Last modified by melissargos on 2024/10/11 18:22
From version 30.1
edited by melissargos
on 2024/10/11 18:22
Change comment: There is no comment for this version
To version 23.1
edited by bschaffha
on 2024/10/10 14:40
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.melissargos
1 +XWiki.bschaffha
Content
... ... @@ -36,21 +36,24 @@
36 36  
37 37  //**Figure 1:** User Interface of the Medical Informatics Platform MIP//
38 38  
39 -== Creation of a MIP User Account ==
39 +​
40 40  
41 -**Prerequisite – Step 1**: Access to the MIP requires an EBRAINS user account, which needs to be permitted and authenticated. EBRAINS user accounts are available to users with a legitimate interest (mainly research and development) from Europe and beyond.
41 +== Creation of a MIP User Account ==
42 42  
43 -Request an EBRAINS user account: [[https:~~/~~/www.ebrains.eu/page/sign-up>>url:https://www.ebrains.eu/page/sign-up]]
44 -The EBRAINS user account allows users to directly access the** Public MIP ([[https:~~/~~/mip.ebrains.eu/>>url:https://mip.ebrains.eu/]]**) with no further accreditation being required.
43 +**Prerequisite – Step 1**: Access to the MIP requires an **EBRAINS user account, **which needs to be permitted and authenticated. EBRAINS user accounts are available to users with a legitimate interest (mainly research and development) from Europe and beyond.
45 45  
46 -**Access to a specific MIP Federation – Step 2:** EBRAINS authorised Users with an active EBRAINS account can request access to a specific MIP Federation by contacting [[support@ebrains.eu>>path:mailto:support@ebrains.eu]], who will forward the specific request to the MIP Management team. Users can also get in direct contact with the MIP team via the online form on the EBRAINS website: [[https:~~/~~/www.ebrains.eu/tools/medical-informatics-platform>>url:https://www.ebrains.eu/tools/medical-informatics-platform]]
45 +**Request an EBRAINS user account**: [[https:~~/~~/www.ebrains.eu/page/sign-up>>url:https://www.ebrains.eu/page/sign-up]]
46 +The EBRAINS user account allows users to directly access the **Public MIP** ([[https:~~/~~/mip.ebrains.eu/>>url:https://mip.ebrains.eu/]]) with no further accreditation being required.
47 +EBRAINS authorised Users with an active EBRAINS account can request access to a specific federation by contacting [[support@ebrains.eu>>path:mailto:support@ebrains.eu]], who will forward the specific request to the MIP Management team.
47 47  
48 -The Data Science Steering Committee (DSSC) of the specific federation will be involved in the accreditation process to receive access approvals. The creation of a new MIP Federation projects can be initiated at any time.
49 +Users can also get in direct contact with the MIP team via the online form on the **EBRAINS website**: [[https:~~/~~/www.ebrains.eu/tools/medical-informatics-platform>>url:https://www.ebrains.eu/tools/medical-informatics-platform]]
49 49  
50 -Users are required to accept the EBRAINS Terms and Policies [[https:~~/~~/www.ebrains.eu/page/terms-and-policies>>url:https://www.ebrains.eu/page/terms-and-policies]], to indicate acceptance and compliance with all applicable laws, regulations, rules, and approvals in the use and sharing of the data, including, but not limited to, the General Data Protection Regulation (GDPR).
51 +The Data Science Steering Committee (DSSC) of the specific federation will be involved in the accreditation process to receive access approvals.
51 51  
52 -Upon login to the MIP, users are mandated to accept the Terms of Use of the MIP. Accredited users access the MIP through a web-based interface, which will provide them with direct access to the respective federation on the MIP.
53 +New federated projects can be initiated at any time. Users are required to accept the EBRAINS Terms and Policies [[https:~~/~~/www.ebrains.eu/page/terms-and-policies>>url:https://www.ebrains.eu/page/terms-and-policies]], to indicate acceptance and compliance with all applicable laws, regulations, rules, and approvals in the use and sharing of the data, including, but not limited to, the General Data Protection Regulation (GDPR).
53 53  
55 +Upon login to the MIP, users are mandated to accept the Terms of Use of the MIP. Accredited users access the MIP through a web-based interface, which will provide them with access to the respective federation on the MIP.
56 +
54 54  == MIP Data Governance ==
55 55  
56 56  [[image:1728560441625-436.png]]
... ... @@ -59,14 +59,17 @@
59 59  
60 60  //T(% class="small" %)his illustration depicts how data governance and data flow in the MIP are organised and how the legal framework and data management are interlinked. Decision points are indicated.//
61 61  
62 -(% style="color:#c0392b" %)//~*~*The **MIP Data Protection Impact Assessment (DPIA) **is currently under full revision and will become functional upon final approval by the CHUV DPO. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required for processing of sensitive data.//
65 +(% style="color:#c0392b" %)//~*~*The **MIP Data Protection Impact Assessment (DPIA) **is currently under full revision and will become functional upon final approval by the CHUV DPO. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals and at least in the case of large-scale processing of sensitive data.//
63 63  
64 64  === //MIP and data anonymisation// ===
65 65  
66 -**Note**: (% style="color:#27ae60" %)**The MIP is handling anonymised data.**(%%) The definition for anonymisation (//ISO standard (ISO 29100:2011)//) of personal data is the process of encrypting or removing personally identifiable data from data so that a person can no longer be directly or indirectly identified (see also **Recital 26 of the GDPR)**. As soon a person cannot be re-identified the data is no longer considered personal data and the GDPR does not apply for further use.
67 67  
68 -However, processing personal data **for the purpose of anonymisation** is still processing that must have a **legal basis under Article 6 of GDPR**. The anonymisation process is defined as “**further processing**” and this processing must be compliant with the principle of purpose limitation. The process of data anonymisation can be used to improve data protection compliance, e.g., as part of the “**privacy by design**” strategy, with the goal to improve the protection of the processed data; or as part of the “**data minimisation**” strategy, where data can be anonymised and used without the risk of harming the data subjects.
70 +**Note**: (% style="color:#27ae60" %)**The MIP is handling anonymised data.**(%%) The definition for anonymisation (//ISO standard (ISO 29100:2011)//) of personal data is the process of encrypting or removing personally identifiable data from datasets so that a person can no longer be identified directly or indirectly (see also **Recital 26 of the GDPR)**. As soon a person cannot be re-identified the data is no longer considered personal data and the GDPR does not apply for further use.
69 69  
72 +However, processing personal data **for the purpose to anonymise the data** is still processing that must have a **legal basis under Article 6 of GDPR**. The anonymisation process is what is known as “**further processing**”. As such the new processing must be compliant with the principle of purpose limitation. Most often, the legal basis of the controller’s/processor’s fulfilling contract or legitimate interest will apply, if the principles of collection, purpose, retention have been complied with.
73 +
74 +The process of anonymization can be used to improve data protection compliance in two main ways: i.e., as part of the “**privacy by design**” strategic work, with the goal to improve the protection of the processed data; or as part of the “**data minimisation**” strategy – where data can be anonymized and used without the risk of harming the data subjects.
75 +
70 70  (% style="color:#27ae60" %)**Both strategies are followed by the MIP.**
71 71  
72 72  === MIP concepts and definitions ===
... ... @@ -103,7 +103,7 @@
103 103  |(((
104 104  **Figure 3**// MIP Data Flow//
105 105  
106 -//T(% class="small" %)his diagram illustrates the MIP Data Flow, indicating processing steps prior to data upload and steps after data upload to the MIP.  EHR – electronic health record, MRI - magnetic resonance imaging, ETL - data integration (extract, transform, load), CDE – common data elements, ML – machine learning, GUI – graphical user interface, VM – virtual machine. Data pre-processing: extract data from EHR records and produce pseudonymised data in .csv format; optional Step1: extract brain volumes from MRI images and merge with data extracted from EHR records; Data Quality and Harmonisation: Prepare CDE: if CDE exists – Steps 2B, 4 and 5 are followed; if CDE needs to be prepared, first Steps 2A and 3A need to be performed, followed by Steps 2B, 4 and 5. Data Analysis and ML: anonymised dataset is uploaded either to the federated node in the institution or the dedicated VM on EBRAINS CSCS. Data Analysis can be performed via the Federation Service Layer and User Interface: use of predefined federated algorithms, aggregated results will be retrieved via the GUI.//
112 +//T(% class="small" %)his diagramme illustrates the MIP Data Flow, indicating processing steps prior to data upload and steps after data upload to the MIP.  EHR – electronic health record, MRI - magnetic resonance imaging, ETL - data integration (extract, transform, load), CDE – common data elements, ML – machine learning, GUI – graphical user interface, VM – virtual machine. Data pre-processing: extract data from EHR records and produce pseudonymised data in .csv format; optional Step1: extract brain volumes from MRI images and merge with data extracted from EHR records; Data Quality and Harmonisation: Prepare CDE: if CDE exists – Steps 2B, 4 and 5 are followed; if CDE needs to be prepared, first Steps 2A and 3A need to be performed, followed by Steps 2B, 4 and 5. Data Analysis and ML: anonymised dataset is uploaded either to the federated node in the institution or the dedicated VM on EBRAINS CSCS. Data Analysis can be performed via the Federation Service Layer and User Interface: use of predefined federated algorithms, aggregated results will be retrieved via the GUI.//
107 107  )))
108 108  
109 109  == MIP GDPR compliance assessment ==
... ... @@ -110,6 +110,7 @@
110 110  
111 111  Several aspects are crucial for demonstrating GDPR compliance. Hereunder is a compliance assessment based on the GDPR core principles:
112 112  
119 +
113 113  (% style="color:#27ae60" %)**Lawfulness, Fairness, and Transparency (Article 5 GDPR)**
114 114  
115 115  **Lawfulness and Fairness:** In alignment with GDPR requirements for lawful processing (Article 6(1)(a)), the MIP legal contracts with Data Providers require that data processing is based on informed consent obtained from data subjects. It requires users to accept the EBRAINS General Terms of Use, adhering to all applicable laws and regulations, including GDPR. Data Transfer Agreements (DTAs) and Data Sharing Agreements (DSAs) provide a legal framework and are mandated before any data transfer or data sharing, ensuring compliance with Article 28(3) regarding processor agreements (GDPR Articles 5(1)(a), 6, and 7). Strict authentication and authorisation procedures are in place, to only provide access to accredited users. Data anonymisation is required before integration in the MIP, which minimises the risk of reidentification, protecting data subjects from potential harm (GDPR Article 6(1)(a)). An additional built in privacy threshold restricts data analysis to receiving aggregate results of at least 10 participant records.
... ... @@ -159,7 +159,7 @@
159 159  * (% style="color:#c0392b" %)//DPIA * under preparation//
160 160  * Data Transfer agreement or Data Sharing Agreement
161 161  * Collaboration Agreement
162 -* MIP User Charter
169 +* Data Use agreement
163 163  * MIP Installation Agreement
164 164  )))
165 165  )))
XWiki.XWikiRights[3]
Allow/Deny
... ... @@ -1,1 +1,0 @@
1 -Allow
Levels
... ... @@ -1,1 +1,0 @@
1 -view
Users
... ... @@ -1,1 +1,0 @@
1 -XWiki.XWikiGuest
XWiki.XWikiRights[4]
Allow/Deny
... ... @@ -1,1 +1,0 @@
1 -Allow
Groups
... ... @@ -1,1 +1,0 @@
1 -XWiki.XWikiAllGroup
Levels
... ... @@ -1,1 +1,0 @@
1 -view