IDDO legal and regulatory documentation

IDDO maintains a series of current documentation in compliance with the data protection regulatory landscape, in particular the EU General Data Protection Regulation (GDPR), UK Data Protection Act 2018 and the UK GDPR. These documents are available to access below.

Providing equitable and secure access to data

Good governance of data relies on an interlocking framework of ethics, legal agreements and regulatory compliance. As a global repository, IDDO is guided by principles of equity and responsible use of data. Through providing data infrastructure to enable research, IDDO looks to ensure that access to the benefits of data sharing and the direction of resulting research incorporate the knowledge and active participation of low- and middle-income countries (LMIC) partners. This approach rests in turn on achieving best practice in accordance with global regulatory compliance. 

 

Schematic showing stages in what happens to data: Data Privacy Impact Assessment box with Transfer Risk Assessment box underneath, both labelled ‘DPIA’. Main Data contribution box with arrow pointing to Terms of Submission, with boxes underneath labelled Technical and Organisational Measures, De-identifications Procedures, IDDO sub-processors. Main Data request box with arrow pointing to Data Access application, with boxes underneath labelled Data Access Guidelines, DAC Terms of Reference, Data Access Request Evaluation. This set of boxes is labelled ‘DAC’, and has an additional box labelled Conflict of Interest Policy. Main Data Transfer box with a Data Use Agreement box pointing to it, with further boxes below labelled Schedule 1, and International Data Transfer Agreement.
Schematic showing stages of data flow and relevant documentation

View our legal and regulatory documentation 

IDDO Data Privacy Impact Assessment

This document records and demonstrates how IDDO embeds data protection by design and default into its data processing. While not required to complete a DPIA as a processor, IDDO maintains this DPIA as part of its data governance framework to achieve high standards, transparency and confidence in its handling of personal data
IDDO Terms of Submission

These terms describe the rights and obligations of individuals and organisations who contribute data to the IDDO repository, and detail how the data are processed by IDDO and its Sub-processors, and accessed for research purposes.
IDDO Technical and Organisational Measures (TOMs)

The technical and organisational measures presented in this document are implemented by IDDO in accordance with GDPR. They are continuously improved by IDDO to ensure a level of security appropriate to risk in relation to latest best practice.
IDDO De-identification Procedure (Clinical Trials)

This document provides an overview of the data de-identification framework adopted by IDDO to preserve the privacy and data protection rights of the participants included in the research studies shared with IDDO.
IDDO Sub-processors

IDDO maintains a current list of approved Sub-processors who process data on behalf of IDDO and in accordance with the Terms of Submission. All IDDO Sub-processors pass a Third-party Security Assessment conducted with the University of Oxford Information Compliance Team.
IDDO Data Access Committee

Documentation developed by and for the independent DAC govern the review process and operations of this committee. These documents include their Data Access Guidelines, DAC Terms of Reference and Conflict of Interest Policy.
IDDO Data Use Agreement

IDDO’s Data Use Agreement complies with the data protection safeguards laid down in the GDPR and uses the International Data Transfer Agreement to comply with GDPR when making restricted transfers, in line with the Transfer Risk Assessment completed as part of IDDO’s Data Privacy Impact Assessment.