Security
Data protection is key to any data science project. It is required by legislation, and it is mandatory for building and maintaining trust with the data owners. Data protection means in particular allowing access to data only to parties that have received explicit informed consent from the data owners. In addition, data security implies managing the data with security in mind, regularly verifying that security is continually assured, and protecting against data loss. The MIDATA IT Platform enforces data protection by:
- Allowing a citizen to register to the platform and become an account owner
- Authenticating each data owner using the platform
- Securely managing the data of each data owner
- Allowing a data owner to share data with another user or with a third party conducting a data science project
- Managing the access to the data of each data owner
- Allowing a data owner to delete his/her data
- Allowing a data owner to withdraw from the platform and have all data optionally exported and then deleted
- Identifying each researcher using the platform
- Managing descriptions provided by researchers of each of their data science project as a basis for receiving explicit informed consent
- Managing the consent of each data owner willing to participate in a data science project and to share part of his/her data in nominative, coded or anonymized form
- Allowing each participant to withdraw a consent to MIDATA-related aspects of a project.

In addition to the services provided by the MIDATA IT Platform, additional organizational measures have been taken, such as:
- Identifying users as real persons in order to prohibit fake users
- Managing the register of the researchers using the MIDATA IT Platform
- Managing and vetting the MIDATA administrators of the MIDATA IT Platform
- Reviewing the ethical quality of services by a dedicated ethics committee.

On the MIDATA IT Platform, each data item is stored and managed as a single record. Each record is encrypted with a first key, which is stored together with other similar keys in an access permission set. This access permission set is encrypted with a second key. In a third step, this second key is encrypted with the public key of the data owner. A data owner who wants to access his/her data uses his/her private key to decrypt the second key, which in turn decrypts the access permission set containing the record keys, which finally decrypt the data. All of these operations are triggered by the user but executed by the MIDATA IT Platform, which hides this complexity from the user.

When a data owner gives consent to share data (referenced in one of his/her access permission sets) with a researcher or with another user, the second key that was used to encrypt that access permission set is additionally encrypted with the public key of the researcher or of the other user. The researcher or other user then uses his/her private key to decrypt the second key, which allows him/her to decrypt and read the access permission set containing the keys needed to decrypt, access and read the data.

Security audits are run annually by external, independent and recognized security expert organizations. These audits check that no unauthorized access to the platform and the managed data is possible. Some of these penetration tests are run without any user login, attempting to access any data; others are run with a user login, with the intent of accessing more data than that user is allowed to see.
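The three-step key hierarchy and the consent-based sharing step described above, as an added example in Go that is not MIDATA's own code: AES-256-GCM stands in for the record and access-permission-set encryption, RSA-OAEP for the public-key wrapping, and the `Vault` layout, function names and record contents are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Vault is a hypothetical stored layout: sealed records (step 1), the sealed access permission set (step 2), the set key wrapped per user (step 3).
type Vault struct{ Records, Wrapped map[string][]byte; SealedSet []byte }
func key32() []byte { k := make([]byte, 32); rand.Read(k); return k }
// seal/open: AES-256-GCM with a fresh 12-byte nonce prepended; open fails on a wrong key or on tampering.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte { n := make([]byte, 12); rand.Read(n); return gcm(key).Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	if len(key) != 32 || len(ct) < 12 { return nil, errors.New("bad key or ciphertext") }
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
// Store runs the three encryption steps over an owner's records; only the owner can unwrap the set key.
func Store(owner string, pub *rsa.PublicKey, records map[string][]byte) (v *Vault, err error) {
	v = &Vault{Records: map[string][]byte{}, Wrapped: map[string][]byte{}}
	set := map[string][]byte{} // access permission set: record id -> record key
	for id, data := range records { set[id] = key32(); v.Records[id] = seal(set[id], data) }
	setJSON, _ := json.Marshal(set)
	setKey := key32()
	v.SealedSet = seal(setKey, setJSON)
	v.Wrapped[owner], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, setKey, nil)
	return v, err
}
// Share records consent: the owner unwraps the set key and re-wraps it for the grantee; no record is re-encrypted.
func (v *Vault) Share(owner string, priv *rsa.PrivateKey, grantee string, pub *rsa.PublicKey) error {
	setKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, v.Wrapped[owner], nil)
	if err == nil { v.Wrapped[grantee], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, setKey, nil) }
	return err
}
// Read walks private key -> set key -> record key -> plaintext; a user without consent has no wrapped key at all.
func (v *Vault) Read(user string, priv *rsa.PrivateKey, id string) ([]byte, error) {
	w, ok := v.Wrapped[user]
	if !ok { return nil, errors.New("no consent for " + user) }
	setKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil { return nil, err }
	setJSON, err := open(setKey, v.SealedSet)
	if err != nil { return nil, err }
	var set map[string][]byte; json.Unmarshal(setJSON, &set)
	return open(set[id], v.Records[id])
}
```

Withdrawing consent in this layout means deleting the grantee's entry in `Wrapped`; because the grantee may have cached the set key, a full revocation would also require re-keying the access permission set.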