Last modified by melissargos on 2024/10/11 18:12
From version 11.1
edited by bschaffha
on 2024/10/08 17:05
Change comment: There is no comment for this version
To version 12.1
edited by bschaffha
on 2024/10/08 17:24
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -50,7 +50,7 @@
50 50  
51 51  Several aspects are crucial for demonstrating GDPR compliance. Hereunder is a compliance assessment based on the GDPR core principles:
52 52  
53 -**Lawfulness, Fairness, and Transparency**
53 +* **Lawfulness, Fairness, and Transparency**
54 54  
55 55  **Lawfulness:** The HIP ensures that data processing is based on informed consent obtained from data subjects (participants), aligning with GDPR requirements for lawful processing (Article 6(1)(a)). It requires users to accept the EBRAINS General Terms of Use, HIP General Terms and Conditions, adhering to all applicable laws and regulations, including GDPR.
56 56  
... ... @@ -62,39 +62,39 @@
62 62  
63 63  **Transparency:** The open-source nature of the HIP promotes GDPR transparency by providing accessible source code, fostering community involvement, and offering comprehensive documentation with clear data flows, empowering stakeholders to review data processing practices and ensuring accountability. The HIP requires that data is processed based on informed consent obtained from participants (GDPR Articles 12, 13), whose data are collected as part of real-world clinical data and according to ethically approved research protocols for research studies. Also, there is detailed user documentation at [[https:~~/~~/hip-infrastructure.github.io/build/html/index.html>>url:https://hip-infrastructure.github.io/build/html/index.html]] .
64 64  
65 -**Purpose Limitation**
65 +* **Purpose Limitation**
66 66  
67 67  Data is collected for specified, explicit, and legitimate purposes, including clinical research and collaboration within the scientific community. The HIP restricts data use to these defined purposes. Data Controllers define the specific research projects and publications their data can contribute to (GDPR Article 5(1)(b)). Data collected during clinical practice (real-world data), e.g., iEEG data, are provided on the HIP with the specific purpose of creating a cohort of sufficient size to perform meaningful scientific analysis, as these data are very scarce.
68 68  
69 -**Data Minimisation**
69 +* **Data Minimisation**
70 70  
71 71  Only high-quality data necessary for research is stored and processed, including pseudonymised iEEG data, neuroimaging data, and other relevant health-related data. Data must be pseudonymised and/or anonymised prior to upload to the platform, reducing the risk of unnecessary data exposure. The HIP employs a 3-tiered architecture and implements strict control on data access and sharing (GDPR Article 5(1)(c)).
72 72  
73 -**Accuracy**
73 +* **Accuracy**
74 74  
75 75  Data curation is required before moving from the private to the collaborative space, ensuring data quality and accuracy (GDPR Article 5(1)(d)). This curation aspect is especially important for projects that work collaboratively on data from different centres.
76 76  
77 -**Storage Limitation**
77 +* **Storage Limitation**
78 78  
79 79  In principle, Data controllers decide the duration of data storage in compliance with legal obligations, ensuring that data is not retained longer than necessary for its intended purpose (GDPR Article 5(1)(e)). Additionally, the HIP will have boundaries and policies for data storage volume and duration, that need to be respected.
80 80  
81 -**Integrity and Confidentiality**
81 +* **Integrity and Confidentiality**
82 82  
83 83  HIP adopts privacy by design principles, ensuring secure data storage and transfer. Pseudonymisation and anonymisation techniques protect personal data, and the platform architecture prevents local data downloads, mitigating misuse risks. Access to private and collaborative spaces is restricted to authorised and accredited users only, with data access permissions managed at user or group levels (GDPR Articles 5(1)(f), 25, and 32).
84 84  
85 -**Accountability**
85 +* **Accountability**
86 86  
87 87  HIP ensures that data controllers are responsible for their data and its use, managing it throughout its lifecycle, from collection to sharing and publication. Users must comply with GDPR and other applicable laws, and the platform includes mechanisms for accreditation and oversight by the Data Governance Steering Committee. Data Transfer Agreements (DTA) and Data Use Agreements (DUA) are in place, outlining responsibilities and compliance with GDPR (GDPR Article 5(2)).
88 88  
89 -**Data Protection by Design and by Default**
89 +* **Data Protection by Design and by Default**
90 90  
91 91  HIP’s 3-tier architecture and privacy-aware environment demonstrates compliance with data protection principles by design. Access to different data spaces is tightly controlled, and data is always pseudonymised or anonymised before sharing (GDPR Article 25).
92 92  
93 -**Data Subject Rights**
93 +* **Data Subject Rights**
94 94  
95 95  Patients' rights to access, rectify, and erase their data are respected. The responsibility lies with the Data controllers, who can remove their data from private and collaborative spaces, ensuring compliance with GDPR rights (GDPR Articles 15, 16, 17, and 18).
96 96  
97 -**Data Transfers (Articles 44-50)**
97 +* **Data Transfers (Articles 44-50)**
98 98  
99 99  The HIP ensures that any data transfers comply with GDPR’s requirements for international data transfers. This is achieved using DTAs and DSAs, ensuring that data transferred across borders is protected under equivalent data protection standards.
100 100  )))