Onboarding to the Human Intracerebral EEG Platform HIP

Version 12.1 by bschaffha on 2024/10/08 17:24

Step-by-step guidance

What can I find here?

  • HIP User Account creation
  • Data flow on the HIP
  • HIP GDPR compliance assessment

Figure 1: Landing page of the Human Intracerebral EEG Platform HIP

HIP User Account creation

Prerequisite – Step 1: Access to the HIP requires a registered EBRAINS user account; the account must be authorised for the HIP and the user must authenticate with it. EBRAINS user accounts are available to users with a legitimate interest (mainly research and development) from Europe and beyond.

Request an EBRAINS user account: https://www.ebrains.eu/page/sign-up

The HIP endeavours to comply with national and international laws and regulations, including intellectual property rights, the protection of privacy, ethical considerations and security regulations, when designing the rules and conditions for access to and use of the platform.

Platform Access – Step 2: Only authorised EBRAINS users can request access to the HIP. In the initial phase, accreditations are managed by the CHUV Leadership, and oversight is provided by the Data Governance Steering Committee.

The user first logs into the HIP with their EBRAINS account and then must request access to the HIP through one of the following channels:

  • EBRAINS support at support@ebrains.eu, who will forward the request to the HIP team;
  • the HIP-specific support address support@thehip.app; or
  • the HIP team via the EBRAINS website: https://www.ebrains.eu/tools/human-intracerebral-eeg-platform

Users must accept the HIP Terms of Use and the EBRAINS Terms and Policies (https://www.ebrains.eu/page/terms-and-policies), thereby confirming their acceptance of and compliance with all applicable laws, regulations, rules and approvals governing the use and sharing of data, including, but not limited to, the General Data Protection Regulation (GDPR).

Accredited users access the HIP through a web-based interface, which gives them access to all available tools and to their own data and the data shared with them.

Data flow on the HIP

under preparation

HIP GDPR compliance assessment

Several aspects are crucial for demonstrating GDPR compliance. Hereunder is a compliance assessment based on the GDPR core principles:

  • Lawfulness, Fairness, and Transparency

Lawfulness: The HIP ensures that data processing is based on informed consent obtained from data subjects (participants), in line with the GDPR requirement for a lawful basis (Article 6(1)(a)). Because iEEG and related health data are special categories of personal data, processing additionally requires one of the conditions in Article 9(2), such as explicit consent (Article 9(2)(a)). The HIP requires users to accept the EBRAINS General Terms of Use and the HIP General Terms and Conditions, and to adhere to all applicable laws and regulations, including GDPR.

DPIAs*, Data Transfer Agreements (DTAs) and approved research protocols provide the legal framework and are mandated before any data transfer or data sharing (GDPR Articles 5(1)(a), 6 and 7). Where the HIP or another party processes data on behalf of a data controller, these agreements also satisfy Article 28(3), which requires a binding contract governing such processing.

*The HIP Data Protection Impact Assessment (DPIA) is currently under full revision and will take effect upon final approval by the CHUV DPO. Under Article 35(1) of GDPR, a DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals; Article 35(3)(b) makes it mandatory in particular for large-scale processing of special categories of data such as health data.

Fairness: Ethical compliance is ensured by obtaining informed consent before data entry into the HIP (GDPR Article 6(1)(a)), by obtaining ethical approval for projects, and by signing data transfer or data sharing agreements (DTA or DSA) prior to data sharing. Data must be pseudonymised before integration into the HIP, which minimises the risk of re-identification and protects data subjects from potential harm (GDPR Articles 4(5) and 25). Note that pseudonymised data remain personal data as long as the additional information needed for re-identification exists (GDPR Recital 26), so all GDPR safeguards continue to apply to them. FAIRification efforts to display the metadata of HIP datasets in the EBRAINS Knowledge Graph are underway.

Transparency: The open-source nature of the HIP supports GDPR transparency: the source code is publicly accessible, community involvement is encouraged, and comprehensive documentation with clear data flows lets stakeholders review data processing practices and hold the platform accountable. The HIP requires that data are processed on the basis of informed consent obtained from participants, who must be given the information required under GDPR Articles 12 and 13; their data are collected as real-world clinical data and under ethically approved research protocols for research studies. Detailed user documentation is available at https://hip-infrastructure.github.io/build/html/index.html

  • Purpose Limitation

Data are collected for specified, explicit and legitimate purposes, namely clinical research and collaboration within the scientific community, and the HIP restricts data use to these defined purposes. Data controllers define the specific research projects and publications to which their data may contribute (GDPR Article 5(1)(b)). Data collected during clinical practice (real-world data), e.g. iEEG data, are provided on the HIP with the specific purpose of building a cohort large enough for meaningful scientific analysis, as such data are very scarce.

  • Data Minimisation

Only high-quality data necessary for research are stored and processed, namely pseudonymised iEEG data, neuroimaging data and other relevant health-related data. Data must be pseudonymised and/or anonymised prior to upload to the platform, which reduces the risk of unnecessary data exposure. The HIP employs a 3-tiered architecture and implements strict controls on data access and sharing (GDPR Article 5(1)(c)).

  • Accuracy

Data curation is required before data move from the private space to the collaborative space, ensuring data quality and accuracy (GDPR Article 5(1)(d)). Curation is especially important for projects that work collaboratively on data from different centres.

  • Storage Limitation

In principle, data controllers decide the duration of data storage in compliance with their legal obligations, ensuring that data are not retained longer than necessary for their intended purpose (GDPR Article 5(1)(e)). Additionally, the HIP will define limits and policies on data storage volume and retention duration, which users must respect.

  • Integrity and Confidentiality

The HIP adopts privacy-by-design principles, ensuring secure data storage and transfer. Pseudonymisation and anonymisation techniques protect personal data, and the platform architecture prevents local data downloads, mitigating the risk of misuse. Access to private and collaborative spaces is restricted to authorised and accredited users only, with data access permissions managed at user or group level (GDPR Articles 5(1)(f), 25 and 32).

  • Accountability

The HIP holds data controllers responsible for their data and its use throughout its lifecycle, from collection to sharing and publication. Users must comply with GDPR and other applicable laws, and the platform includes mechanisms for accreditation and oversight by the Data Governance Steering Committee. Data Transfer Agreements (DTA) and Data Use Agreements (DUA) are in place, setting out responsibilities and compliance with GDPR (GDPR Article 5(2)).

  • Data Protection by Design and by Default

The HIP's 3-tier architecture and privacy-aware environment demonstrate compliance with data protection by design and by default. Access to the different data spaces is tightly controlled, and data are always pseudonymised or anonymised before sharing (GDPR Article 25).

  • Data Subject Rights

Patients' rights to access, rectify and erase their data, and to restrict its processing, are respected. The responsibility for honouring these rights lies with the data controllers, who can remove their data from the private and collaborative spaces (GDPR Articles 15, 16, 17 and 18).

  • Data Transfers (Articles 44-50)

The HIP ensures that any data transfers comply with GDPR's requirements for international data transfers. This is achieved using DTAs and DSAs, which ensure that data transferred across borders are protected under equivalent data protection standards. A contract between the parties does not by itself legitimise a transfer to a third country: the transfer must rest on an adequacy decision (Article 45) or on appropriate safeguards such as Standard Contractual Clauses (Article 46), which the DTA or DSA can incorporate.