All partners in the CHALLENGE Platform adhere to the code of conduct outlined by Novo Nordisk Fonden. This document further details the principles for handling personal and confidential data, as well as biological materials. It also describes the measures taken to ensure the secure storage, transfer and analysis of these sensitive data. Each partner is individually responsible for conducting themselves appropriately and in compliance with their own institution's rules concerning the storage, transfer and analysis of these data and biological materials.
This project complies with the EU GDPR, the requirements of the Danish Data Protection Agency, and commonly accepted good practices for the secure handling of personal and confidential data in scientific research projects. The project implements Data Processing Agreements and aims to include all relevant partners and associates. All management of data between institutions, e.g. receiving, sending or processing, is to be carried out either by a designated Data Processor (a person, institution or corporation specified in the Data Processing Agreement) or by a person specifically authorized by the Data Controller. Moreover, the project complies with all data security strictures contained in the approved application to the National Committee on Health Research Ethics.
The EU GDPR distinguishes between “personal data” and “sensitive personal data”. Personal data could include name, address, education or employment, while sensitive personal data and materials could include race, sexual orientation, health information, dates of medical examinations, and biometric, genetic or proteomic data. CPR numbers are categorized separately as confidential data.
Personal data and sensitive personal data pertaining to patients or donors used in this project are to be processed in a pseudonymised form. This means that no sensitive data, such as diagnoses, dates of hospital visits or biological materials, can be linked to a specific person. Different personal, sensitive personal or confidential data regarding the same patient may be handled throughout the project, but there will be no way of linking, for instance, a specific biological sample with a CPR number. In this way a person working on the project will neither be able to disclose the identity of an individual nor gain any knowledge about specific patients, donors or citizens.
Pseudonymised or confidential data that needs to be stored for any length of time is to be kept on encrypted hard drives, e.g. using BitLocker. The passwords to these hard drives will only be known to authorized members, such as designated Data Processors, and are never to be written down or sent via unencrypted email or messages. Detachable hard drives will, at all times, be kept in the possession of an authorized person or securely locked away. The detachable drives should not be connected to any computer suspected of being susceptible to virus or hacking attacks. Pseudonymised or confidential data is never to be stored on a cloud storage service, as these are deemed less secure. Cloud storage may also violate the GDPR, as the servers might be located in a non-EU country not specified in the Data Processing Agreement.
Paper documents containing pseudonymised or confidential data are to be kept in the possession of an authorized person or securely locked away. This could mean a keycard-protected front door and a locked cabinet, office or archive. Paper documents such as printed lists of hospital record numbers or CPR numbers are only for temporary use and will be destroyed immediately after use. Any such documents handed over to support staff or external participants will be destroyed, or returned for destruction, after their intended use. While in use, they are to be kept by an authorized person only or be securely locked away.
Any biological material from patients or donors is to be stored, transported, processed or analyzed in a way that ensures high confidentiality. Materials are to be kept behind two sets of locks, such as a keycard-protected front door and a locked cabinet, office or archive. The biological materials are to be clearly marked with an identifying number.
The individual patients and donors from whom the tissue used in this project originates will all have their CPR numbers checked against Vævsanvendelsesregisteret (Registry for Use of Tissue) by a person who is both authorized to do so and not involved in the project. In all cases where a patient or donor is registered as not wishing their tissue to be used for scientific purposes, their tissue will not be used in the project and their data will be excluded.
Transportation of biological materials and pseudonymised or confidential data between institutions will always be carried out by an authorized person. Biological materials are to be transported in appropriate containers, digital data on an encrypted hard drive, and paper documents in appropriate folders; none of these may leave the sight of the authorized person during transport. Materials are checked and counted before and after transport. If materials or data are lost or stolen, this will immediately be reported to the appropriate authorities and to the institution of origin. If materials or data sustain damage, this will be reported to the institution of origin immediately.
Processing and analysis of data and biological material is only to be carried out by an authorized institution, corporation or person and under conditions of restricted access. During analysis or processing, all data and biological material will be under the supervision of authorized people. Pseudonymised or confidential data can be processed and saved temporarily on an unencrypted computer, but will not be stored there for any length of time. Upon completion of processing, the data will either be secured by encryption or deleted. Biological material will be returned to its secure archive of origin or destroyed once the analysis is complete. Some analyses might require destruction of the analyzed material. This will, however, never happen without consent from the institution of origin, and never in cases where it is the last remaining biological sample from a clinical archive.
After the end of use, e.g. analysis, acquisition, or confirmation of successful transfer, pseudonymised or confidential data held on computers or detachable hard drives will be deleted and, if possible, the drives should be formatted.
Data in the form of paper documents can be destroyed by dropping them in a designated shredding bin or otherwise ensuring shredding or incineration.
Biological materials are only to be destroyed with the consent of the institution from which they were acquired. They are to be disposed of as biohazardous medical waste.
All transfers of pseudonymised or confidential digital data will be carried out by an authorized person and in a way that ensures high security. Emails containing pseudonymised or confidential data are only to be sent via encrypted email services and are to be deleted no more than 30 days after receipt. Pseudonymised or confidential data is never to be shared by way of cloud storage or any other service that does not offer a high level of security. Data transfer is only to be conducted peer-to-peer, e.g. via secure FTP or a similar service that is approved by the IT-responsible staff at both the sender’s and the recipient’s institutions and that preferably offers encryption.
Computers and other devices (e.g. tablets or smartphones) used for viewing, processing or analyzing pseudonymised or confidential data will always be password protected. While working with pseudonymised data, members will make sure that no one else can gain access to their devices while they are not present. Putting the device into sleep mode, a screensaver or another setting that requires a password for reactivation is an easy way to ensure this. Laptops, tablets or phones containing, or with access to, research data are never to be left lying around and should always be kept close to their owner during travel or transport.
All partners in the project, both individuals and institutions, will be made aware of this document and be given an introduction and short presentation on the subject of data security at the project's annual meeting. Furthermore, all partners will be made aware of their obligation to comply with the EU GDPR as well as the specific data security requirements of their own institution or corporation. The partners are required to regularly make sure that data security is upheld, e.g. by conducting a data security assessment, and that they comply with the most recent version of this document.