Introduction
At PROBE we believe in full transparency with regard to our legal matters. Our ambition is to ensure that all members know exactly what happens to their data, and feel safe that they can always have it removed without further ado.
1. Introduction and scope
PROBE wants to assess the regulatory requirements in Europe for processing personal data on the PROBE platform between users of the platform, individual researchers and health organisations, including security measures for the processing and storage of personal data.
Identified legislation and international standards of relevance:
- GDPR (EU) 2016/679
- ISO 27001:2017 Information technology – Security techniques – Information security management systems – Requirements
- ISO/IEC 27701:2021 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines
2. Regulatory definitions related to personal data
In the European Union (EU), the sharing of personal data is regulated by the General Data Protection Regulation (GDPR (EU) 2016/679).
GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, cf. GDPR, Art. 4(1).
The Controller of personal data “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”, cf. GDPR, Art. 4(7).
The Processor of personal data “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”, cf. GDPR, Art. 4(8).
Consent to control and process personal data “means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”, cf. GDPR, Art. 4(11).
3. Product description
PROBE is developing a cloud-based software platform where users (natural persons) of the platform can be matched as test subjects with clinical trials testing medical devices or pharmaceutical products. The list of clinical trials will be made available by hospitals, research institutes, pharma companies or Contract Research Organisations (CRO). The platform will be open for sign-up for both healthy volunteers and patients.
4. Personal data on Probe cloud-based platform
At signup, the user is requested to provide name, contact data, gender, etc. Once the user profile is set up, the user is requested to provide information on health status and diagnoses relating to physical, physiological, genetic, mental, ethnic and/or social identity. This information will be available to the host of the cloud platform, PROBE, and the physicians/clinicians on the platform.
Processing of such personal data is by default prohibited by GDPR (GDPR, Art. 9(1)) unless the purpose falls under one of the exemptions in GDPR, Art. 9(2)(b)-(j), or the natural person gives consent to the storage, archiving and processing of the personal data (GDPR, Art. 9(2)(a)). As PROBE cannot claim that the processing falls under Art. 9(2)(b)-(j), PROBE must obtain consent from the natural persons signing up on the PROBE cloud-based platform.
The consent must be signed either by a physical signature or by eSignature via e.g. MitID or a document management platform providing eSignature. All consents must be stored for as long as the person’s personal data is kept for storage, archiving and processing. The person must be offered the opportunity to withdraw the consent at any time. In the event of a request to withdraw the consent, PROBE must document that all of the person’s personal data has been deleted.
5. PROBE as Data Controller
When processing and storing individual personal data and sensitive health data, PROBE becomes Data Controller, cf. GDPR, Art. 4(7). This implies that PROBE must keep records of all processing activities performed on the PROBE platform, including the processing purpose, timestamp, and categories of personal data processed, cf. GDPR, Art. 30.
The records shall be made available in writing upon request from the authorities.
6. Cloud hosting services as Data Processor
The host of the cloud platform where the person’s personal data and health data is stored, and can be accessed by clinical trial providers seeking test subjects, becomes Data Processor, cf. GDPR, Art. 4(8). Such data processors must sign a Data Processor Agreement with PROBE that regulates the data processing services, including control of access to personal data, storage and archiving.
It is recommended that PROBE use a cloud platform with ISO 27001 certification. This will ensure that all possible measures for securing data are taken and in accordance with applicable data security practices.
7. PROBE and securing personal data
Agreements with Data Processors are part of the data security measures taken on behalf of PROBE. To instruct Data Processors, PROBE must have its own security policy in place. This includes procedures for data backup, data breaches, data erasure, and the rights of data subjects, cf. GDPR, Art. 32.
PROBE must also perform a risk assessment of all identified security risks and mitigate them to acceptable risk levels.
8. Information Security Management Systems (ISO 27001)
Implementing a security policy together with procedures for data backup, data breaches, data erasure, and rights of data subjects will be the start of establishing an Information Security Management System (ISMS).
Apart from the already established security policy and procedures, the following policies and procedures must be implemented:
- Quality Policy and Quality Objectives
- Company management and organizational setup
- Education and Training of personnel
- Performance evaluation
- Asset management, Physical and Environmental security
- Access control
- Cybersecurity and Cryptography
- Supplier relations (e.g. Data Processor Agreements)
- Business Continuity
ISO 27001 is an international standard on how to manage information security. Companies that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit.
ISO 27001 requires that company management
- Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
What controls will be tested as part of certification to ISO 27001 is dependent on the certification auditor. This can include any controls that the organisation has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.
Other standards in the ISO 27000 family provide additional guidance on certain aspects of designing, implementing and operating an ISMS, for example ISO 27701 for privacy information management, which will ensure that PROBE is in compliance with GDPR.
9. ISMS Certification
An Information Security Management System (ISMS) may be certified compliant with ISO 27001 by a number of Accredited Registrars. In some countries, the bodies that verify conformity of management systems to specified standards are called "certification bodies", while in others they are commonly referred to as "Registrars".
The ISO 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process:
- Stage 1 is a preliminary, informal review of the ISMS for example checking the existence and completeness of key documentation such as the organization's information security and risk policies. This stage serves to familiarize the auditors with the organization and vice versa.
- Stage 2 is a more detailed and formal compliance audit testing the ISMS against the requirements specified in ISO 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation. Passing this stage results in the ISMS being certified compliant with ISO 27001.
- Ongoing: follow-up audits from the certification body confirm that the organization remains in compliance with the ISO 27001 standard. These follow-up audits occur at least once annually.
10. Conclusion
The assessor has identified four recommendations:
- Recommendation 1: Probe must obtain consent to the control and processing of the natural person’s personal data
- Recommendation 2: Probe must maintain records of all processing activities on the Probe platform
- Recommendation 3: Probe must sign Data Processor Agreements with cloud hosting services
- Recommendation 4: Probe must implement a security policy and procedures for data backup, data breaches, data erasure, and rights of data subjects
Implementing the four recommendations will ensure compliance with GDPR.
Implementing and certifying an Information Security Management System (ISMS) in accordance with ISO 27001 is not a regulatory requirement, but can very well become a customer requirement. Therefore, it is the assessor's recommendation to have ISO 27001 certification as a future objective.