cfDNA dataset for cfDNA cohort

DATA ACCESS AGREEMENT These terms and conditions govern access to the managed access datasets (details of which are set out in Appendix I) to which the User Institution has requested access. The User Institution agrees to be bound by these terms and conditions. Definitions Authorized Personnel: The individuals at the User Institution to whom St. Jude Children’s Research Hospital, Inc., grants access to the Data. This includes the User, the individuals listed in Appendix II, and any other individuals for whom the User Institution subsequently requests and is given access to the Data. Details of the initial Authorized Personnel are set out in Appendix II. Data: The managed-access, de-identified datasets St. Jude Children’s Research Hospital, Inc., is making available in accordance with this Data Access Agreement and to which the User Institution has requested access. Data Producers: St. Jude Children’s Research Hospital, Inc., and the individuals listed in Appendix I. External Collaborator: A collaborator of the User, working for an institution other than the User Institution. Project: The project for which the User Institution has requested access to these Data. A description of the Project is set out in Appendix II. Publications: Includes, without limitation, articles published in print journals, electronic journals, reviews, books, posters and other written and verbal presentations of research. Research Participant: An individual whose data form part of these Data. Research Purposes: Activities seeking to advance the understanding of genetics and genomics, including the treatment of disorders, and work on statistical methods that may be applied to such research, and that do not include commercialization of the Data. User: The principal investigator for the Project. User Institution(s): The Institution that has requested access to the Data. 1. The User Institution agrees to use these Data only for the purpose of the Project (described in Appendix II) and only for Research Purposes. The User Institution further agrees that it will use these Data only for Research Purposes which meet the requirements of, and are within the limitations (if any), of Appendix I, and will use these Data only as consist with all requirements of this Data Access Agreement. 2. The User Institution agrees to preserve, at all times, the confidentiality of these Data. In particular, it undertakes not to use, or attempt to use, these Data to compromise or otherwise infringe the confidentiality of information of Research Participants. Without prejudice to the generality of the foregoing, the User Institution agrees to use at least the measures set out in Appendix I to protect these Data. User Institution agrees to develop, document, use, and keep current appropriate procedural, administrative, physical, technical, and electronic safeguards to prevent any use or disclosure of Data other than as permitted or required by this Data Access Agreement. 3. The User Institution agrees to protect the confidentiality and privacy of Research Participants in any research papers or publications that it prepares by taking all reasonable care to prevent the possibility of identification. User Institution shall report immediately, but no later than five (5) business days, to St. Jude any information of which it becomes aware, concerning any use or disclosure of Data that is not permitted by this Data Access Agreement. 4. The User Institution agrees not to link or combine these Data to other information or archived data available in a way that could re-identify the Research Participants, even if access to that data has been formally granted to the User Institution or is freely available without restriction. 5. The User Institution agrees to transfer or disclose these Data, in whole or part, or any material derived from these Data, only to the Authorized Personnel. Should the User Institution wish to share these Data with an External Collaborator, the External Collaborator must complete and have St. Jude accept a separate application for access to these Data. 6. The User Institution must not (1) share the Data without St. Jude’s prior written permission, (2) use the Data to create a commercial or open source product that includes the Data in the product. 7. This agreement gives User Institution a limited, revocable license to use the Data consistent with the terms of this agreement and only for so long as User Institution complies with the terms of this agreement. Subject to Appendix III, User Institution may commercialize results or intellectual property that the Project produces so long as neither the Data or any part of the Data are part of the results or intellectual property that is sold or commercialized unless User Institution receives separate, written permission of an authorized representative of St. Jude. 8. The Data are provided “as is.” The User Institution agrees that St. Jude Children’s Research Hospital, Inc., the Data Producers, and all other parties involved in the creation, funding, or protection of these Data: a) make no warranty or representation, express or implied, as to the accuracy, quality, or comprehensiveness of these Data; b) bear no legal responsibility for the accuracy, quality, or comprehensiveness of the Data; c) exclude to the fullest extent permitted by law all liability for actions, claims, proceedings, demands, losses (including but not limited to loss of profit), costs, awards, damages (including for indirect, consequential, or incidental damages), and payments made by the User Institution or Authorized Users that may arise (whether directly or indirectly) in any way whatsoever from their access to and use of these Data or from the unavailability of, or break in access to, these Data for whatever reason; and (d) bear no responsibility for the further analysis or interpretation of these Data. 9. The User Institution agrees to follow the Publication Policy in Appendix III. User Institution will acknowledge in any work, including Publications, based in whole or part on the Data or any Publication based on or derived from the Data: (a) St. Jude Children’s Research Hospital, Inc., (b) the Data Producers, (c) the published paper from which the Data derives, and (d) the version of the Data used. Wording must be suitable to St. Jude and consistent with Appendix III. 10. The User Institution agrees not to make intellectual property claims on these Data and not to use intellectual property protection in ways that would prevent or block access to, or use of, any element of these Data, or obvious conclusion drawn directly from these Data. 11. The User Institution may elect to perform further research that would add intellectual and resource capital to these data and decide to obtain intellectual property rights on these downstream discoveries. In this case, the User Institution agrees to implement licensing policies that will not obstruct further research and to follow the U.S. National Institutes of Health Best Practices for the Licensing of Genomic Inventions (2005) (https://www.icgc.org/files/daco/NIH_BestPracticesLicensingGenomicInventions_2005_en.pdf ) in conformity with the Organisation for Economic Co-operation and Development Guidelines for the Licensing of the Genetic Inventions (2006) (http://www.oecd.org/science/biotech/36198812.pdf ). 12. User Institution understands and acknowledges that the Data are protected by copyright and other intellectual property rights, and that duplication of the Data, except as reasonably required to carry out the Project, or sale of all or any part of the Data on any media is not permitted. Nothing in this agreement shall operate to transfer to the User Institution any intellectual property rights in or relating to the Data. The User Institution has authorization to develop intellectual property based on comparisons with its own Data. 13. The User Institution agrees to destroy/discard the Data held, once it is no longer used for the Project, unless obliged to retain the data for archival purposes in conformity with audit or legal requirements. 14. The User Institution will notify St. Jude Children’s Research Hospital, Inc., within 30 days of any changes or departures of Authorized Personnel. 15. The User Institution will notify St. Jude Children’s Research Hospital, Inc., prior to any significant changes to the protocol for the Project. 16. The User Institution will notify St. Jude Children’s Research Hospital, Inc., immediately should any Authorized User become aware of a breach of any term or condition of this agreement. 17. St. Jude Children’s Research Hospital, Inc., may terminate this agreement by written notice to the User Institution. If this agreement terminates for any reason, the User Institution will destroy any Data held, including copies and backup copies. This clause does not prevent the User Institution from retaining these Data for archival purpose in conformity with audit or legal requirements. 18. The User Institution accepts that it may be necessary for the Data Producers to alter the terms of this Agreement from time to time. As an example, this may include specific provisions relating to the Data required by Data Producers and the collaborators listed in Appendix I. Data also may be reissued from time to time, with suitable versioning. If required, including if the reissue is at the request of sample donors and/or other ethical scrutiny, User Institution will destroy earlier versions of the Data. If either changes or reissue is required, the Data Producers or their appointed agent will contact the User Institution to inform it of the changes, and the User Institution may elect to accept the changes or terminate the agreement. 19. User Institution will obtain, retain, manage, store, analyze, and share with Authorized Users the Data consistent with all applicable and all appropriate data security and management requirements and measures, including those in Appendix I to protect the Data from disclosure. If requested, the User Institution will allow data security and management documentation to be inspected to verify that it is complying with the terms of this agreement. 20. The User Institution agrees to distribute a copy of these terms to the Authorized Personnel. The User Institution will ensure that the Authorized Personnel comply with the terms of this agreement and shall be responsible for any breach by its Authorized Personnel and any others accessing the Data at or by virtue of the access of User Institution and/or its Authorized Personnel. 21. The Data are subject to US laws and may be subject to laws of other jurisdictions. User Institution is responsible for complying with, and agrees to comply with, any applicable law or requirement. St. Jude Children’s Research Hospital makes no representations about laws of any jurisdiction. User Institution is responsible for compliance with the laws and requirements of its own jurisdiction. 22. Unless prohibited by law, User Institution agrees to indemnify St. Jude Children’s Research Hospital, Inc., and Data Producers for any claim or liability arising from User Institution’s or its Authorized Personnel’s access, download, use, storage, maintenance, of the Data. Nothing herein waives a Party’s legal right to claim to sovereign immunity. 23. Unless prohibited by applicable law, this Agreement shall be interpreted and construed in accordance with the laws of the State of Tennessee and the United States of America. 24. User Institution agrees that the Data are made available for one (1) year or until it is no longer needed for the Project, whichever is earlier. User Institution agrees to destroy the Data after one (1) year or until it is no longer needed for the Project, whichever is earlier, unless User Institution has re-applied for and received an extension before one (1) year has elapsed. User Institution must re-apply to access the Data after this period if the allowed access has lapsed. It is User Institution’s responsibility to track this timeframe. APPENDIX I – DATASET DETAILS Dataset reference (EGA Study ID and Dataset Details) # ____EGAS00001005863_________________ Name of project that created the dataset Identification of the dismal subtype of B-ALL with dysregulation of CDX2 and UBTF Names of other data producers/collaborators Charles G. Mullighan Specific limitations on areas of research None Minimum protection measures required Successful applicants should have access to a secure server. The Data or any data which relates to it containing sensitive genetic information, should remain on this server. Applicants must also provide a list of all Authorized Users. User Institution agrees to use applicable U.S. and EU best practices for administrative, technical, and physical security requirements to protect the confidentiality, integrity, and resilience of the Data. All devices used to access, use, or download the Data must meet commercially reasonable and industry standard security requirements for the protection of health information at the time of download or access, including without limitation, unique passphrase, separation of accounts (especially in the case of elevated privileges), controlled access limited to those with permission to access, encryption in transit, incident response training, secure configuration, regular vulnerability scanning and timely application of software security patches, privacy and security training, secure coding training, account monitoring and management, encryption on mobile devices and removable media, and secure deletion upon decommission. User Institution will notify St. Jude Children’s Research Hospital immediately in the event of unauthorized breach or access by others to the Data. If Data are stored, they must be stored in a secure, encrypted manner behind firewalls that block access from outside the institution and restrict external access. Data must not be shared with anyone else including by sharing account access credentials. Data must not be posted on servers that will make the Data publicly available or discoverable. If Data are being downloaded to a high performance computing (HPC) environment where file storage system encryption is not technically feasible, then the encryption requirement can be deferred if appropriate physical safeguards protecting the file storage system from unauthorized access and/or potential loss of Data and storage media are in place. Appropriate physical safeguards include, but are not limited to, a dedicated, locked data center space, multifactor access control, detailed records of data center access, and monitored video cameras. File access: Data can be held in unencrypted files on an institutional computer system so long as password protected, with Unix user group read/write access for one or more appropriate groups but not Unix world read/write access behind a secure firewall. Laptops holding these data should have encrypted hard drives, password protected logins, and screenlocks (set to lock after 5 min of inactivity). If held on USB keys or other portable hard drives, the data must be encrypted.