FAQ

How is Public-nEUro GDPR compliant

Platform compliance:

  • (a) The legal basis for Public-nEUro is performance of contract: it acts as a processor on behalf of the data controller to share data, and as a data controller for users to provide them with a service.
  • (b) A privacy notice is provided to Public-nEUro users, whose information is processed under performance of contract.
  • (c) Data controllers who use Public-nEUro can request and access all user accesses related to their data.
  • (d) All data access is recorded for audit purposes.
  • (e) A record of staff and their GDPR training is kept.
  • (f) A Data Protection Officer is in charge of reviewing compliance and implementing changes when needed.
  • (g) A data breach affecting author, user or institution records in the database will be reported to the supervisory authority as soon as possible by phone call and email, and data users will be informed by email.
  • (h) In case of a data breach related to datasets, authors will be contacted immediately so that they can report to their supervisory authority.

Public data sharing compliance

  • (a) Data are securely stored and managed with an Identity and Access Management (IAM) system.
  • (b) Identified users must sign a Data User Agreement, and users located in non-EU countries or countries without an adequate level of protection must also sign Standard Contractual Clauses.
  • (c) Data access requests and accesses are auditable.
  • (d) Cloud-stored data are strongly encrypted at rest and in transit.
  • (e) Any data breach will be reported to the data controllers.
  • (f) The cloud service and the nEurothenticate platform are ISO 27001 certified.
  • (g) A risk assessment is conducted on a regular basis, and its findings are kept in a risk register.

Additional GDPR compliance includes the Data Transfer Agreement between authors and the Neurobiology Research Unit. Users must also agree that Public-nEUro keeps their information for the purpose of providing them with data access and for auditing.

Sharing Legally under GDPR with Public nEUro

The General Data Protection Regulation (GDPR) is the law that regulates all processing of personal data in all of Europe, which according to GDPR Article 4 §2 includes a very broad range of activities such as collection, organisation, storage, alteration, retrieval, use, disclosure, alignment, restriction, or even erasure and destruction of data. GDPR Article 6 §1 requires all processing of personal information to have a legal basis and be for a specified purpose, and GDPR Article 5 §1b states that further processing for research is not to be seen as incompatible with any initially defined purposes.

Brain imaging of patients and healthy volunteers relates to the health of a natural person, which is a special category of information given special protection by GDPR Article 9 §1. Even after pseudonymization, it can be argued that such data remain personal, and processing these categories of information is forbidden except in a defined set of circumstances. One such circumstance is defined in GDPR Article 9 §2, which allows research processing in accordance with national law if it pursues a substantial public interest, is proportional to the aim, and has adequate protections in place according to GDPR Article 32 and GDPR Article 89. The research institution can, according to GDPR Article 28 §3, also make use of third-party services for processing personal data (cf. Data processing services and the cloud, below).

Following these rules, an institution can share research brain imaging data, provided the data collection and sharing are nationally lawful and users process the data for research purposes (which should be defined in the Data User Agreement).

Data processing services and the cloud

Following GDPR Article 28 §3, a third party can process data on behalf of the data controller if a data processing agreement is in place that describes what kind of processing is allowed. Such agreements can only be made with a data processor who is able to sufficiently document that appropriate technical and organisational measures can be put in place (cf. Protective measures, below; GDPR Article 28 §1). The data processor may also only process information according to documented instructions from the data controller. According to GDPR Article 82 §2, the data controller is liable for any damages caused by this processing, except that the data processor is liable for damage caused by any processing carried out outside of these instructions.

Given the protective measures in place in Public nEUro, EU institutions can share data using a Data Processing Agreement. EU research institutions are the data controller and remain responsible for what is happening to the data.

Protective measures

Principles for protection shall according to GDPR Article 5 §1 include purpose limitation (only for specified legal purposes), data minimization (only use relevant and necessary data), storage minimization (do not keep longer than necessary), and integrity and confidentiality (technical and organisational measures).

GDPR Article 32 §1 requires data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

GDPR Article 32 §1 suggests encryption and/or pseudonymization when suitable. Pseudonymization, according to GDPR Article 4 §5, entails processing personal data in such a manner that they can no longer be attributed to a specific person without the use of additional information (e.g. "a key"), which is to be kept protected and separate. If this additional information is deleted, so that it is no longer possible to attribute the data to a specific person even indirectly, then the data are anonymous and cease to be personal data regulated by GDPR, and thus may no longer require as high a level of protection. However, GDPR Article 32 §1d requires regular follow-up on the effectiveness of protective measures, including anonymization carried out in the past: as the "state of the art" progresses and more information becomes available, it may over time become possible, or even trivial, to again attribute the data to a specific person, so the data are no longer anonymous. Depending on how the supposedly anonymous data have been disseminated, it may then require significant effort across many organisations to restore them to an appropriate level of protection.

Roles and Responsibility for authors, Public nEUro and users

Roles

Author(s): The person(s) who are credited with the work in producing the dataset, be it in defining the selection criteria, or gathering, structuring, enriching, or annotating the data, or for leading or funding the work. This is comparable to the list of authors in an academic publication.

Copyright holder and Data controller: the institution(s) each dataset originates from.

Contact person: The person to be contacted in relation to a dataset. This would typically be an author or a data protection officer from the author institution.

Data processor: The Neurobiology Research Unit/Region Hovedstaden is the data processor on behalf of the data controllers (each data controller must have signed a data transfer agreement with Public-nEUro to process their data).

Data Processing Agreement (DPA): the DPA refers to a legal document in which the data controller allows Public-nEUro to process data on their behalf.

User: the person who is downloading one or more datasets – users are registered and fully identified, they must belong to an institution and agree with the terms of each dataset.

Data User Agreement (DUA): the DUA refers to the legal document in which a user agrees with the terms set by the data controller.

User Institution: a public or private organisation involved in biomedical brain imaging research and development activities. A user's institution must be registered together with the user and must disclose the security measures in place before a dataset can be downloaded.

Data Protection Impact Assessment (DPIA): DPIA is a document where the risk associated with data processing is evaluated.

Responsibilities

The authors are responsible for pseudonymizing their data and for providing a Data User Agreement that is lawful under GDPR and national law. Public-nEUro is responsible for data sharing, for ensuring that the Data User Agreement (and, for users in non-EU countries or countries not offering an adequate level of protection, the Standard Contractual Clauses) is signed before access is given, and for ensuring overall data security.

Metadata and DOI

BIDS datasets are fully indexed with DataLad, and their metadata are published and openly available via our GitHub repository. The DataLad catalog is used to index all the datasets and to search for them. Work is ongoing to also make the data findable via OpenNeuro and EBRAINS.

Once the data are uploaded and the metadata encoded, the dataset receives a DOI and the metadata are published under this new DOI.

Finding, Searching and Data checks

Findability is ensured by using metadata schemas (i.e., small text-based files describing the data at a group level, without any personal data), which make the data findable via other platforms. We are also working on making data available via a Data Catalogue.

Accessibility is ensured by the Cloud service that allows downloading datasets for identified users. It is further supported by DataLad, a free and open-source distributed data management system.

Interoperability and Reusability are ensured by curating datasets, or by requesting users to curate their datasets, using the Brain Imaging Data Structure (BIDS). Every dataset is checked to ensure it is BIDS compliant.
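As an added illustration (not Public-nEUro's own validator, which uses the official BIDS tooling), the following Python script performs a minimal structural BIDS check and, in the spirit of the group-level metadata rule above, flags participants.tsv columns that look like direct identifiers. The list of identifier column names and the sample dataset it builds in a temporary directory are constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Columns treated as direct identifiers in this example (an assumed list, not a BIDS rule).
IDENTIFIER_COLUMNS = {"name", "surname", "birthdate", "date_of_birth", "address", "email", "phone"}
SUBJECT_DIR = re.compile(r"^sub-[A-Za-z0-9]+$")


def check_dataset(root):
    """Return a list of problems; an empty list means the minimal checks passed."""
    root = Path(root)
    problems = []
    desc = root / "dataset_description.json"
    if not desc.is_file():
        problems.append("missing dataset_description.json")
    else:
        meta = json.loads(desc.read_text())
        for key in ("Name", "BIDSVersion"):  # required top-level keys in BIDS
            if key not in meta:
                problems.append(f"dataset_description.json lacks '{key}'")
    subjects = {p.name for p in root.iterdir() if p.is_dir() and SUBJECT_DIR.match(p.name)}
    if not subjects:
        problems.append("no sub-<label> directories found")
    tsv = root / "participants.tsv"
    if tsv.is_file():
        lines = tsv.read_text().splitlines()
        header = lines[0].split("\t") if lines else []
        if not header or header[0] != "participant_id":
            problems.append("participants.tsv must start with a participant_id column")
        for col in header:  # group-level metadata must not carry personal data
            if col.lower() in IDENTIFIER_COLUMNS:
                problems.append(f"participants.tsv column '{col}' looks like a direct identifier")
        for line in lines[1:]:  # every listed participant needs a matching subject directory
            pid = line.split("\t")[0]
            if pid not in subjects:
                problems.append(f"participant '{pid}' has no matching sub-<label> directory")
    return problems


def build_sample(clean):
    """Construct a tiny dataset in a temp dir; clean=False adds an identifying column."""
    root = Path(tempfile.mkdtemp())
    (root / "dataset_description.json").write_text(json.dumps({"Name": "demo", "BIDSVersion": "1.8.0"}))
    (root / "sub-01" / "anat").mkdir(parents=True)
    header = "participant_id\tage\tsex" + ("" if clean else "\tname")
    row = "sub-01\t34\tF" + ("" if clean else "\tJane Doe")
    (root / "participants.tsv").write_text(header + "\n" + row + "\n")
    return root
```

Running `check_dataset(build_sample(False))` returns a single problem naming the `name` column, while the clean sample returns an empty list.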