2013.4.25
Ver. 1.0 

Introduction

The National Bioscience Database Center (NBDC) of the Japan Science and Technology Agency (JST) develops and operates the NBDC Human Database in accordance with the NBDC Guidelines for Human Data Sharing (hereinafter, the Data Sharing Guidelines). For data users, we have the NBDC Security Guidelines for Human Data (for Data Users) (hereinafter, the User Security Guidelines). For database centers, which receive data from data submitters and offer them to data users, security measures that are stronger than those taken by data users are required because database centers handle not only controlled-access data, which are defined in the Data Sharing Guidelines, but also data for future release (data held prior to publication of a paper or acquisition of a patent). Based on the User Security Guidelines, this document sets forth the security measures to be taken by database centers.

1. Application of the User Security Guidelines

When controlled-access data or data for future release are handled, in principle the standard-level (Type I) security measures, which are listed in the User Security Guidelines, must be put in place, and high-level (Type II) security measures are implemented as needed. All data offered must be de-identified.

Some definitions in Section 1 (Definitions) of the User Security Guidelines are changed as follows, and the sections starting with Section 2 (Measures to Be Taken under Standard-Level (Type I) Security) apply to this document.

  • Data
    • Controlled-access data and data for future release that are handled at the database center.
  • Principal Investigator (PI)
    • The person in charge of the database center.
  • Data user
    • The PI of the database center or staff who access data at the database center.

2. Security Measures Additionally Taken by the Database Center

  1. The database center must be audited by system security experts when a system is built and once every several years.
  2. With regard to open data, the servers and network devices that handle them must be properly maintained in order to avoid unauthorized access and malicious data alteration.