GitLab

The DPIA will be the governance review of our processes. Is this required and what should it describe?

Suggestion form Karen Melham in issue #14 that the open repository should not be the place where de-identification takes place. De-identification should be managed by the researcher (and their ethics) and handed over to the open repository for curation once already de-identified. Note however that XNAT is a very useful tool for the deidentification services we want to run (e.g. dicom strip). This makes a strong case for two XNATs (names TBC!): One as a researcher resource ("Research XNAT") and one as a public facing portal ("Public XNAT").

Q:

1. What DPIA etc. does Jalapeño have in place? This will be equivalent to what we need for Research XNAT. Probably includes DMP.
2. Do we need to have a secondary DPIA for Public XNAT? For the purposes of the DPIA screening, we can consider that this repository contains no identifiable information in most cases (as suggested by Karen Melham). "Edge cases" (e.g. where identifiable disease group) will still be protected under our DUA.