Information Governance
Important
This section must be included in SOPs where data containing personally identifiable information (PII), or other sensitive information is accessed, generated, or stored.
The ‘Information Governance’ section of an SOP should describe how information generated, accessed, or stored during a procedure is managed in compliance with institutional policies, legal requirements, and ethical standards. Depending on the procedure, this may include:
Data Protection & Privacy: Specify how personal or sensitive data is handled in line with relevant regulations (e.g. GDPR in the UK/EU, HIPAA in the US etc).
Genetic Data Governance: Define how genomic sequences, variant data, and metadata are stored, anonymised, and shared.
Confidentiality: Define who has access to the information and how confidentiality is maintained.
Access Control: State what permissions, accounts, or authentication are required to access data or systems.
Retention & Disposal: Outline how long data must be retained and the approved methods for secure disposal.
Audit & Traceability: Describe how information use is logged, monitored, and traceable for compliance purposes.
Ethical Use: Ensure information is used only for its intended purpose (e.g. surveillance, diagnostics, research) and in accordance with institutional policies.
Third-Party Systems: Identify any external platforms or services used (e.g. NCBI).
Example content:
🧬 Bioinformatics QC Procedure
Example content from a bioinformatics SOP outlining the procedure for assessing the quality of Illumina sequencing data prior to downstream bioinformatics analyses.
Information Governance
Patient and sequencing data must be handled in accordance with Information Governance and Data Protection policies. Personally identifiable information (PII) must never be stored outside secure, access-controlled systems (e.g., LIMS). Data transfers must occur only via approved, encrypted connections, and users must ensure that all analysis systems and accounts are password-protected and access-controlled.
👩🔬 Staff Training Procedure
Example content from an SOP outlining a training procedure
Information Governance
Protect participant information in accordance with the organisational Data Protection and Information Governance Policy.
Training materials containing sample data must use anonymised or public datasets only (no personally identifiable or patient data).
Data transfers must occur only via approved, encrypted connections, and users must ensure that all analysis systems and accounts are password-protected and access-controlled
🌌 Galaxy Training Procedure
Example content from a training SOP detailing the standardised procedure for training on the Galaxy platform
Information Governance
Protect participant information in accordance with the organisational Data Protection and Information Governance Policy.
Training materials containing sample data must use anonymised or public datasets only (no personally identifiable or patient data).
Data transfers must occur only via approved, encrypted connections, and users must ensure that all analysis systems and accounts are password-protected and access-controlled
🧪 Laboratory Procedure
Example content from a wet-lab SOP outlining the procedure for preparing sequencing libraries using the Illumina DNA Prep kit.
Information Governance
All data generated as part of this procedure, including run identifiers, plate maps, worksheets, and electronic files, must be recorded, stored, and retained in accordance with laboratory information governance policies. Access to data must be restricted to authorised personnel, and all records must be maintained to ensure data integrity, traceability, and confidentiality.
💻 Code Update & Review Procedure
Information Governance
All information generated, accessed, or stored during the code review process must be managed in accordance with institutional Information Governance and Data Protection policies, and applicable legal and ethical requirements (e.g. GDPR in the UK/EU, HIPAA in the US).
Data Protection & Privacy: Code repositories must not contain personal or sensitive data unless explicitly authorised. Any incidental personal identifiers must be removed or anonymised before commit.
Confidentiality: Access to repositories, merge requests, and review comments is restricted to authorised team members. Confidentiality must be maintained at all times, and information must not be shared outside approved channels.
Access Control: All systems used for code review (e.g. GitLab, project servers) must be password-protected and access-controlled. Permissions are role‑based (Reporter, Developer, Reviewer, Team Leader) and managed by the Team Leader.
Retention & Disposal: Code review records, including merge requests, comments, and approval logs, must be retained in the version control system for the duration specified by institutional policy.
Audit & Traceability: All commits, merge requests, and review actions are automatically logged in GitLab, providing full traceability of changes and approvals. These logs must be preserved for audit and compliance purposes.