Safe use of personal data in researchAntti Pursula, CSC2.9.2016

Health and well-being data in research

• Health and well-being data collected by individuals, healthcare, registers, …, has great potential for advancing biomedical research

• Digital data collections in Nordics is dubbed as goldmine for researcho Biobanks, health registers, longitudinal data collections, nationwide studies, etc.

• Promises of biomedical research: Personalized medicine, cure of diseases, improved life quality, …o Society benefits when these data collections are made available for research!

• However…

Protect and empower the individual

• Health and well-being data collections are highly sensitive, personal datao Even after deindentification of data it is possible to pinpoint individuals

• Research use of health data requires data protection, ethical considerations, empowerment of data subjects, secure data transfer and secure analysis possibilities

• Altogether enabling only authorized use of data while still utilizing it for the benefit of society and individuals

Need for secure IT services

• To grasp the promise of accelerated research based on health data, and simultaneously taking into account the limitations, we need IT solutions that implement the necessary preconditions

• Need also legal and ethical and societal discussion and guidelines and regulations

Possible use case

1. Data collecting organization offers health-related data for research purposes (biobank, genome center, research institute, register-holding organization, hospital, …)

2. Researchers can apply for access to data setso Review process takes place to decide on the application

3. For approved requests data set is prepared and moved in a secure server where researchers can access it

4. Researchers perform the analysis5. After the research project access to data is closed

Services from CSC

• CSC has developed secure IT services to realize MyData related workflows for research use of personal data.

• Components to support the Use Case:o Digital authorization management tool REMSo Secure cloud infrastructure CSC ePoutao Human-centric identity and access management Eduuni-ID

• Service components at CSC are developed according to national strategies, and in the close relation to European and Global initiatives (like ELIXIR research infrastructure and GA4GH)

Why services from CSC?

• CSC – IT Center of Science Ltd. is government owned non-profit organization dedicated provide IT services to support research & education in Finlando Research Data. Cloud Infrastructure. Supercomputing. Network connections. Open

Science. Higher Education Data Management. Scientific Software.

• Why CSC:o Data stays at CSC’s servers and storage within Finland (i.e. in EU, and not using

commercial providers)o No commercial interest on the data (neutral player)o Publicly ownedo Suited ideally as a “research data bank” or “secure analysis environment” or

“genome data platform”

Authorization management with REMS

• REMS provides complete process for managing entitlements

• Demo available at https://remsdemo.csc.fi/

Principalinvestigat

orApplicant

Research groupMembers of the

application

Metadata on dataset

1&2

Dataset 1

Dataset 2

DAC 1Approver

DAC 2Approver

REMS

Workflow

Reports

Entitlements

IdP

IdP

IdP

SP

1. Apply for access

4. Approve

5. Access

3. Circulate to approver

2. Commit to licence terms

CSC ePouta

• Cloud computing environment designed for processing sensitive data.

• Closed environment that meets elevated information security regulations (VAHTI) as defined by the governmental authorities.

• The cloud resources are accessed through a dedicated secure connection.

Free your identity from silos

10

Organisational Directories

IdentityFederations

User Directories of cloud services

Consumer Services and their identities- human-centric identity and access management

User Directory

11

Sign in methodsOrganisational Personal

Services

Step Up AuthID: exxxxxxxxxPerson is not identified

- ID is given to a person e.g. sequential number (mxxxxxxxxx). One or more sign in methods can be attached to it.

Person is identified- Confirmed email or GSM is attached to another ID e.g. sequential number (exxxxxxxxx).- mxxxxxxxxx is attached to one or more exxxxxxxxx.

Person¶s profile- Person can create and manage profiles for services. Profiles can be used by services with user¶s consent. (My Data)

A)

B)

C)

Only organisational sign in methodsID: exxxxxxxxx

Only peronal sign in methods

ID: exxxxxxxxxUser Profile

chosen by user

D) All sign in methodsID: mxxxxxxxxxStep Up Authentication

(two-factor)

Summary – Data Platform

• The presented components are integral components of a Data Platform for health data researcho Support data submission, archiving and sharing processeso Integrated with secure cloud services for data processing o Enables sharing of data to third parties who have the approriate access permissions.

• Providing such data platform is a collaborative effort between (at least) the data collecting organization, IT infrastructure provider and research community

• Contacts:o Antti.pursula@csc.fi o Sami.saarikoski@csc.fi (Eduuni-ID)