Background¶
To facilitate neuroimaging data sharing, a template data sharing consent form was generated by pooling forms from many places and being reviewed by ethic experts and lawyers, resulting in a 1st draft of open consent around 2015. This consent doesn’t however comply with the European General Data Protection Regulation (GDPR), and work has been done in June 2019 during OHBM Hackathon toward updating the consent: see this google doc Following up on this work, the GliMR COST action joined the project and organized a workshop in November 2019 to create a new consent form.
Workshop Participants¶
| surname | name | expertise | |
|---|---|---|---|
| Pernet | Cyril | cyril.pernet@ed.ac.uk | neuroinformatics, data management |
| Katsaros | Vasilis | bslkatsaros@gmail.com | clinical |
| Mutsaerts | Henk-Jan | henkjanmutsaerts@gmail.com | signal processing |
| Benedetta Pizzini | Francesca | francesca.pizzini@aovr.veneto.it | clinical |
| Barker | Gareth | gareth.barker@kcl.ac.uk | ethic, multi-centre trials |
| Heunis | Stephan | jsheunis@gmail.com | cognitive neuroscience, method, OBC |
| Herholz | Peer | herholz.peer@gmail.com | cognitive neuroscience, method, OBC |
| Oostenveld | Robert | r.oostenveld@donders.ru.nl | ethic, data management |
| Broeckx | Nils | nils.broeckx@dewallens-partners.be | law, GDPR |
Issues addressed during the workshop¶
Anonymization¶
Following the OBC, data must be de-identified before distribution. However, it has become clear that one cannot single out subjects from biomedical data and/or MRI scans (including fMRI profiles from connectivity). This means that changes to the data (removing ID and defacing) is only a pseudo-anonymization procedure and according to GDPR, that procedure leaves the data as ‘personal’ (as opposed to ‘anonymized’).
GDPR¶
There are specific items required in a consent form that needs to be updated: data controller, data processor, legal basis, right to withdraw, info and contact of the data protection officer, how data are pseudoanonymized, infrastructure where data are stored, where data are shared, how people will access data, signature of who collected the consent, where and when.
GDPR doesn’t allow sharing freely personal data outside the EEA –> a data user agreement must be used, limiting redistribution, excluding attempt to reidentify, and including what to do re-identification occurs.
Clinical Data¶
When collecting data from patients, there are some specifics aspects to consider that should be included (as a separated template?).
Goal¶
- update consent form with GDPR items
- draft a data user agreement (Donders’ DUA)
- recommendation on pseudo-anonymization
- recommendation on sharing (GLiMR specific)
Schedule¶
We streamed the morning session on google hangout.
- 10.00 Sharing brain MRI data under GDPR (Cyril Pernet)
- 10.40 Introduction to the OBC (Stephan Heunis)
- 11.15 Issuing a Data User Agreement - example from the Donders (Robert Oostenveld)
- 12.00 Collecting and sharing Patients data (Francesca Benedetta Pizzini)
- 12.30 General Discussion (Nils Broeckx, chairing/answering GDPR questions)
- 13.30 Split per working groups to update the documentation
- 16.00 Wrap-up
From there, discussion on GitHub followed to update all documentation.