GDPR for open brain imaging

What is means for research to protect privacy?

GDPR in a nutshell 

Principle 1: lawfulness, fairness and transparency
- must have ethics approval to collect data and signed a consent form
- give a privacy notice*
- be transparent about how personal data will be used, and how research (de-identified) data will be used (i.e. shared publicly)
- tell them how personal data will be handled (and for how long, see principle 5)

*A note on privacy notice.

The privacy notice is a statement telling people for what purposes the personal data will be used. Following principle 2, an information sheet can contend something like: 'your personal data (name, address, GP) will be collected as to keep a record of your consent and of who is scanned with the intended use to contact you in case of an incidental finding. At the end of the study, consent forms will be archived in a secured location at the University of XXX for audit purposes and all other material with your personal data will be deleted and/or destroyed'.

In the information sheet, put the usual information (following the open brain consent): 'the research data collected will be de-identified and used 1. to answer directly research questions on xxxx (generic) and 2. to enhance knowledge about the brain in general, by sharing them publicly on the web.'

Principle 2: purpose limitation
- be explicit why personal data are collected and what is the intended use. Typically for healthy participants, the reason is to keep a record of consent and of who was scanned with the intended use to contact that person in case of an incidental finding. For patients, the reason is to keep a record of consent and who was scanned with the intended use to further access medical records (must be consented) and/or follow-up on patient care.

--> How do we apply new research question?*
The research data, if anonymized, are good to do whatever you want and thus use for new questions. What seems not possible (although not that clear to me), is to use personal data to check medical records and get new variables for a new research. So to me, you need to make clear what you will collect, you can also say you will collect such and such information from medical records for the next n years, but cannot go fishing for random variables**.

Principle 3: data minimisation
- only collect what is needed (eg. name, address, GP, possibly health ID)

Principle 4: accuracy

Principle 5: storage limitation
- keep personal data for no longer than necessary but you can keep indefinitely for archiving purpose (e.g. consent forms) and if the data is needed for scientific/statistical purposes (e.g. patients ID for health status follow-up, but you still need an end date for that).

--> how long to keep personal data linked to the data?*
looks to me that you need an end date - but if the purpose of your research is a long-term follow-up of patients, an end date in ten years from now is absolutely fine satisfying principles 2 and 5.

Principle 6: data security

Data Subjects' Rights

People are allowed to access, erase, restrict processing of personal data. Since publicly shared imaging data must be fully de-identified, this doesn't apply. If one keeps the record of patients personal data, however, then these enter into the subjects' right category, in particular, the restriction on processing the personal data (e.g. collecting more info), while the research one already collected are still good to play with.




* Thanks to Linda Douw for the questions!
** Discussion with Enrico Glenean, thx Slack :-)