Getting Started

Below you will find relevant information about research with sensitive data and how BioMedIT can support you.

You are a Swiss institution (e.g. hospital, organisation, etc.) that would like to outsource data storage and data processing to the BioMedIT infrastructure

By linking to the BioMedIT Network, hospitals benefit from a trusted research IT environment to which they can “outsource” research data management and data analysis, without the need to develop their own costly and time-consuming in-house infrastructures and know-how.

By providing an SPHN-compliant secure framework for each project (i.e. tenants, with tenant-specific security configuration), while remaining highly flexible as regards IT configuration within the tenants, BioMedIT nodes can offer an environment suitable for research that complements the offering of hospital IT services.

The three BioMedIT nodes have already established pilot collaborations with university hospitals in their respective geographic areas (Basel, Lausanne, Zurich). These collaborations typically cover:

  • initial review and approval of security concepts for the tenants by hospital IT,
  • support for secure data transfers,
  • deployment of data management systems and data analysis software,
  • configuration of data access control (i.e. configuration of tenant access for IT staff, data managers and data analysts, according to applicable policies).

Thanks to container technologies and related deployment management tools, configuration effort invested in one node is immediately transferable to other nodes.

How BioMedIT can help you navigate the tight regulations for using health-related personal and sensitive data in Switzerland

The conduct of a research project on human beings, including health-related personal data, must be authorized by an ethics committee. The responsible ethics committee is that of the canton in which the research will be conducted. If a research project is carried out according to a standard protocol, but in multiple cantons (multicenter research project), authorization is required from the ethics committee which is responsible at the site of activity of the main project leader. The list of ethics committees in Switzerland is available on the Swissethics website.  

Under Swiss law, personal data are defined as all information relating to an identified or identifiable person (e.g. art. 3 lit. a Federal Act on Data Protection). The processing of personal data is subject to framework regulations that derive from the Federal Act on Data Protection (for private individuals and federal entities) or from cantonal legislation (for cantonal public entities). In view of the risks involved to the individual (the data subject), in terms of their privacy and identity, personal data relating to health are categorized by these different laws as "sensitive data" and are subject to higher levels of protection. "Sensitive data" in Swiss law is an abstract concept and does not take into account the potential for harm during individual transmissions and processing of the data.

The Human Research Act establishes special rules which set out the conditions under which personal health data may be processed or reused for research purposes. It distinguishes between non-genetic and genetic data, both of which can be used as identifiable data, coded/pseudonymized data, or anonymized data. Explanations of the terms can be found in the SPHN Glossary.

The Human Research Act allows in particular for the use of a general consent, whereby a patient may consent to certain types of data (coded/pseudonymized or anonymized genetic data, non-genetic data) being reused "for research purposes". The processing of such data relying on the general consent is therefore not limited to a specific research project. Under certain restrictive conditions, the competent ethics committee may also authorize, in exceptional cases, the further use of data in derogation of the rules laid down by the HRA, in particular if the collection of consent is impossible or poses disproportionate difficulties (art. 34 HRA). While the processing of anonymous data is mostly excluded from the scope of the HRA, coded/pseudonymized data are considered personal data in the context of research on human beings. More information about the de-identification process for research can be found on the SPHN website.

If the research project involves shared use of data between several institutions, these institutions must adopt an appropriate contractual framework. Such an agreement serves several purposes; it not only limits the use of the data by the data recipient to the agreed objective, but also allows the data provider to meet its own obligations. By concluding a data transfer and use agreement, the data provider ensures, for example, that the rights of the data subjects will continue to be observed (right of access, right of rectification, incidental findings, etc.). Meanwhile the data provider also ensures that it continues to meet its own legal obligations in terms of data protection (reporting a data breach, minimizing data or deleting it when necessary). To facilitate the establishment of the contractual framework, SPHN and the SIB Swiss Institute of Bioinformatics have established different agreement templates (e.g. Data Transfer and Use Agreement, Consortium Agreement, accessible on the SPHN website). 

Cutting-edge biomedical research on health-related data and transfer and use of such data require not only high security guarantees (in the interest of preserving public trust), but also significant computing power that individual research institutions do not necessarily possess. The BioMedIT Network was developed to meet these needs. When several institutions use the BioMedIT infrastructure, each entity of the BioMedIT Network involved legally acts as a data processor. Such outsourcing activity implies the establishment of a legal agreement that will regulate the respective obligations of each party. The majority of the SPHN agreement templates include a subcontracting agreement in their annexes, the Data Transfer and Processing Agreement.

Are you planning a collaborative research project with sensitive health-related data and would like to use the BioMedIT environment and its services?

BioMedIT is more than a platform for research with sensitive data: it covers the entire research journey from the transport of the data via secure, end-to-end encrypted data transfers to a secure project space, which researchers can access from the comfort of their desks via cloud technology. The data can be processed in a collaborative fashion, and the network provides all relevant technologies and services required to do data-driven research at scale.

So, while researchers can focus on their research, BioMedIT ensures compliance of the IT environment and processes with regulatory requirements, and provides services and support throughout the entire research project.

In principle, any research project (multi-site or local) dealing with sensitive data and needing to leverage a secure computing environment can use BioMedIT. Typically, the BioMedIT node hosting the project will act as a service provider. If desired, projects can take advantage of the HPC facilities offered by the BioMedIT nodes.

To initiate the setup of a project, interested researchers should contact the BioMedIT central services. Researchers from the nodes' host institutions (local users) can contact their node directly.

Projects to be hosted on a BioMedIT node need to be onboarded by the BioMedIT teams. When this is done and the project is listed on the BioMedIT Portal, users who are authorised to use the BioMedIT Network can be assigned a role on the project. 

Where a new data provider is being used, the data provider must be onboarded to one of the BioMedIT nodes.

Where a project receives data from a provider that is already linked to a BioMedIT node, requests to transfer data can be made by the project data manager.

In all cases there are standard operating procedures (SOPs) and work instructions (WIs) which deal with the requirements for a project and/or a data provider to become part of the BioMedIT Network.

Contact us for more detailed information.

Once it is clear on which BioMedIT node the project will be hosted, the following project requirements must be defined:

  • Storage and compute capacity needed in the project space.
  • Project resources required, i.e., virtual desktop, special scientific software, and whether any custom training is necessary.
  • The IP addresses (or ranges) of project users to be whitelisted in the BioMedIT node's firewall.
  • The contact details of the project's Data Providers.
  • The contact details of the project’s Data Manager and Permissions Manager.

Based on the collaborating parties in the data processing and transfer, the consortium partners must choose, prepare, and sign the applicable legal agreements between the Data Providers, Data Recipients and the BioMedIT node(s).

The project members will discuss and agree the cost of the hosting, technical support, user management, and any other scientific support and will sign a Service Level Agreement (SLA) with the hosting BioMedIT node. At this time, it may also be discussed what will happen to the project data at the completion of the project, whether the project workspace is to be archived and stored for a defined length of time, and what access to this data/workspace should be maintained. Removal or maintenance of long-term user access rights might also be discussed. The associated costs to be met for providing these ongoing services should also be agreed upon between the project and the BioMedIT hosting node.

In the BioMedIT Portal, the project’s users will create accounts using their SWITCH edu-ID, and a portal administrator will create the project record including the details about the Project Leader (PL), hosting node and resources requested. If the PL opts out of accessing the portal/project workspace, the portal administrator will assign the role of Permissions Manager for the project to a user (upon the request of the PL).

A project-specific legal agreement lays the foundation for a successful collaboration within a multicenter research project and needs to be submitted with the other project-specific documents when applying for ethics approval. It defines the collaborative exchange and permitted use of health-related data, publications, intellectual property, liability and responsibilities of participating parties.

For most of the projects within the SPHN network, a Consortium Agreement with an integrated Data Transfer and Use Agreement (DTUA) and Data Transfer and Processing Agreement (DTPA) is the appropriate contractual framework. There are exceptions, however, and the SPHN DCC will be able to advise on the correct agreement for your project. More detailed information can be found on the SPHN website.