Last modified by melissargos on 2024/10/11 18:22
From version 21.1
edited by bschaffha
on 2024/10/10 13:58
Change comment: There is no comment for this version
To version 23.1
edited by bschaffha
on 2024/10/10 14:40
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -62,8 +62,19 @@
62 62  
63 63  //T(% class="small" %)his illustration depicts how data governance and data flow in the MIP are organised and how the legal framework and data management are interlinked. Decision points are indicated.//
64 64  
65 -(% style="color:#c0392b" %)//~*~*The MIP Data Protection Impact Assessment (DPIA) is currently under full revision and will become functional upon final approval by the CHUV DPO. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals and at least in the case of large-scale processing of sensitive data.//
65 +(% style="color:#c0392b" %)//~*~*The **MIP Data Protection Impact Assessment (DPIA) **is currently under full revision and will become functional upon final approval by the CHUV DPO. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals and at least in the case of large-scale processing of sensitive data.//
66 66  
67 +=== //MIP and data anonymisation// ===
68 +
69 +
70 +**Note**: (% style="color:#27ae60" %)**The MIP is handling anonymised data.**(%%) The definition for anonymisation (//ISO standard (ISO 29100:2011)//) of personal data is the process of encrypting or removing personally identifiable data from datasets so that a person can no longer be identified directly or indirectly (see also **Recital 26 of the GDPR)**. As soon a person cannot be re-identified the data is no longer considered personal data and the GDPR does not apply for further use.
71 +
72 +However, processing personal data **for the purpose to anonymise the data** is still processing that must have a **legal basis under Article 6 of GDPR**. The anonymisation process is what is known as “**further processing**”. As such the new processing must be compliant with the principle of purpose limitation. Most often, the legal basis of the controller’s/processor’s fulfilling contract or legitimate interest will apply, if the principles of collection, purpose, retention have been complied with.
73 +
74 +The process of anonymization can be used to improve data protection compliance in two main ways: i.e., as part of the “**privacy by design**” strategic work, with the goal to improve the protection of the processed data; or as part of the “**data minimisation**” strategy – where data can be anonymized and used without the risk of harming the data subjects.
75 +
76 +(% style="color:#27ae60" %)**Both strategies are followed by the MIP.**
77 +
67 67  === MIP concepts and definitions ===
68 68  
69 69  * **Common Data Elements (CDEs)**
... ... @@ -147,6 +147,16 @@
147 147  (% style="color:#27ae60" %)**Data Transfers (Articles 44-50)**
148 148  
149 149  The MIP ensures that any data transfers comply with GDPR’s requirements for international data transfers. This is achieved using DTAs and DSAs, ensuring that data transferred across borders is protected under equivalent data protection standards. If data is transferred, secure file transfer solutions are used.
161 +
162 +**Summary of legal steps to be followed, depending on the purpose of the processing or project:**
163 +
164 +* Patient consent for usage of data for research purposes (specific, general, re-use, anonymisation)
165 +* Ethical clearance for research projects and planned processing
166 +* (% style="color:#c0392b" %)//DPIA * under preparation//
167 +* Data Transfer agreement or Data Sharing Agreement
168 +* Collaboration Agreement
169 +* Data Use agreement
170 +* MIP Installation Agreement
150 150  )))
151 151  )))
152 152