (8) of these regulations. Also, it must use secure and approved storage methods and media by the National Cybersecurity Authority.
9.6 The central bank, in collaboration with the data management office, shall establish a data privacy policy and make it accessible to data subjects. This policy shall specify the purpose of data collection, the nature of personal data to be collected, collection and storage methods, processing procedures, data destruction procedures, data subject rights, and the mechanisms for exercising these rights.
10. General Provisions
10.1 The central bank shall coordinate with the national committee and the data management office, as necessary, in preparing any forms or agreements for the implementation of these regulations.
10.2 The national committee shall review these regulations annually or as deemed necessary.
10.3 The central bank shall promptly notify authorized persons for accessing data, local banks, and data subjects of any amendments to these regulations or any related agreements or forms.
10.4 These regulations shall take effect from the date of approval by the national committee.
Last update: 18 September 2024
You can browse the portal by giving voice commands using the microphone
Speak Now...
Please give voice commands from the following options:
Disclaimer: Translation into other languages depends on the Google translation, Therefor the NCC is not responsible for the accuracy of the information in the new language.
