update consent form new EU GDPR data law

[PeerHerholz]

Hey everyone,

I guess most of have heard that the EU made some changes regarding data protection and you got one or the other "we've updated our privacy policy" mails. It's called the General Data Protection Regulation (GDPR) and you can find information about it here and here.

As I recently put some work into making the open brain consent the standard data sharing form here I had "some" discussions, also regarding the GDPR. Based on that, I wanted to ask if you think the form should be updated including add ons related to the GDPR!? Maybe an GDPR version for european folks/studies? After going through the legal text and in accordance with our local ethics committee, adding the contact information of the state's data protection officer and the person that's responsible for data analysis is sufficient so far (our updated version was already accepted here).

Would be great to get some ideas and start discussions.

Best, Peer

[Remi-Gau]

The issue was raised on twitter and some pointers were given to the MRC website.

[yarikoptic]

adding the contact information of the state's data protection officer and the person that's responsible for data analysis is sufficient so far (our updated version was already accepted here).

Should we then may be just add an additional paragraph at the end of the ultimate form, with a comment, alike

(For studies in EU and GDPR compliance, add this additional paragraph) .... whatever @PeerHerholz had added to satisfy the committee ...

How did you word it @PeerHerholz ?

[PeerHerholz]

Hey @Remi-Gau & @yarikoptic,

thanks for following up on this.

After this paragraph However, any data and research results already shared with other investigators or the general public cannot be destroyed, withdrawn or recalled. we included the following: Furthermore, you have the right to file a formal complaint at a data protection regulatory authority, more precisely, the state's data protection commissaries (*contact information here*).

Additionally, we mentioned the name and contact information of the person responsibly for data analyses: The person responsible for data analyses is Peer Herholz (*contact information here*).

Last but not least, the committee required that people could also participate in a study, even if they don't sign the consent form. This is, of course, against the aims we're trying to achieve. However, we had to do it and so far everyone (over 50 participants) signed it without any reservations.

One potential (more certain) problem is that all this will be highly dependent on the ethics committee at hand. For example, everyone I know who's working at a private research institute (different folks at different branches of the same institute) says that data sharing is simply not possible for them. No matter what. I already had conversations with different institutes of this kind, presenting the consent form, also in the context of the GDPR, but no chance. Nothing.

I wonder if other EU folks already have some experience wrt this topic?

[CPernet]

hackathon proposal for OHBM2019 @jsheunis is on it we need to clarify what we consider anonymous data - if de-identified, then you don't even need consent to share --> I prefer asking anyway and currently, I think the consent reflects this quite well we may consider brain data are never really anonymous

[vsoch]

Just a quick note after having worked with the SOM about "deidentified" vs. "anonymized." I'm not sure about the source of this distinction but they stressed it to me several times.

Deidentified is an assertion that the identity / PHI is completely removed. What if a header field is left, there is a bad nose stripping, or just someone makes a mistake? Anonymized suggests a "best effort" to remove PHI but does not guarantee it. Deidentified guarantees it. I would argue you can never 100% guarantee it, and so perhaps it makes sense to come up with a list of criteria that encompasses a best effort anonymization. If you really think deid. can be guaranteed, you could think about that too (but it seems like a hard problem).

Just looked at the hackathon proposal - that looks like a great idea! +1 to have an updated protocol for the latest and greatest tools. :)

[PeerHerholz]

I'm super glad that this is finally taking off and that so many folks are interested in taking part and helping. It seems like a lot of us already have experience wrt this topic and did something within their own institute/university. That being said, it's nothing but amazing that our efforts can/will be combined through the hackathon project and hopefully beyond that as well. @jsheunis and I started a channel called open_brain_gdpr within the slack brainhack workspace. However, given recent developments we could/should move to mattermost and additionally also guarantee, that the process is documented and accessible more openly than slack and mattermost would allow. We'll start a google docs soonish within which I'll also link and include the awesome twitter thread.

Regarding the pointers from @vsoch and the twitter thread wrt de-identification, anonymization, metadata, the possibility of re-identification, etc., @Remi-Gau and I are currently discussing extensions for BIDSonym here to address some of these points (e.g. some sort of BIDS validator, but regarding identification/personal data aspects with the option to remove these things from, for example headers and json sidecar files). Furthermore, there are plans to include something like a "quality check" using @wazeerzulfikar's amazing mri-deface-detector, also incorporating David Abramian's & @wanderine's cool refacing tool. Any input/ideas/comments highly appreciated!

[vsoch]

Since you didn't mention it, I'll add pydeface which might even be behind some of the BIDS tools. I don't have a record but (I believe) either it or another one of the apps are cleared by our IRB to anonymize data. I can double check on this if it's helpful - it was a few years ago so I don't remember the exact details.

[PeerHerholz]

thx for the pointer @vsoch! BIDSOnym already includes pydeface. From my experience I do think it does a good job of removing features that are important wrt re-identification. However, we would still need the assessment of the header and metadata files. Do you have any chance to maybe ask that person again why it might be okay to use pydeface? With that we could also start gathering comments/ideas/opinions from IRBs.

[vsoch]

That's a great idea @PeerHerholz, I'd be happy to! How cool would it be to have some kind of inter / national best practices? I'll get back to you with more information.

[vsoch]

@poldrack you were involved in the discussions right? I checked with Ruth, and she suggested reaching out to you if there is any detail that can be provided. It would be good to know what was evaluated (and if more is needed) so BIDSonym a la pydeface can be further recommended.

[poldrack]

we had discussions around openneuro but not about consent for Europeans to share data. I think that it would be best to engage someone with deep expertise on the implications of GDPR for human data sharing - unfortunately I don't know such a person...

[vsoch]

@poldrack isn't that a different thing than anonymization? Despite the title of the issue, I think @CPernet and @PeerHerholz and discussing a hackathon proposal for OHBM 2019 that will define what is anonymized data.

[poldrack]

sorry, my confusion. but I do think that any discussion of anonymization wrt GDPR will require someone with deep knowledge of the regulations (i.e. probably a lawyer or policy wonk, not an imager)