myDRE, and documents and approvals

version: 2022-10-15
type: opinion
This article should be read as an opinion piece; consult your organization's policies and, when in doubt, verify with the privacy contact person, privacy officer, or legal department.

Introduction

Do we need a data transfer agreement (DTA) or is a data processing agreement (DPA) sufficient when working with myDRE? This opinion article places DTA, DPA, and other organizational documents/approvals in the context of a Workspace.

Defining INTERNAL and EXTERNAL

A Workspace belongs to a specific organization. That organization is accountable, and all people and data belonging to that organization can usually be considered INTERNAL. All other people and data usually must be considered EXTERNAL.


Documents/approvals Mapped

Based on the above definition, the following mapping of documents and approvals can be made. As a general rule of thumb, all approvals must be in place prior to the ingress, storage, processing, or egress of data. The abbreviations are explained below.


                   | External   | Internal
-------------------+------------+----------------------------
Data               | 1. DTA     | 1. DMP
                   |            | 2. Study ID
                   |            | 3. EC approval
                   |            | 4. Data Custodian approval
                   |            | 5. DPIA
                   |            | 6. CIA
                   |            | 7. TPE check
-------------------+------------+----------------------------
People / Services  |            | 1. DPA


Documents/approvals explained

External

DTA - Data Transfer Agreement
A data transfer agreement (DTA) is a legal document that lays out the terms and conditions for sending personal data to, or receiving it from, another jurisdiction or organization. The agreement includes provisions for how the data will be used and protected after the transfer. Three scenarios have to be considered:
  1. Ingress of data
    A DTA is needed if the data is received from an External party.
  2. Storing and processing data inside the Workspace
    If #1 is met, no additional DTA is needed, not even for people external to your organization, as long as the work is done inside the Workspace.
  3. Egress of data
    A DTA is needed if the data is received by an External party.

Internal

DPA - Data Processing Agreement
A data processing agreement (DPA) is an agreement between a data controller (such as a company) and a data processor (such as a third-party service provider). It regulates any personal data processing conducted for business purposes. A DPA may also be called a GDPR data processing agreement (GDPR Art 28).

anDREa B.V. has entered into a DPA with each organization covering all of its Workspaces. If you would like to know the details, the procurement department is a good place to ask.

DMP - Data Management Plan
Your organization most likely has a template for this. The DMP will often also check whether the other items listed below are available and approved.
https://en.wikipedia.org/wiki/Data_management_plan

If not covered by the DMP, the following might be required:
Study ID
In any case, the processing of privacy-sensitive data (special categories of personal data, GDPR Art 9) requires a (central) record of all processing activities (GDPR Art 30).

EC - Ethical Committee approval
Some studies require the approval of the Ethical Committee.

Data Custodian approval
Some studies require checking for:
DPIA - Data Privacy Impact Assessment
  1. GDPR Art 35.
  2. anDREa article/help: Data Protection Impact Assessment (DPIA).

CIA - Confidentiality, Integrity, Availability (and sometimes Auditability) assessment
  1. Required by some organizations (see Wikipedia). The (Chief Information) Security Officer should be able to inform you.
  2. anDREa article/help: CIA (BIV) Classification.

TPE - Trusted Processing Environment Check
  1. The organization should ideally have a whitelist of TPEs and a list of criteria for evaluating non-whitelisted solutions.
  2. If myDRE is available, there should be documentation or a policy stating for which types of data, processing, and/or collaboration myDRE is considered a TPE. anDREa articles/help:
    1. anDREa B.V. obtains ISO 27001 certification
    2. Pentest and other security related reports
    3. CIA (BIV) Classification
    4. anDREa Service Level Agreement
    5. For many other questions, please check the anDREa FAQ
