Useful Documentation
- Useful Links
- anDREa Consortium: https://www.andrea-cloud.eu
- Digital Research Environment (DRE): https://mydre.org
- Knowledge Base: https://support.mydre.org/portal/en/home
- Overview
- The DRE environment is based on the Microsoft Azure platform. Via a custom web-based interface, users can interact with “workspaces” (where data can be stored) and can connect to and interact with data securely via virtual machines (VMs, remote compute resources). Essentially any virtual machine/storage configuration available within Microsoft Azure is available within the DRE (e.g., Linux, Windows, multicore, high RAM). The unique feature of the DRE is the web interface and workspace structure, which allows data to go into the system easily, while data egress (download) is not possible without explicit permission from the GDPR-labeled “controller” of the data. Thus, data can be securely shared into the DRE, where they remain unless an authorized “controller” allows the data to be downloaded. This allows host institutes to provide access to data without the need for collaborators to physically visit the host institute, and it provides even more security because the DRE is unable to access the broader internet.
- How is your data protected within the DRE?
- Data which have been uploaded into the DRE by default cannot be removed without approval from a GDPR “controller”
- The DRE is also by default unable to connect to external network connections
- All DRE users must use two-factor authentication
- GDPR “controllers” can revoke access at any moment
- The DRE has extensive data and process audit trails
- Pen tested
- Where is the DRE?
- The primary DRE instance is located on Microsoft Azure servers within the “Western Europe” classification.
- Is the DRE GDPR-compliant?
- Yes! See full details here.
- DRE Security / Confidentiality Classifications
- CIA (Confidentiality, Integrity, Availability) Classification:
- Confidentiality: High, Integrity: Medium, Availability: Medium
- Is the DRE ISO 27001 certified?
- Yes! See full details here.
- There are a lot of terms I don’t know related to the DRE…are there definitions?
- Yes! See here!
Which “roles” are available in the DRE?
DRE Role | GDPR Role |
---|---|
Accountable | Controller |
Privileged Member | Controller |
Standard Member | Processor |
*note: accountable and privileged member only differ on who is the budget holder for the DRE (i.e., only one accountable per workspace).
See more on how these roles fit within GDPR/DRE
How are datasets imported into the DRE?
The web-based DRE interface allows users to upload data into the DRE via either a web browser or the Microsoft Azure Storage Explorer.
- Who will have access to the data?
- Only researchers approved by the GDPR controller will be given access to the data.
- How is access provided?
- Researchers must first submit a data request form to the FAMILY data access committee. The data access committee will reach out to the appropriate researchers to secure approval for use of the respective datasets. If approved, the request will then go to the FAMILY steering committee for final approval. Once approved, the GDPR controller will grant access to the data to the user within the DRE.
- Can files be downloaded from the DRE?
- Yes. Each user can request that files be downloaded out of the DRE environment. The requests are mailed to (all) controllers of the workspace/data. Only upon approval from a controller will the DRE system allow data to be downloaded. The controller has access to the requested files, and can check whether or not sensitive information is included.
- Whose responsibility is it to protect sensitive data?
- Everyone's! Both data processors and controllers have the responsibility to ensure data are handled within the DRE under GDPR guidelines. While the controllers approve data download requests, the end responsibility also lies with the user to ensure they are not requesting to download sensitive data.
- What can be downloaded from the DRE?
- Technically, all files in the DRE can be downloaded with controller approval. Of course, there are very few circumstances where individual-level data should be downloaded, and almost no circumstance where a data processor would need individual-level data outside of the DRE. To streamline the controller's job of checking download requests, data processors should request ONLY A MINIMUM DOWNLOAD SET! This means they should only request what they absolutely need for their scientific work, and nothing more. Further, while controllers approve requests, data processors still have the responsibility not to request to download any individual-level, identifiable data, as doing so is still considered a data leak and a breach of GDPR.
- Is joint controllership possible in the DRE?
- Yes, in the event that two or more parties would like to combine data into a single workspace, each party will have one member assigned as a GDPR controller in the DRE. When a download request comes, one of the controllers can approve the download, but only after written approval is obtained from all other joint controllers.