Last modified by melissargos on 2024/10/11 18:12
From version 18.1
edited by bschaffha
on 2024/10/10 13:57
Change comment: There is no comment for this version
To version 20.1
edited by melissargos
on 2024/10/11 17:50
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.bschaffha
1 +XWiki.melissargos
Content
... ... @@ -37,38 +37,39 @@
37 37  
38 38  Users are mandated to accept the **HIP Terms of Use** and are required to accept the **EBRAINS Terms and Policies** [[https:~~/~~/www.ebrains.eu/page/terms-and-policies>>url:https://www.ebrains.eu/page/terms-and-policies]], to indicate acceptance and compliance with all applicable laws, regulations, rules, and approvals in the use and sharing of the data, including, but not limited to, the General Data Protection Regulation (GDPR).
39 39  
40 -Accredited users access the HIP through a web-based interface, which will provide them with access to all the available tools and relevant own or shared data.
40 +Accredited users access the HIP through a web-based interface [[https:~~/~~/thehip.app/login>>https://thehip.app/login]], which will provide them with access to all the available tools and relevant own or shared data.
41 41  
42 +== GDPR-compliant Data Processing on the HIP ==
42 42  
43 -== GDPR-compliant data processing on the HIP ==
44 +(% style="width:878px" %)
45 +|(% style="width:5px" %)
46 +|(% style="width:5px" %) |(% style="width:882px" %)[[image:image-20241010130312-1.jpeg||height="974" width="796"]]
44 44  
45 -|
46 -| |[[image:image-20241010130312-1.jpeg]]
48 +**Figure 2: Data Flow on the HIP: **(% class="small" %) //This diagram depicts the different legal and regulatory steps to be taken to be allowed to upload data to the institutional private space of the HIP, the process of creating a collaborative project, and the step of putting anonymised data into the public space.//
47 47  
48 -**Figure 2: Data Flow on the HIP: **(% class="small" %) //This diagramme depicts the different legal and regulatory steps to be taken to be allowed to upload data to the institutional private space of the HIP, the process of creating a collaborative project, and the step of putting anonymised data into the public space.//
50 +**Terminologies: (% class="small" %)//Project Leader //(%%)**(% class="small" %)//– HIP User initiating and responsible for a collaborative project; **Project Member** – HIP User accredited to contribute to a collaborative project; **Data Controller** - The natural or legal person who determines the purposes and means of the processing of personal data provided; **DTA **– Data Transfer Agreement; **DPIA -** Data Privacy Impact Assessment//
49 49  
50 -(% class="small" %)//**Project Leader **– HIP User initiating and responsible for a collaborative project; **Project Member** – HIP User accredited to contribute to a collaborative project; **Data Controller** - The natural or legal person who determines the purposes and means of the processing of personal data provided; **DTA **– Data Transfer Agreement; **DPIA -** Data Privacy Impact Assessment//
52 +== Data Governance Principles ==
51 51  
54 +(% style="color:#000000" %)**Acquisition:**(%%) Data will be collected by the physicians or clinical researchers during clinical routine or within the framework of a scientific study based on specific research protocols, approved by the corresponding local and national ethical bodies. This includes that Participants consented to the procedure undertaken to collect their data by signature of an informed consent or consented to the re-use of their data for research purposes, according to EU data protection legislation, also by signature of an explicit consent for use or reuse of their data in research projects.
52 52  
53 -(% style="color:#27ae60" %)**Acquisition:**(%%) Data will be collected by the physicians or clinical researchers during clinical routine or within the framework of a scientific study based on specific research protocols, approved by the corresponding local and national ethical bodies. This includes that Participants consented to the procedure undertaken to collect their data by signature of an informed consent or consented to the re-use of their data for research purposes, according to EU data protection legislation, also by signature of an explicit consent for use or reuse of their data in research projects.
56 +(% style="color:#000000" %)**Pre-processing:**(%%) The HIP requires data to be de-identified / pseudonymised prior to the data upload. Data curation e.g., annotation, to assure data quality is also required. Preferably, data are transformed into the BIDS format prior to upload, this can however also be performed directly on the platform with available tools. Data Pre-processing and planned processing are evaluated in a DPIA. Based on a signed DTA, and by using approved data transfer protocols, users can transfer the pre-processed pseudonymised medical data onto the HIP. Data Providers qualify as Data Controllers for the uploaded data.
54 54  
55 -(% style="color:#27ae60" %)**Pre-processing:**(%%) The HIP requires data to be de-identified / pseudonymised prior to the data upload. Data curation e.g., annotation, to assure data quality is also required. Preferably, data are transformed into the BIDS format prior to upload, this can however also be performed directly on the platform with available tools. Data Pre-processing and planned processing are evaluated in a DPIA. Based on a signed DTA, and by using approved data transfer protocols, users can transfer the pre-processed pseudonymised medical data onto the HIP. Data Providers qualify as Data Controllers for the uploaded data.
58 +(% style="color:#000000" %)**Storage & Usage:**(% style="color:#27ae60" %)** **(%%)The data will be stored in the Data Provider's private space on the HIP, where all available tools and workflows can be used to process their own data. It is not possible to share data in the private space with users from other centres. Data controllers decide on the duration of storage of their research data in the HIP in compliance with their legal obligations.
56 56  
57 -(% style="color:#27ae60" %)**Storage & Usage: **(%%)The data will be stored in the Data Provider's private space on the HIP, where all available tools and workflows can be used to process their own data. It is not possible to share data in the private space with users from other centres. Data controllers decide on the duration of storage of their research data in the HIP in compliance with their legal obligations.
60 +(% style="color:#000000" %)**Sharing & Publication:**(% style="color:#27ae60" %)** **(%%)The HIP facilitates data sharing. If the Data controller wants to share their own data with other HIP users to start a new research project or contribute to an existing research project, a dedicated project can be created as a collaborative space on the HIP. Based on fulfillment of regulatory requirements, data can be copied in the respective project space, where accredited Project Members will be able work towards specified research objectives. Each collaborative project has a defined Project Leader, who is responsible for obtaining relevant approvals. All agreements regarding publications and authorship shall be discussed between relevant parties at the start of the project, guidance is available in the Charter. Importantly, at any time Data Providers will keep full control of all scientific activities performed by the HIP community on their data transferred to the HIP collaborative space, and no scientific publication integrating their data shall be submitted without their consent.
58 58  
59 -(% style="color:#27ae60" %)**Sharing & Publication: **(%%)The HIP facilitates data sharing. If the Data controller wants to share their own data with other HIP users to start a new research project or contribute to an existing research project, a dedicated project can be created as a collaborative space on the HIP. Based on fulfilment of regulatory requirements, data can be copied in the respective project space, where accredited Project Members will be able work towards specified research objectives. Each collaborative project has a defined Project Leader, who is responsible for obtaining relevant approvals. All agreements regarding publications and authorship shall be discussed between relevant parties at the start of the project, guidance is available in the Charter. Importantly, at any time Data Providers will keep full control of all scientific activities performed by the HIP community on their data transferred to the HIP collaborative space, and no scientific publication integrating their data shall be submitted without their consent.
62 +(% style="color:#000000" %)**Termination:**(%%) Collaborative projects have defined start and end-dates, after the end of the project, the data will be removed from the collaborative space and the project will be closed. Requirements for data availability after the project end need to be specified.
60 60  
61 -(% style="color:#27ae60" %)**Termination:**(%%) Collaborative projects have defined start and end-dates, after the end of the project, the data will be removed from the collaborative space and the project will be closed. Requirements for data availability after the project end need to be specified.
64 +(% style="color:#000000" %)**Re-use:**(%%) High-quality Data can and should be re-used for new projects, provided relevant approvals are available. This is an important aspect to valorise data and the major efforts going into data curation and pre-processing.
62 62  
63 -(% style="color:#27ae60" %)**Re-use:**(%%) High-quality Data can and should be re-used for new projects, provided relevant approvals are available. This is an important aspect to valorise data and the major efforts going into data curation and pre-processing.
66 +(% style="color:#000000" %)**Archiving & Destruction:**(% style="color:#27ae60" %)** **(%%)Storage requirements can be defined in the DTA or Research protocol. Retention policies and long-term storage possibilities for data on the HIP are currently being worked out, if possible, in alignment with EBRAINS policies.
64 64  
65 -(% style="color:#27ae60" %)**Archiving & Destruction: **(%%)Storage requirements can be defined in the DTA or Research protocol. Retention policies and long-term storage possibilities for data on the HIP are currently being worked out, if possible, in alignment with EBRAINS policies.
68 +(% style="color:#000000" %)**Fair data:** (%%)Integration of the EBRAINS Knowledge Graph and implementation of data curation workflows are being under preparation to improve FAIRness of data on the HIP, making the metadata accessible and findable, thus fostering new collaborations.
66 66  
67 -(% style="color:#27ae60" %)**Fair data:**(%%) Integration of the EBRAINS Knowledge Graph and implementation of data curation workflows are being under preparation to improve FAIRness of data on the HIP, making the metadata accessible and findable, thus fostering new collaborations.
70 +(% style="color:#000000" %)**Public data:**(%%) Data Controllers might wish to make their data public, which will require anonymisation of the data and transferring them to the HIP public space. Relevant ethical approval needs to be provided. Thereafter, the Data Controllers will have no more control on how, and by whom, the public data might be used, including in terms of scientific publications and authorship. Requirements for appropriate acknowledgment together with the attributed license will be published alongside the public dataset in the EBRAINS Knowledge Graph.
71 +
68 68  
69 -(% style="color:#27ae60" %)**Public data:**(%%) Data Controllers might wish to make their data public, which will require anonymisation of the data and transferring them to the HIP public space. Relevant ethical approval needs to be provided. Thereafter, the Data Controllers will have no more control on how, and by whom, the public data might be used, including in terms of scientific publications and authorship. Requirements for appropriate acknowledgment together with the attributed license will be published alongside the public dataset in the EBRAINS Knowledge Graph.
70 -
71 -
72 72  **Summary of legal steps to be followed, depending on the purpose of the processing or project:**
73 73  
74 74  * Patient consent for usage of data for research purposes (specific, general, re-use)
... ... @@ -78,12 +78,14 @@
78 78  * Collaboration Agreement
79 79  * Data Use agreement
80 80  
82 +== ==
83 +
81 81  == HIP GDPR compliance assessment ==
82 82  
83 83  
84 84  [[image:image-20241010130312-2.png||height="398" width="401"]]
85 85  
86 -(% class="small" %)//Illustration from:** **//[[(% class="small small small small small small" %)//GDPR - Back to Basics | URM Consulting//>>url:https://www.urmconsulting.com/blog/gdpr-back-to-basics#Section-3]]
89 +(% class="small" %)//Illustration from:** **//[[(% class="small small small small small small small small small" %)//GDPR - Back to Basics | URM Consulting//>>url:https://www.urmconsulting.com/blog/gdpr-back-to-basics#Section-3]]
87 87  
88 88  
89 89  Several aspects are crucial for demonstrating GDPR compliance. Hereunder is a compliance assessment for the HIP, based on the GDPR core principles:
... ... @@ -97,7 +97,7 @@
97 97  
98 98  (% style="color:#c0392b" %)//~*~*The HIP Data Protection Impact Assessment (DPIA) is currently under full revision and will become functional upon final approval by the CHUV DPO. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals and at least in the case of large-scale processing of sensitive data.//
99 99  
100 -**Fairness:** Ethical compliance is ensured by obtaining informed consent before data entry into the HIP, getting ethical approvals of projects and signing data transfer agreements (DTA or DSA) prior to data sharing. Data pseudonymisation is required before integration in the HIP, which minimises the risk of reidentification, protecting data subjects from potential harm (GDPR Article 6(1)(a)). FAIRification efforts to display metadata of datasets on the HIP in the EBRAINS Knowledge Graph are underway.
103 +**Fairness:** Ethical compliance is ensured by obtaining informed consent before data entry into the HIP, getting ethical approvals of projects and signing data transfer agreements (DTA or DSA) prior to data sharing. Data pseudonymisation is required before integration in the HIP, which minimises the risk of re-identification, protecting data subjects from potential harm (GDPR Article 6(1)(a)). FAIRification efforts to display metadata of datasets on the HIP in the EBRAINS Knowledge Graph are underway.
101 101  
102 102  **Transparency:** The open-source nature of the HIP promotes GDPR transparency by providing accessible source code, fostering community involvement, and offering comprehensive documentation with clear data flows, empowering stakeholders to review data processing practices and ensuring accountability. The HIP requires that data is processed based on informed consent obtained from participants (GDPR Articles 12, 13), whose data are collected as part of real-world clinical data and according to ethically approved research protocols for research studies. Also, there is detailed user documentation at [[https:~~/~~/hip-infrastructure.github.io/build/html/index.html>>url:https://hip-infrastructure.github.io/build/html/index.html]] .
103 103