First draft on legal framework for technical safeguards with a focus on cloud usage
Contributors
- 1. de.NBI-Cloud
- 2. MBL/ELIXIR
- 3. EMBL/ELIXIR
- 4. BSC
- 5. IACS
Description
This deliverable (D2.1) focuses on identifying legal requirements for privacy
and security safeguards that apply while sharing health data for research through a
FAIR Data Portal, with a focus on the use of cloud services. It begins by reviewing
applicable GDPR principles that must be respected across the data lifecycle,
including lawful basis, data minimisation (anonymisation and pseudonymisation),
technical safeguards, data subjects’ rights, and accountability. The concept of a
generic data governance model – applicable across the data lifecycle including
submission, storage, access and use – is introduced.
The deliverable then discusses the importance of data security in cloud
environments. The cloud offers flexible and scalable storage/compute
infrastructure and services to researchers. Cloud environments used in health
research are diverse – from hyperscale to national to local. Clouds must find ways
to demonstrate high security standards, e.g., through certifications. Cloud users
face the challenge of having to ensure providers have adequate security measures,
and must also demonstrate that the measures in place actually correspond to the
cloud user’s own data protection obligations.
Files
Name | Size |
---|---|
D2.1-Cloud-Safeguards-v0.3_submitted.pdf (md5:b5f684523797db9dd878fa90383cbfee) | 1.8 MB |