Workspaces can be spun up < 15 minutes
If sources do not have their own myDRE, RIVM can spin up dedicated Workspaces
From the Data Holder assign Accountable or Privileged Member
No Data Transfer Agreement is needed
Data Processing Agreement and possibily Data Collaboration Agreement are needed
myDRE Workspaces can be used:
to collect - ingress manually or using the upload API ,
to pre-process; and,
to push data to the next 'stage'
Upload API or Workspace-to-Workspace transfer
Roles in myDRE workspace provide options to fine tune the access control
ISO 27001:2023 certified & anDREa's ISMS is publically available, allows to prefill DPIAs and other documents with standard answers
Helps also with BIO(2), NEN 7510 based control frameworks, and many if not most questions a CISO, SO, or DPO would ask, like:
myDRE CIA Classification - includes risks assessments, mitigations
myDRE Data Protection Impact Assessment - includes risks and mitigations
GDPR Compliance Assessment - includes what is anDREa's and what is Tenant's responsibility
myDRE features like:
Role-Based-Access-Control, see Roles in myDRE workspace
Periodic Access Reviews - ensures demonstrable proof that it is reviewed whether people still should have access
EHDS Secure Processing Environments (SPEs) are a special kind of Workspaces. Less freedom for the data users, more control by the admin/HDAB.
Some of the limitations EHDS SPEs will bring are in line with what some large studies like LifeLines and Ergo also desire; less freedom for the users in the workspace, more control from a central point of view. This is perfectly workable for some studies, but not all.
Some options that anDREa with myDRE can bring to the table:
Set-up your own SPE before getting it locked down to receive data
You need package x, y, z under version u ...no problem. Rstudio, Jupyter Notebook, Marimo Notebook, Stata, SPSS, etc ...no problem.
Deploy SPEs under the billing account of the organisation, but have the SPE controlled by HDAB
No financial risk for HDAB, no need to ping-pong invoices for consumption costs
Continue to use myDRE for non-EHDS requested data
anDREa as an organisation brings to the table:
Viability & continuity
OpEx only, no risks
As-a-service
An organisation whose governance is intertwined with UMCs and is open for other stakeholders
Yes.
Use APIs of AI/LLM providers
Deploy a VM using a suitable SKU
If you need something 'special', contact us
Including if your organisation has running something 'locally'
SURF promised to collaborate to make this possible.
Contact us, and we help to make this happen.
Soon a paper will be submitted by a research group at LUMC to Lancet Health with probably the title: "Beyond Ad-Hoc Agreements: A One-Time Legal Architecture for Secure, Scalable Medical Data Sharing via Trusted Research Environments in International Collaborative Research".
Vantage6 and Flower.ai were successfully deployed.
Yes.
anDREa is also looking into unburdening organisations in deploying MPC as a standalone; Roseman Labs, Linksight.
Yes.
BYOL - Bring Your Own License
This depends on the license conditions and might require that (sub)domains need to be allow listed
E.g. O365
Organisation's License Server (anDREa clients only)
License server will be connected to one or more groups (Azure Subscriptions), Workspaces are deployed in a specific group
i.e. access to a license depends on the workspace, not a person
When connected every member can make use of the license server
When a group (Azure Subscription) is not connected, none of the Workspaces deployed in that group can connect to the organisation's license server
Some academic licenses prohibit people non-academic use, this prevents that even own employees use their organisation's license in a non-academic setting