Changes for page HDC/VRE onboarding

Last modified by michaels on 2023/11/21 09:29

From version 7.1
edited by michaels
on 2023/11/21 09:29
Change comment: There is no comment for this version
To version 6.1
edited by michaels
on 2023/11/21 09:26
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -2,17 +2,17 @@
2 2  
3 3  [[image:Fig3_20231012.jpg||style="float:left"]]
4 4  
5 -//Figure 1. Steps to lawful processing of health data.//
5 +Figure 1. Steps to lawful processing of health data.
6 6  
7 7  
8 -The Virtual Research Environment (vre; vre.charite.de) is the node of HDC at the Charité—Universitätsmedizin Berlin for collaborative processing of the special category of health data in compliance with the **European Union's General Data Protection Regulation (GDPR)**. According to GDPR the **special category of Health Data** includes all data pertaining to the health status of a data subject which reveal information relating to **the past, current or future physical or mental health status** of the data subject. Per Article 35(3)(b) of GDPR a **Data Protection Impact Assessment** is required in the case of processing on a large scale of special categories of data. Furthermore, per Article 37 GDPR, processing on a large scale of special categories of data require the controller and the processor to **designate a data protection officer (DPO) **that directly report to the highest management level of the controller or the processor**.** Furthermore, per Article 38 GDPR, **the controller and the processor shall ensure that the data protection officer is involved**, properly and in a timely manner, in all issues which relate to the protection of personal data. Importantly, Per Article 39 GDPR the DPO has the task to **inform and advise** the controller or the processor and the employees who carry out processing of their obligations pursuant to GDPR and other data protection provisions and to **monitor compliance** with GDPR **including the assignment of responsibilities**. Consequently, controllers must work closely with the Charité DPO and the DPOs of other participating institutions to prepare a comprehensive DPIA that addresses the risks and mitigations associated with processing health data. Consequently, **a final statement or vote of all involved DPOs on the prepared DPIA is required before VRE processing activities can commence**.
8 +The DPIA documents are accessed from the Charité—Universitätsmedizin Berlin SharePoint. Access to this SharePoint requires for non-employees the following **non-disclosure agreement **<TODO: NDA>.
9 9  
10 -The DPIA documents are accessed from the Charité—Universitätsmedizin Berlin SharePoint. Access to this SharePoint requires for non-employees the **non-disclosure agreement **in the [[Drive of this Collab>>https://wiki.ebrains.eu/bin/view/Collabs/health-data-cloud/Drive]].
10 +[[image:image-20231121092250-1.png]]
11 11  
12 +Figure 2. Externals need an NDA to access the DPIA template due to business secrets.
12 12  
13 -[[image:image-20231121092250-1.png]]
14 14  
15 -//Figure 2. Externals need an NDA to access the DPIA template due to business secrets.//
15 +The Virtual Research Environment (vre; vre.charite.de) is the node of HDC at the Charité—Universitätsmedizin Berlin for collaborative processing of the special category of health data in compliance with the **European Union's General Data Protection Regulation (GDPR)**. According to GDPR the **special category of Health Data** includes all data pertaining to the health status of a data subject which reveal information relating to **the past, current or future physical or mental health status** of the data subject. Per Article 35(3)(b) of GDPR a **Data Protection Impact Assessment** is required in the case of processing on a large scale of special categories of data. Furthermore, per Article 37 GDPR, processing on a large scale of special categories of data require the controller and the processor to **designate a data protection officer (DPO) **that directly report to the highest management level of the controller or the processor**.** Furthermore, per Article 38 GDPR, **the controller and the processor shall ensure that the data protection officer is involved**, properly and in a timely manner, in all issues which relate to the protection of personal data. Importantly, Per Article 39 GDPR the DPO has the task to **inform and advise** the controller or the processor and the employees who carry out processing of their obligations pursuant to GDPR and other data protection provisions and to **monitor compliance** with GDPR **including the assignment of responsibilities**. Consequently, controllers must work closely with the Charité DPO and the DPOs of other participating institutions to prepare a comprehensive DPIA that addresses the risks and mitigations associated with processing health data. Consequently, **a final statement or vote of all involved DPOs on the prepared DPIA is required before VRE processing activities can commence**.
16 16  
17 17  As the general flow of processing operation inside the VRE is fixed to the existing tools and services, it was agreed with the DPO of Charité that **only deviations from the template** provided in the DPIA Report (file //DPIA_VRE_UseCase_Lesion2TVB_2023-09-15-EN.docx//) and Risk analysis (file //R1_Risk-analysis-for-DPIA-Neuroimage-processing-brain-simulation-within-the-Virtual-Research-Environment-(VRE)-2023-09-15.xlsx//) need to be **communicated to the Charité DPO**. This use case describes a typical processing operation that involves health data of stroke patients including Findings, Imaging Data and Clinical Test Results. In addition to the main DPIA Report and Risk analysis, the DPIA is supplemented by Annexes that describe the VRE Architecture, Authorization Concept, Risk Assessment, Terms and Policies and the VRE Data Protection Concept.
18 18
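Review bot: The added line 8 replaces the link to the non-disclosure agreement with the literal placeholder `<TODO: NDA>`, so non-employees are told an NDA is required for SharePoint access but are given nothing to follow. Keep the `[[Drive of this Collab>>https://wiki.ebrains.eu/bin/view/Collabs/health-data-cloud/Drive]]` link from the removed line 10 until the replacement target exists. The reordering also puts the SharePoint/NDA paragraph and Figure 2 ahead of the paragraph that introduces the VRE and explains what a DPIA and a DPO are, so "The DPIA documents" is now used before the term is defined; the introduction should stay first. In the moved paragraph, which is carried over unchanged, "Consequently" opens two consecutive sentences, "require" and "report" should be "requires" and "reports", and the bold markup around "(DPO) **that directly report ... processor**.**" is unbalanced; these are worth fixing while the paragraph is being touched. The `//...//` italics are dropped from both figure captions; if that is intentional, check it matches how captions are marked up on the rest of the page.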