A wallet for the research lab? How an early Nordic pilot is testing a new way to unlock sensitive genomic data
When a researcher is approved to use a protected dataset, how should that permission travel? Today, the answer is often a patchwork of institutional logins, access forms, local account systems, and manual checks. In genomics, where data is both highly sensitive and increasingly shared across institutions and borders, that patchwork is becoming harder to scale.
That is the backdrop to a proof of concept explored by CSC in Finland, Sunet in Sweden and SIROS Foundation, using digital wallet-based credentials as a possible new way to represent and present access rights. CSC is the Finnish state- and university-owned nonprofit digital infrastructure provider for research, education, culture, and public administration. Sunet, part of the Swedish Research Council, operates Sweden’s research and education network and provides identity infrastructure and related digital services for higher education and research organizations.
At CSC, Meeri Hakala sits close to the practical problem. She is service owner for SD Apply, one of CSC’s sensitive data services. SD Apply is used to manage permissions for controlled-access datasets stored in CSC environments, including genomic and biomedical data. It is a fully electronic service through which researchers can apply for access to sensitive datasets, while data access committees review decisions and approved datasets are made available in a secure computing environment. The service also logs decisions and supports an auditable trail of access management.
In the interview, Hakala explains that this is what drew her into the wallet experiment. “We already use this Global Alliance Passport standard for communicating the access rights,” she says. “But then we wanted to explore how we could use digital wallets together with that to gain more trust to the user’s identity and also to the access rights.”
That idea builds on an older layer of infrastructure. CSC has spent years developing REMS, short for Resource Entitlement Management System, a tool for managing access rights to research resources and datasets. REMS allows applicants to use federated identities, submit data access applications, agree to terms of use, and route requests to resource owners for approval. CSC’s SD Apply service is one practical implementation of that logic. CSC also notes that SD Apply aligns with international standards, including the GA4GH Passport specification, which is designed to encode and communicate a researcher’s access permissions across systems in a tamper-resistant way.
What the pilot adds is a new way to handle identity and trust using the digital wallet.
In Hakala’s description, the demonstration followed a simple but revealing sequence. A user applied for access to two datasets in a test biobank instance. Once the request was approved, REMS issued the permission as a verifiable credential into the user’s wallet. The user could then use that wallet in the login flow to enter a secure processing environment and show that the required access rights existed.
At Sunet, where Liström works with trust and identity services, he views wallet-based identity as part of a broader shift in how information is exchanged. “The way information sharing is done with the concept of the digital identity wallet can improve both user experience and privacy issues,” he says. That matters especially in research and higher education, he argues, because access control is already hard and getting harder. “It is quite a complicated thing today in the identity space,” he says, “particularly looking at higher education because it’s such a global sector.”
That observation lands squarely in genomics. Europe’s Genomic Data Infrastructure, or GDI, is working toward a federated, secure, cross-border infrastructure for genomic, phenotypic, and clinical data. Its stated goal is to enable access to these data for research, healthcare, and policymaking across Europe, while keeping access controlled, lawful, and interoperable. In other words, the policy ambition is already there. The open question is how the trust layer will work in practice when real people need to prove who they are and what they are allowed to access.
That is one reason this exploratory pilot is interesting.
“So far this has been only internal,” Hakala says. The concept has been demonstrated externally, but not yet tested with actual end users. One reason is that an important final step is still missing. “Currently in our environment, we can show that the user has access to something,” she says, “but we can’t yet make the data available based on the permit that has been issued in the wallet.”
Liström is even blunter about the maturity level. “We’re not just trying a new service,” he says. “We’re trying a completely new concept.” In his telling, almost every layer is still in motion at once: infrastructure, standards, user flows, interface design, and trust relationships. “It’s not just one thing that is new,” he says. “It’s like everything is new.”
That caution matters, because wallet rhetoric often runs ahead of implementation. A digital wallet, in principle, lets a user hold credentials directly and share only what is needed for a given interaction. SIROS, whose wwWallet technology is being used in this pilot, describes digital wallets as a way to prove who you are, what you are allowed to do, or whether you meet a requirement without repeatedly handing over copies of documents or excess personal data. The organization emphasizes selective disclosure and zero knowledge proof, passkey-based authentication, and user control over where credentials are stored.
In a genomics context, that model has obvious appeal. Sensitive data holders do not want to expose more identity data than necessary. Researchers do not want yet another brittle access workflow. And institutions need strong assurance that permissions are authentic, current, and portable across systems.
Yet Hakala is clear that researchers themselves are usually not the ones worrying about architecture diagrams. “Researchers just want things to be easy for them so they can concentrate on their research,” she says, “even when working with sensitive data.” In her experience, the real scrutiny tends to come from the organizations behind the services: IT units, legal teams, and data controllers. Controlled-access genomic data sits at the intersection of privacy law, research governance, and public trust. A biobank or data custodian cannot afford to get identity and authorization wrong.
Hakala sees the wallet pilot as the next step in a longer journey. In an earlier phase, organizations moved from paper forms to digital access management. Now the challenge is how to communicate those access rights more securely, and in a form the user can carry and present when needed. “Through these years we have seen that it is a very complex problem,” she says. “Only now this digital wallet seems like a very promising alternative.”
For Liström, the most promising aspect is not only the wallet itself, but the prospect of interoperability. “There are so many different actors that are actually joining together to try to find a common way to exchange this information,” he says. That matters because identity systems have historically been fragmented by sector, institution, and national boundary.
He breaks the challenge into three parts. First, the ecosystem still has to decide who plays which role: who issues which credentials, who verifies them, and who is accountable for what. Second, there is the cross-sector question: how public-sector identity frameworks, research infrastructures, and possibly private actors can interoperate without collapsing into a single centralized model. Third, there is the global question. European digital identity frameworks are moving fast, but research itself is global. “How can we collaborate globally around identity solutions,” Liström asks, “particularly in the case where we’re now working within the European digital identity framework, but in higher education the sector as such is global?”
Hakala sees the same dynamic from the research side. She says organizations outside Europe are already paying attention. “We were already discussing it with Australia and New Zealand,” she says. “They don’t yet know what will happen in their country, but they are very interested to see what we have and follow the development.”
That may ultimately be the strongest signal from this early pilot. It is not that the hard problems are solved. It is that the right people are now testing the problem in a concrete way: as a controlled-access use case in a field where privacy, interoperability, and trust all matter at once.
And that is what makes this more than a technical demo. It is an early attempt to rethink how researchers prove not just who they are, but what they are authorized to do — in a way that could eventually be more secure, more portable, and more privacy-preserving than the systems many institutions rely on today.
Because in research, as in identity, trust is rarely a single login. It is an ecosystem.
