Last modified by melissargos on 2024/10/11 18:22
From version 21.1
edited by bschaffha
on 2024/10/10 13:58
Change comment: There is no comment for this version
To version 22.1
edited by bschaffha
on 2024/10/10 14:36
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -62,8 +62,19 @@
62 62  
63 63  //T(% class="small" %)his illustration depicts how data governance and data flow in the MIP are organised and how the legal framework and data management are interlinked. Decision points are indicated.//
64 64  
65 -(% style="color:#c0392b" %)//~*~*The MIP Data Protection Impact Assessment (DPIA) is currently under full revision and will become functional upon final approval by the CHUV DPO. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals and at least in the case of large-scale processing of sensitive data.//
65 +(% style="color:#c0392b" %)//~*~*The **MIP Data Protection Impact Assessment (DPIA) **is currently under full revision and will become functional upon final approval by the CHUV DPO. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals and at least in the case of large-scale processing of sensitive data.//
66 66  
67 +=== //MIP and data anonymisation// ===
68 +
69 +
70 +**Note**: (% style="color:#27ae60" %)**The MIP is handling anonymised data.**(%%) The definition for anonymisation (//ISO standard (ISO 29100:2011)//) of personal data is the process of encrypting or removing personally identifiable data from datasets so that a person can no longer be identified directly or indirectly (see also **Recital 26 of the GDPR)**. As soon a person cannot be re-identified the data is no longer considered personal data and the GDPR does not apply for further use.
71 +
72 +However, processing personal data **for the purpose to anonymise the data** is still processing that must have a **legal basis under Article 6 of GDPR**. The anonymisation process is what is known as “**further processing**”. As such the new processing must be compliant with the principle of purpose limitation. Most often, the legal basis of the controller’s/processor’s fulfilling contract or legitimate interest will apply, if the principles of collection, purpose, retention have been complied with.
73 +
74 +The process of anonymization can be used to improve data protection compliance in two main ways: i.e., as part of the “**privacy by design**” strategic work, with the goal to improve the protection of the processed data; or as part of the “**data minimisation**” strategy – where data can be anonymized and used without the risk of harming the data subjects.
75 +
76 +(% style="color:#27ae60" %)**Both strategies are followed by the MIP.**
77 +
67 67  === MIP concepts and definitions ===
68 68  
69 69  * **Common Data Elements (CDEs)**