HDC/VRE onboarding

Figure 1. Steps to lawful processing of health data.

The Virtual Research Environment (vre; vre.charite.de) is the node of HDC at the Charité—Universitätsmedizin Berlin for collaborative processing of the special category of health data in compliance with the European Union's General Data Protection Regulation (GDPR). According to GDPR the special category of Health Data includes all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required in the case of processing on a large scale of special categories of data. Furthermore, per Article 37 GDPR, processing on a large scale of special categories of data require the controller and the processor to designate a data protection officer (DPO) that directly report to the highest management level of the controller or the processor. Furthermore, per Article 38 GDPR, the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. Importantly, Per Article 39 GDPR the DPO has the task to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to GDPR and other data protection provisions and to monitor compliance with GDPR including the assignment of responsibilities. Consequently, controllers must work closely with the Charité DPO and the DPOs of other participating institutions to prepare a comprehensive DPIA that addresses the risks and mitigations associated with processing health data. Consequently, a final statement or vote of all involved DPOs on the prepared DPIA is required before VRE processing activities can commence.

The DPIA documents are accessed from the Charité—Universitätsmedizin Berlin SharePoint. Access to this SharePoint requires for non-employees the non-disclosure agreement in the Drive of this Collab. 

Figure 2. Externals need an NDA to access the DPIA template due to business secrets.

As the general flow of processing operation inside the VRE is fixed to the existing tools and services, it was agreed with the DPO of Charité that only deviations from the template provided in the DPIA Report (file DPIA_VRE_UseCase_Lesion2TVB_2023-09-15-EN.docx) and Risk analysis (file R1_Risk-analysis-for-DPIA-Neuroimage-processing-brain-simulation-within-the-Virtual-Research-Environment-(VRE)-2023-09-15.xlsx) need to be communicated to the Charité DPO. This use case describes a typical processing operation that involves health data of stroke patients including Findings, Imaging Data and Clinical Test Results. In addition to the main DPIA Report and Risk analysis, the DPIA is supplemented by Annexes that describe the VRE Architecture, Authorization Concept, Risk Assessment, Terms and Policies and the VRE Data Protection Concept.

To communicate changes in the DPIA Report and Risk analysis only deviations from Use Case 1 specified in the template DPIA (DPIA_VRE_UseCase_Lesion2TVB_2023-09-15-EN.docx) need to be defined. The general steps of this use case include data upload to the Green Room; data minimization according and purpose limitation in Green Room; storage, organization, and controlled exposure in the Core Zone; processing with custom containerized workflows on VRE virtual machines or the VRE high-performance computer; transfer between VRE Green Room, Core Zone, JupyterHub, VM, and HPC. Any deviation from this Use Case including transfers to and from other systems or processing on systems different from those specified in the VRE DPIA must be explicitly specified. This includes any downloads and other forms of data exports from the VRE to other systems and processing of the data on other systems or any other networking activity with systems outside the VRE (including, for example, the sending of log files, or the integration with online repositories, etc.).

To specify deviations please provide a dedicated PDF file and use the same format as used in the following chapters of the provided DPIA. It is mandatory to specify any deviations from the existing Use Case 1 regarding in particular

• the list of the names and contact details of controllers (second page) and processors (chapter 4.1 “List of Processors”) according to Article 4(7) GDPR;
• a systematic description of the deviating processing activities to those specifed in chapter 2
• the deviating processing steps to those specified in chapter 2.2.2. "Use Case 1";
• the deviating IT Infrastructure, systems, and applications to those specified in chapter 3, including changes to the network, infrastructure resources and hardware;
• deviating data flows to those specified in chapter 3.3.1 and 3.3.2;
• deviating list of processors to those specified in chapter 4.1;
• deviating transfers with third countries to those specified in chapter 4.2;
• deviating recipients of the data to those specified in chapter 5.3;
• deviating summary of risks in chapter 8.1;
• deviating overall risk assessment in chapter 8.2;
• the opinion of all Data Protection Officers in chapters 9.1 and the statements of the person(s) responsible for implementation in chapter 9.2 on the revised and complete use case and processing activity;
• deviating risks and mitigation measures to those specified in chapter 9.3 and the accompanying file R1_Risk-analysis-for-DPIA-Neuroimage-processing-brain-simulation-within-the-Virtual-Research-Environment-(VRE)-2023-09-15.xlsx.