Dear user,
On May 25th, the new General Data Protection Policy (GDPR) comes into effect. GDPR introduces new obligations and stricter requirements for organisations that process personal data, such as SITS International. However, GDPR is not intended to hinder scientific research.
SITS International has requested legal advice on how to handle the new legislation and on what it entails for organisations like SITS International. Together, we have reached the following conclusions, based on the information currently available in the legislation.
Regarding collection and processing of personal/sensitive data and informed consent
According to GDPR, active, informed consent is not required for the collection and processing of personal data, provided that a lawful basis applies. For SITS International, two separate legal bases apply, relating to public interest and to legitimate interests; for reference, see GDPR Article 6(1)(e) and (f), Article 9(2)(j), and Article 89(1). We note, however, that our legal bases may be subject to change as the legislation is further clarified (for example through guiding judgments in courts of law).
For the current situation in SITS, Ethics Committee approval has been obtained in Sweden for ongoing data collection in the SITS registry for retrospective analysis. The patient information that forms part of this approval is still recommended, unless local/national ethics committees have recommended other procedures. The patient information includes instructions on how to decline participation and how to request withdrawal from the SITS registry.
For existing or archived data in the registry
For data already collected in the database, SITS can continue to process and retain it for scientific purposes related to our research topic(s). For reference, GDPR (Recital 50) states that “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations”, provided that Article 89(1) is respected.
GDPR-related changes in the database
GDPR requires appropriate safeguards to protect personal data. SITS will therefore implement safeguards such as data minimization, 2-factor authentication, and extended User Terms and Conditions by May 25th 2018.
2-Factor authentication (2-FA) verifies a SITS user’s identity by means of a second factor, e.g. an SMS or email containing a unique number that is entered at login. This confirms the user’s (claimed) identity by matching the registered user’s information with the person accessing the database (their chosen password combined with the unique number sent by email/SMS). Furthermore, 2-FA will serve to verify that users’ contact information is kept up to date, and it removes the possibility of multiple users accessing the same account, which is a violation of our terms of use.
For “data minimization”, personal data registered in SITS regarding both users and patients must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed. In order to comply with GDPR and implement acceptable safeguards, SITS will remove some data points that are unnecessary for data processing. These include, but are not limited to, Patient Initials and Date of Birth. Until now, these data points were used merely to simplify/shorten the process of connecting a SITS patient file to the local patient file at the hospital. Instead, we suggest that SITS users register the SITS treatment file number (TFN) in their internal patient files, and create a securely stored local record linking the SITS TFN to the patient’s identity, to be used for identifying patients in the database and for source data verification, if needed.
For the extended User Terms and Conditions, after May 25th a SITS user must accept the SITS User Terms and Conditions before being allowed to register patients and access SITS data. The SITS User Terms and Conditions will, for example, include information regarding user data in the SITS database (name, email, hospital etc.), as well as user rights, responsibilities, restrictions, and the right to be forgotten and removed from the system. The User Terms and Conditions will also specify the limitation of our liabilities and the requirement to read our policies (including those related to patient information). More detailed information about the new SITS terms and conditions will follow, and the content may be subject to change.
In accordance with GDPR, we are revising our policies to adopt the new rules and documentation requirements. The policies that will be revised are (subject to change):
- Data protection policy
- Data transfer policy
- Data retention & disposal policy
- Data processing policy
- Data breach & response policy
- Subject access request policy
- Confidentiality policy
These documents will be made available to the public through our website, to ensure transparency about our processes.
Responsibilities and GDPR guidelines
We are here to support you in your role as an LC/LU in SITS. We wish to be transparent about the changes that GDPR entails, and to provide you with information and guidelines on how the new data protection legislation affects SITS. We want to emphasize that our responsibilities towards our users and patients are becoming increasingly important with the implementation of GDPR.
SITS will ensure GDPR compliance by May 25th, in addition to compliance with national/Swedish regulations, such as ethics committee approval, in order to continue collecting data for scientific purposes.
We wish to keep you up to date and informed, so please do not hesitate to contact us if you have any questions regarding GDPR, the upcoming changes or your responsibilities.
We hope you will continue to be an important part of SITS, and to keep adding patient data as we work towards our common goal of reducing the global burden of stroke.
With kind regards,
The SITS International Coordination Office