RADeep Legal Frame

RADeep Legal Frame

Personal data allowing patients' direct identification, as name and surname, national identity number or home address will not be received by RADeep. Instead, medical information will be received by RADeep along with a pseudonym generated by their medical doctors (at local level) through a pseudonymisation tool GDPR compliant. The use of a pseudonymisation tool offered by the EU-RD Platform in the context of rare disease registries (https://eu-rd-platform.jrc.ec.europa.eu/_en) is envisaged for this aim. The pseudonym is created at the local site and the link among the pseudonym and patients' identity is never tranferred to RADeep.

Pseudonymised medical information to be included in RADeep is the information gathered in the routine of medical care: date of birth, gender, diagnosis including genetics, blood parameters, clinical manifestations and therapeutic interventions. This information is the strictly necessary for the achievement of RADeep aims, corresponding to a set of parameters defined at the European level as "Common data elements" to all Rare diseases registries, and a consensus of experts involved in RADeep team. As the registry evolves, data elements will be reviewed by the Steering Committee for assessing if an update shall be required. Part of the pseudonymised data processed and stored in RADeep will be shared with the European Rare Blood Disorders Platform (ENROL), which applies the same level of safeguards to patients' data.

RADeep Policy enables participating stakeholders to comply with all legal and ethical considerations that apply to the processing and use of sensitive, personal information and health data in line with the General Data Protection Regulation (GDPR).

Pseudonymised data held in RADeep will be shared to third parties (researchers, patients' associations, policy makers, industry) in order to contribute to projects whose objectives are directly connected to improve healthcare provision for RADs, thus connected to RADeep's aims. As previously indicated, RADeep gathers pseudonymized data, which means that information allowing the direct identification of the patient has not been transferred to the platform. Thus, the risk of re-identification is residual. Accordingly, and for the avoidance of any doubt, these third parties will never have access to the information that may directly lead to patients identification. 

Third parties interested in accessing anonymized/pseudonymised data held by RADeep will be required to submit an application form that details the scientific purposes of the project for which the data is needed. Requests are reviewed by a Data Access Committee composed by Steering committee, representatives of the Scientific Subcommittees, and legal and ethical experts, that ensures that the request aligns with the purpose of RADeep and its Policy. Professional background of the researchers are also reviewed to ensure they are suitably qualified and have a track record of integrity as researchers in this area. When required by applicable law, scientific research is subject to the approval of Ethics Committees.

Researchers may come from both public and private institutions in any country, including non-EU countries. All third parties will be required to sign a Data Transfer Agreement respecting the EU legislation and committing them to: use the data only for the purpose intended and authorized; not attempt to re-identification, including merging RADeep's data to other sources of data; and not contact the patient directly. In addition, in cases that data is transferred to non-EU countries, the same level of protection and commitments with regard to data protection will be imposed according to the GDPR.

A Consortium Agreement defines respective roles, rights and relations among parties forming the Consortium as well as their equal responsibilities on data protection in terms of GDPR based on the Joint Controllership of data. More information on the coordinating institutions and roles are available at committee section.

The following diagram summarizes the pathways for RADeep data entry, data processing and data request. RADeep policy and agreements are currently under revision and will be available soon.

Where:

Providers of data

Any legal entity providing data to RADeep, including among others:

  • Healthcare providers 
  • European/national/regional registries 
  • Scientific networks registries

Users of data

Any stakeholder (legal entity) with interest on RADs, including aong others:

  • Healthcare providers 
  • Researchers from both public and private institutions including industry
  • Patient associations
  • Health Authorities
  • Regulatory bodies 

Legal binding documents:

  1. Informed consent
  2. Transfer agreement A (from Provider of data to RADeep)
  3. Consortium Agreement
  4. Application form for data request
  5. Transfer agreement B (from RADeep to User of data)

Euro Blood Net