Data Protection Impact Assessment

  • Published by Viedoc System 2024-10-17

Background

The General Data Protection Regulation (GDPR) mandates a data protection impact assessment (DPIA) to be performed for data processing that is likely to result in a high risk to the rights and freedoms of natural persons. GDPR states in the first paragraph of Article 35 that:

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

It should be noted that the DPIA is a data controller responsibility. The data processed in Viedoc that Viedoc Technologies is controller of is limited to name, email address, optional contact details and some usage data of the platform users. This data should not result in a high risk to the rights and freedoms of natural persons. On the contrary, the information is necessary to maintain the information security of the platform and thereby mitigate risk and protect such rights and freedoms. However, Viedoc is delivered using infrastructure provided by the U.S. software company Microsoft and its Azure services, and as the Court of Justice of the European Union in July 2020 invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield, this DPIA is performed to determine and analyze any new risks that have emerged as a result.

GDPR further states in paragraph 3 of Article 35 that:

A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: […] (b) processing on a large scale of special categories of data referred to in Article 9 […]

Article 9 paragraphs 1 and 2:

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes […]
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […]

Viedoc is a software platform developed to facilitate clinical research involving natural persons who have given their informed consent to participate in clinical trials. The collective data processed on the Viedoc platform by customers of Viedoc Technologies must be regarded as large scale. Although Viedoc Technologies have no insight into the data processed on the Viedoc platform, it must also be considered special categories of data as enumerated by Article 9, in particular data revealing racial or ethnic origin, genetic data and data concerning health. Despite Viedoc Technologies not being the data controller of this data, it is brought into the scope of this DPIA to surface risks and educate customers.


Description, purpose, necessity, and proportionality of data processing

Data flow

Data controller - processor relationship

Lawful grounds for processing:

* Consent by user upon registration (GDPR Art 6(1)(a)).
** Instructions in Data Processing Agreement appendix to Master Services Agreement between Viedoc Technologies and the Customer.
*** Typically consent (GDPR Art 6(1)(a)), contract (GDPR Art 6(1)(b)), public interest (GDPR Art 6(1)(e)) or legitimate interests pursued by the controller (GDPR Art 6(1)(f)) depending on data subject and situation.

Data subjects

Viedoc user / usage data

The personal information processed for this data subject does not contain special categories of data as enumerated by GDPR Article 9, and is limited to:

  • Name
  • Email address
  • Optional phone number and postal address
  • Preferred language
  • Usage data
    • IP address used to access Viedoc
    • Time and length of access
    • Browser footprint (“User agent”)
    • URL used to access each resource in Viedoc
    • URL that provided the link to Viedoc (“Referrer URL”)


The purpose of this information processing is to authenticate users, maintain authenticity and protect the confidentiality and integrity of the information processed on the platform. This is deemed the minimum amount of information necessary to achieve this objective, and proportional considering the sensitivity of the research data described in the next chapter.

The data collection is initiated, and the lawful ground is established with, the following actors and sequence of events:

Study subject / research data

Viedoc Technologies is a “blind” processor of this data. Thus, the specifics of the personal information processed for this data subject are not known to Viedoc Technologies, but it is likely to contain special categories of data as enumerated by GDPR Article 9, such as data revealing racial or ethnic origin, genetic data and data concerning health.

The purpose of this information processing is to conduct scientific studies involving clinical research, and the necessity and proportionality is a responsibility of the study sponsor (in most cases the same as the Customer of Viedoc Technologies). The data collection is outlined by a study protocol that typically undergoes review and approval by ethical committees and competent regulatory authorities.

The data collection is initiated, and the lawful ground is established with, the following actors and sequence of events:

Data locality, sub-processors

European instance

The primary infrastructure of the European instance of Viedoc is located in France with sub-processor Microsoft and their Azure platform. Backup storage and email/SMS gateways are also located in Europe with sub-processors AWS, OVH Cloud, MailJet, Elastic Email and SMS-Teknik.

This instance is recommended for customers that must maintain GDPR compliance.

Japan instance

The primary infrastructure of the Japan instance of Viedoc is located in Japan with sub-processor Microsoft and their Azure platform. Backup storage and email/SMS gateways are located in Japan and Europe with sub-processors AWS, HENNGE, Elastic Email, and SMS-Teknik.

This instance is recommended for customers that must maintain APPI compliance.

China instance

The primary infrastructure of the China instance of Viedoc is located in mainland China with sub-processor 21ViaNet and their national instance of the Microsoft Azure platform. Backup storage and email/SMS gateways are also located in China with sub-processors AliYun and AWS China.

This instance is recommended for customers that must maintain compliance with HGR and CSL.

US instance

The primary infrastructure of the US instance of Viedoc is located in US with sub-processor Microsoft and their Azure platform. Backup storage is also located in US with sub-processor AWS. Email/SMS gateways are located in Europe with sub-processors MailJet, Elastic Email and SMS-Teknik.

Risk to data subjects and risk mitigation

Processing context

Viedoc is a data collection platform for clinical research but is not designed to be used as a medical device or clinical decision support system for treatment of study subjects. This is clearly stated in the General Terms and Conditions (GTC) that all customers enter into, as well as in the Terms of Use that all platform users enter into.

In addition, the GTC also state that whenever the Viedoc alert functionality is utilized for safety procedures, e.g. as a means for serious adverse event awareness, this functionality cannot be solely relied on. There must be additional safety procedures implemented.

These statements serve to avoid risks that inappropriate platform usage could result in. If used according to the platform terms, erroneous data in, or unavailability of, Viedoc, should not pose a direct physical risk to the natural persons whose information is processed on the platform.

This assessment focuses on risks concerning confidentiality and privacy as these directly impact the data subjects whose information is processed on the platform. Risks related to data integrity and availability are identified and managed but are more of business risk character and will not be discussed here.

Privacy by design and risk avoidance

The Viedoc platform, the Viedoc service offering and the Viedoc Technologies organization are designed with privacy and information security in mind. Some of the measures to ensure privacy by design and to avoid the worst risks include:

  • Structured processing of all data, detailed data inventory and mapping of data processing
  • Full transparency into data processing in public privacy policy
  • Any updates to privacy policy must be acknowledged by users
  • Self-service features for Rectification, Erasure and Data downloads in a portable format
  • GTC statement that it is a customer responsibility to pseudonymize data before input
  • Organizational and technical access controls that prevent Viedoc Technologies employees from accessing customer data

Baseline risk minimization and mitigation measures

Viedoc Technologies have implemented a risk-based Information Security Management System (ISMS) that facilitates a structured and continuous approach to information security. All ISO 27001 Annex A controls are included in our scope of applicability, some of which are:

  • Continuous information security awareness training of all staff
  • Separation of duties
  • Separation of development and production environments
  • Use of the principle of least privilege
  • Network segmentation, firewalls
  • Continuously updated anti-malware
  • Management of technical vulnerabilities
  • Security testing built into development lifecycle
  • Continuous vulnerability scans
  • Recurring third party penetration tests
  • End to end encryption in transit both externally as well as internally
  • Encryption at rest
  • Audits of, and data protection agreements with, our sub-processors

Risks

Risk management is continuous work. The context Viedoc Technologies operate in is constantly changing and we have implemented procedures to continuously identify and treat new risks. Below we summarize the main categories of risks that we have identified so far.

Hacking and subsequent information theft or disclosure

The risk of being hacked is present to anyone that delivers software over public endpoints. We have gone to great lengths to identify and treat risks associated with potential malicious attacks.

In the Viedoc Technologies risk database there are a number of treated risks that relate to this: #13, #14, #97, #105, #107, #108, #110 and #117 with a residual risk rating of 3 on a scale from 1 to 25; #100, #106, #109, #111, #112, #114 and #115 with a residual risk rating of 4; and #122 and #123 with a residual risk rating of 6.

Sub-processor SLA or DPA breach and subsequent information disclosure

In the Viedoc Technologies risk database there are a few treated risks that relate to this: #190, #194 and #203, all with a residual risk rating of 3 on a scale from 1 to 25.

Human error or procedure failure and subsequent information disclosure

In the Viedoc Technologies risk database there are a number of treated risks that relate to this: #183, #195 and #247 with a residual risk rating of 3 on a scale from 1 to 25, and #152, #180, #182, #188 and #229 with a residual risk rating of 6.

Unwarranted data transfer to the US by sub-processor and subsequent information disclosure to foreign government surveillance agency

The European instance of Viedoc is served using infrastructure in the two French regions of Microsoft Azure, located in Paris and Marseilles. Although the Service Level Agreement guarantees that data is localized within these regions, Microsoft is a U.S. company and thus bound by the U.S. CLOUD Act (2018), Section 702 of the U.S. FISA Amendments Act (2008) and U.S. Executive Order 12333 (1981), which under some circumstances may require it to disclose information stored on its infrastructure to U.S. intelligence or surveillance agencies.

Microsoft claims full transparency and publishes reports on all such requests. They further assure that they will require a court order, reject or challenge requests that exceed the authority or jurisdiction of the requesting agency, never disclose encryption keys, and notify the customer (Viedoc Technologies) if not prohibited by law. [4.1]

On July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (the “Adequacy Decision”). With this decision, it is now considered that personal data can flow safely from the EU to US companies participating in the Framework. [4.2] Microsoft have announced that they are “committed to embracing the new framework and will go beyond it by meeting or exceeding all the requirements this framework outlines for companies”. [4.3]

Before the Adequacy Decision, back in November 2020, the European Data Protection Board (EDPB) issued recommendations on measures that supplement the standard contractual clauses (SCCs) to ensure compliance with the EU level of protection of personal data. [4.4] In Annex 2 of these recommendations there are examples of transfer scenarios and whether or not effective supplemental measures could be found. Mapping the data processing in the Viedoc platform to these scenarios, we arrive at the following:

  • [Use Case 1] Data storage for backup and other purposes that do not require access to data in the clear
    The technical measure deemed effective can be summarized in strong encryption without exposing the encryption keys to the storage provider. This is how Viedoc Technologies has implemented backup storage.
  • [Use Case 2] Transfer of pseudonymized Data
    Customers and their designated users manage all data entries in studies on our platform. While some functionality in our platform does not naturally support pseudonymization of subject data (such as some entries in the eTMF feature), in the Data Processing Agreement between us and our customer we have included as a standard requirement that research subject data input into Viedoc should be pseudonymized. There are a few exceptions to this that fall under Use Case 5.
  • [Use Case 5] Split or multi-party processing
    The technical measure deemed effective is to require two or more independent processors located in different jurisdictions to make sense of the data. Viedoc allows for collection of phone numbers and/or email addresses of research subjects for the purpose of having the system remind them about pending events or activities. As this information can be used to de-pseudonymize and reveal the identity of research subjects, Viedoc Technologies have implemented asymmetric encryption and multi-party processing of this information. This means Microsoft only holds encryption keys, and whenever reminders are to be sent, the encrypted information is forwarded to another intermediate hosting provider that holds the decryption keys and that decrypts the information before it is sent onwards to the SMS and email gateways. This is the treatment of risk #262 in the risk database, with a residual risk rating of 8 on a scale from 1 to 25.
  • [Use Case 6] Transfer to cloud services providers or other processors which require access to data in the clear
    The EDPB did not identify any effective measures in this case. There is one type of data that falls in this scenario: Viedoc user / usage data [2.3.1]. As this information does not contain special categories of data as enumerated by GDPR Article 9, is often publicly available at sources such as LinkedIn and would be unlikely to attract interest from surveillance or intelligence agencies, Viedoc Technologies have rated this as data processing with low risk. It is described as risk #290 in the risk database, with a risk rating of 6 on a scale from 1 to 25.

We welcome the Adequacy Decision and all other developments that help make data flows safe in our industry. Viedoc Technologies will continue to maintain the supplemental measures listed above.


References

[4.1] MS blog post on the additional “Defending your data” protection steps
https://blogs.microsoft.com/datalaw/our-practices/

[4.2] European Commission adequacy decision
https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721

[4.3] Microsoft announcement regarding Privacy Framework
https://blogs.microsoft.com/eupolicy/2022/03/25/eu-us-data-agreement-an-important-milestone-for-data-protection-microsoft-is-committed-to-doing-our-part/

[4.4] EDPB recommendations 01/2020 on measures that supplement transfer tools
https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf