CPernet / open-brain-consent

Making neuroimaging open from the grounds (consent form) and up (tools)
http://open-brain-consent.readthedocs.io

review #2

Closed CPernet closed 4 years ago

CPernet commented 4 years ago

@eglerean @robertoostenveld @PeerHerholz @jsheunis to review https://github.com/CPernet/open-brain-consent/blob/GLiMR-workshop/docs/source/ultimate_gdpr.rst

CPernet commented 4 years ago

more reviewers: @athorogood @tjhwhite @pjtoussaint

tjhwhite commented 4 years ago

Greetings Cyril,

I’ll plan to take a look at the open brain consent next week, if that’s OK. I was on vacation and now I have a stack of grants that need to be reviewed before the end of the week.

Cheers, Tonya


Tonya White, M.D., Ph.D., M.Sc. Eng Associate Professor Department of Child and Adolescent Psychiatry Erasmus MC-Sophia / Kamer KP-2869 Postbus 2060 3000 CB Rotterdam

Bezoekadres: Wytemaweg 8 3000 CB Rotterdam

tel: +31 (0)10 703.70.72



eglerean commented 4 years ago

Hi

You most likely have discussed this during the workshop, so I apologize if this is a trivial question. I was just thinking that it might be more reassuring from the participant's perspective to delete the sentences

" In addition, a security breach (break in or cyber attack) might lead to someone being able to link you to your data. This risk is very low because your data are stored in a secure database, and the information about your identity is stored separately from the data themselves, linked only through a code."

Instead, an appendix with a DPIA (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/) could be attached to the consent form (and privacy notice). The DPIA could evaluate the likelihood of such "data breach" risks. Such risks are not any higher than those regarding personal data we store in our phones/homes/etc. These generic risks can be written elsewhere and it would still be available for the participant to read about them in the DPIA if they so wish.

What do you think? Did you discuss this already?

jsheunis commented 4 years ago

To my recollection we didn't discuss this at the workshop. I like the idea, although it might vary based on whether a Data Privacy Impact Assessment (DPIA) or PIA was actually conducted, and to what level of detail. At the very least, I think it's good practice for any study to do an elementary PIA. At our institution we are asked by the data protection officers to do a simple PIA-like assessment to answer the following questions before starting study planning:

Such a basic description could maybe contain a template-like formulation of general risks and severity levels.

I also like this idea since it would link to steps/processes that are expected in terms of GDPR, thus making the whole aspect of GDPR compliance (or not) more transparent.

jsheunis commented 4 years ago

also tagging @DorienHuijser

PeerHerholz commented 4 years ago

Great addition @eglerean and great points @jsheunis. I think this would be a great and highly valued add-on, not only to the GDPR version. Should the DPIA be treated as an addendum and should we include the pointers from @jsheunis as some sort of "minimal needed information" guideline?

CPernet commented 4 years ago

To me, it points to a new doc as we did for the DUA. A DPIA is highly recommended, and I'm pretty sure many IT departments will have something like that ready.

DorienHuijser commented 4 years ago

Thanks for adding me here :). I think adding a DPIA to the informed consent may only be confusing/possibly worrying for people. Writing a short paragraph instead about the fact that such a risk assessment was done and that security measures were taken (or which ones) should be enough in my opinion. If possible, the answers to @jsheunis's questions could also be included, but I think some of them are already answered in the template (e.g., you ask consent for the sensitive data [lawful basis + data types] and state who has access to them [parties involved])

eglerean commented 4 years ago

Thanks for the good points @DorienHuijser ! Indeed DPIA are confusing and worrying. The solution I had in mind is like you wrote

1) the consent form read by the subjects doesn't specifically go into the risks with words like "data breach" to avoid unrealistic fears and can instead have a generic line "we assessed the risks".

2) somewhere, if needed and if requested by the subject, a risk assessment has been carried out so that the participants who want can also read more (i.e. a DPIA which could even be a "generic" DPIA reused for all projects at an institution)

What do you think?

PeerHerholz commented 4 years ago

@eglerean, so the idea would be to definitely have a DPIA but only provide the specifics if asked by participants? Would you include more information regarding the DPIA in a potential ethics proposal? If so, we could have two forms: one being the adapted open brain consent with the generic line you mentioned and one chapter for ethics proposal with specifics of the DPIA (depending on the institute and ethics committee of course).

Would something like that be suitable?

eglerean commented 4 years ago

Maybe? :)

Long answer here from how we made the whole process at our uni, to give the picture I see.

A researcher prepares:

1) ethical application [not public yet, but they should be IMO]

2) consent form to take part in this exact experiment [describes the hypothesis and it is given to subjects to sign]

3) privacy notice as required by GDPR [given to the subject to explain their data rights]

Now we are adding secondary use of research personal data, so we need:

4) consent form for data reuse [will be given to subjects to sign, this is exactly the open brain consent]

5) Data User agreement [not given to subjects but they can read it if they want or ask about it]

6) DPIA regarding secondary use of research personal data [risk assessed, not given to the subjects but they can read it if they want or ask about it]

At my uni we started to keep all privacy notices for research projects (and not only) on a public webpage https://www.aalto.fi/en/services/privacy-notices so that who comes to the experiment has the time to read everything in advance.

DUA, DPIA and other generic IT security/etc documents can also be stored in a similar place for those participants who want to read (and ask).

I am not sure if this is THE way to go, but from the subject's perspective they have something clear, simple, and "not scary" to read (the open brain consent form) and then go more into details with privacy notices, DPIA, DUA etc. We have to be ethical, so it is not about writing a fine print that nobody reads and making people sign, yet we don't want to scare subjects away mentioning "data breaches" since those can happen anyway anywhere. So a statement that expresses that there are risks with secondary use of personal data and if the participants want to ask about it they can do so, but the benefit for science outweighs the theoretical risks.

jsheunis commented 4 years ago

@eglerean @PeerHerholz @DorienHuijser I really like the fact that we are getting into the nitty gritty of the different documents / notices / consents that are involved in this process of collecting, processing and sharing research data under GDPR.

I think it's worthwhile to note that my personal approach to this overall project is to clearly delineate between these aspects and to see how each is influenced by GDPR requirements, such that we can make it easier for researchers to understand and implement it. We all know it is already sufficiently complex for even experts to navigate.

Practically, this means (IMO) that the "Ultimate Open Brain Consent - GDPR edition" is not sufficient to stand on its own. It will not solve "sharing research data under GDPR". We will need a clearly delineated set of templates and procedures to do that. Of course, it's totally fine to start simple with just the OBC form and expand from there, noting explicitly where we would link to external documents/templates once we have them.

So onto @eglerean's comments about the different documents, I would like to expand it a bit to explain my understanding and make it easier for you to comment on:

A researcher prepares:

So how does the intention to share research data under GDPR change the above? I think that is the important question to ask to guide our efforts in providing useful templates.

I think we need to be clear about the distinction between consent that the participant gives for taking part in the study, which requires them to be sufficiently informed about the whole process (including about data sharing and data privacy, risks, etc), and consent for sharing their somewhat-de-identified data. Is explicit consent for the latter actually necessary if we state the lawful basis for data processing to be (1) public good or (2) legitimate research interest? If not, then the OBC is just a privacy notice and not an actual consent form. Accordingly, if this consent is implicit when the participant signs the general study consent form (after being sufficiently informed about everything), we need to be clear about that.

jsheunis commented 4 years ago

Here's a graphical depiction of what I mean:

[Image: Delineating consent_notice_letter_form templates]

Editable version available in Google Drive.

jsheunis commented 4 years ago

Also tagging @GNilsonne

eglerean commented 4 years ago

Beautiful explanation @jsheunis Those words and process descriptions should go into many universities support pages. I think that the DPIA with the risks of secondary use of research data is also needed because we can be honest to the participants and give them all the unrealistic risks with probability epsilon =~ 0 and they can still make an informed decision and donate their personal data for science. DPIA allows institutions to deviate from the GDPR and in this case a single DPIA can be reused for all secondary use of personal data as the risks are always the same.

GNilsonne commented 4 years ago

Thanks for the ping - following!

DorienHuijser commented 4 years ago

Great visualization! I never made the distinction before between the participant information letter and the privacy notice. Information about handling of sensitive/personal data is often included within our participant information letters and this is also why I thought of the OBC as a section within the info-letter. In the consent form, people can then indicate whether or not they consent to specific parts mentioned in the information letter.

There is a DPIA template available at Leiden University: template-dpia-research (2).xlsx, although I don't know if privacy-people (sorry if that sounds denigrating) are busy with making a (better) template..

I also agree that there should be a DUA template that has been declared lawful and usable for MRI researchers. I have asked our data protection office about this and they referred me to the law department. I'm still planning on asking them about this, I hope they can help.

DorienHuijser commented 4 years ago

Hi all! Best wishes for the new year :) I have read the form and don't really have any comments on it, it looks good!

I was wondering: Who are still planning on reviewing the OBC form? Just so that I have an indication when I can start translating the form to Dutch for our researchers to use :)

jsheunis commented 4 years ago

I still want to add my review during the next two weeks, hopefully this week...

CPernet commented 4 years ago

@jsheunis do remember that under GDPR 'The consent form, in which the participant agrees to take part in the study. This might contain extra boxes of consent for the participant to check and sign, because of GDPR.' is not really necessary, because the legal basis for carrying out your research is not the consent anymore but your 'public task'. You do however need proof that people have been informed about the different bits of the research and that they can withdraw etc., and the best proof is a signature, so in the end you need a consent anyway (but I just wanted to make that distinction).

CPernet commented 4 years ago

@all now changed the 'breach' sentence, from

In addition, a security breach (break in or cyber attack) might lead to someone being able to link you to your data. This risk is very low because your data are stored in a secure database, and the information about your identity is stored separately from the data themselves, linked only through a code.

to:

The risks of accessing such data from our servers have however been assessed and are considered to be low [(see the university/centre Data Privacy Impact Assessment @http://www.xxxx)].

CPernet commented 4 years ago

@all I have now included some recommendations on DPIA here the idea being to point to people that such thing should be in place rather than us doing any of this -

tjhwhite commented 4 years ago

Greetings and Happy New Year. I need to get caught up on this important work; where do I find the current work? Thanks, Tonya


Tonya White, M.D., Ph.D., M.Sc. Eng Associate Professor Department of Child and Adolescent Psychiatry Erasmus MC-Sophia / Kamer KP-2869 Postbus 2060 3000 CB Rotterdam

Bezoekadres: Wytemaweg 8 3000 CB Rotterdam

tel: +31 (0)10 703.70.72


De inhoud van dit bericht is vertrouwelijk en alleen bestemd voor de geadresseerde(n). Anderen dan de geadresseerde(n) mogen geen gebruik maken van dit bericht, het niet openbaar maken of op enige wijze verspreiden of vermenigvuldigen. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender te informeren door het bericht te retourneren en uit uw bestanden te verwijderen. Het Erasmus MC kan niet aansprakelijk gesteld worden voor een incomplete aankomst of vertraging van dit verzonden bericht. Ook aanvaardt het Erasmus MC geen enkele aansprakelijkheid voor enigerlei schade, voortvloeiend uit het gebruik en/of acceptatie van de inhoud van het bericht.


On 6 Jan 2020, at 14:27, Stephan Heunis notifications@github.com<mailto:notifications@github.com> wrote:

I still want to add my review during the next two weeks, hopefully this week...

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCPernet%2Fopen-brain-consent%2Fissues%2F2%3Femail_source%3Dnotifications%26email_token%3DAHCELLQYNQAQL3GWBVNUS43Q4MWUNA5CNFSM4JUVTIPKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIFN56Y%23issuecomment-571137787&data=02%7C01%7Ct.white%40erasmusmc.nl%7Cb101f6e20e814ce016c808d792ac313a%7C526638ba6af34b0fa532a1a511f4ac80%7C0%7C0%7C637139140568338102&sdata=neZo%2FUrsYqUnzZ2itdv%2B5OWUIRmBz9TsLjtP37rTI2E%3D&reserved=0, or unsubscribehttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAHCELLR74RIICW6B6BNVQ4LQ4MWUNANCNFSM4JUVTIPA&data=02%7C01%7Ct.white%40erasmusmc.nl%7Cb101f6e20e814ce016c808d792ac313a%7C526638ba6af34b0fa532a1a511f4ac80%7C0%7C0%7C637139140568338102&sdata=pvIvQuiRLni4PcwB3LoX5vnmrFcRQqWBmfTYd5bVP%2FY%3D&reserved=0.

CPernet commented 4 years ago

Hi Tonya, it's here, in the docs/source folder.

jsheunis commented 4 years ago

@CPernet can you make your commits of the DUA and other files part of PR #3 somehow, so that we can review them all in one place? Or if not, create a new PR to enable that?

CPernet commented 4 years ago

conflict resolved and PR merged

jsheunis commented 4 years ago

Thanks. But now (if I'm understanding this whole GitHub PR review thing correctly) we can't review the updated lines of text/code since the PR is closed. So you can either revert the merged PR, or what I can do is to create a new PR with my new updates. Then everyone can review this?

It's a bit messy, but what I like about being able to review everything using Github's functionality is that we can hash out details about single lines of text by starting a review thread on those particular lines. And we can still use this issue to discuss everything more generally. What do you think?

CPernet commented 4 years ago

@jsheunis, please open another issue if needed, there are more changes to see than that one - including new docs

and also

jsheunis commented 4 years ago

Thanks I will do that. I am working locally on restructuring the index such that there is more of a natural flow to the information we are adding. I will create separate issues:

And then send PRs for all.