Sensitive Data

The de.NBI Cloud supports the processing of sensitive data by providing different services as well as technical infrastructure and local data processing agreements between project and hosting site. Data holders may use the de.NBI Cloud for different data access scenarios, creating tailored sensitive processing environments which depend on the specific requirements and framework conditions in which the data is to be accessed.

Secure Processing Environments

A Secure Processing Environment (SPE) in the de.NBI Cloud is a highly protected digital infrastructure that gives authorized users controlled access to pseudonymized sensitive data for secondary research purposes. An SPE implements technical and organizational measures to maximize data protection and privacy. An SPE also includes functionalities for data management, data governance, and project management, all within a tightly controlled and compliant environment. The technical and organizational requirements on an SPE are defined in particular by the legal frameworks that govern access to the sensitive data.

The de.NBI Cloud supports the operation of SPEs through General Data Protection Regulation (GDPR) and EHDS-compliant access to sensitive data, integrating technical, organizational, and regulatory safeguards to ensure secure data analysis across a wide range of research domains. Our SPE architecture is aligned with the EOSC-ENTRUST project.

Information security and certification

The de.NBI Cloud federation has set up regular technical coordination structures to establish and maintain state-of-the-art technical and operational security across all locations. The cloud sites participate in mutual internal audits of their IT security management systems. The central cloud governance maintains a current inventory of each site's technical and organizational measures (TOMs) and coordinates centralized functions such as the user helpdesk, regular staff training for all cloud sites, legal consultations, and communication and coordination with local data protection officers. The sites at Bielefeld University (jointly operated with Forschungszentrum Jülich), the University of Tübingen and the University of Freiburg also operate IT security management systems certified according to DIN EN ISO 27001. The site at BIH@Charité is being developed to comply with the KRITIS requirements of Charité, with the de.NBI Cloud site split between public usage and a clinical cloud.

Applying for a Sensitive Data Project

Sensitive data processing in the de.NBI SPE follows the general roles and responsibilities defined in the GDPR, the German Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the EHDS. As a basis for using the de.NBI SPE, we assume that a data user (e.g. a researcher) submits a request to access a sensitive dataset for processing within the services provided by the de.NBI SPE. The data is made available by a health data holder, which may for example be a research institution that collected the data in the context of a study, or a higher-level entity responsible for regulating access to such data. In this context, the health data holder acts as the data controller under the GDPR and the EHDS. The data user applies for access to the health data via the respective Data Access Committee (DAC). Upon approval, the data user also assumes the role of an independent data controller for the specific secondary use purpose. A data use agreement is concluded between the health data holder and the data user, defining the scope, conditions, and obligations of the data user.

The data user can then initiate a project within the de.NBI SPE and agree to the applicable usage and access policies (see "Application Process For Sensitive Data"). The de.NBI SPE may act as a data processor on behalf of the data user, if required. In this role, the SPE may facilitate the transfer of the health data into the secure environment, control data access, provide processing services, and configure the environment according to the project’s needs and regulations. To enable this, the de.NBI SPE concludes a data processing agreement (DPA) with the respective health data holders, ensuring compliance with GDPR and EHDS requirements.

The following diagram visualizes the application process for a sensitive data project on the de.NBI Cloud infrastructure. Please note that the major difference from a regular project application is the preparation and signing of a data processing agreement between the data controller (typically the project PI or a data-providing organization) and the hosting cloud location.

de.NBI Sensitive Data Project Application Process

The de.NBI Secure Processing Environment is based on the de.NBI cloud environment and implements additional technical and organizational processes to provide sufficient data protection features for working with sensitive data. All security-related infrastructure and operations processes are guided by the principles of separation and control and of least privilege.

Please note that, due to the necessary legal preparations for sensitive data projects, the application process may require more time than a regular project application.

Please contact us if you have further questions!