Info

Quality and Security

Our customers present personal health data for processing through the TraIT suite of tools in a so-called federated environment. With a cloud-based ICT infrastructure, multiple platforms in various datacenters, subcontracted service providers and different (open) application standards, this requires a tailor-made management system to meet legal, customer and ICT-security requirements.

Quality Management System for Compliant Security (QMS-CS)

Introduction

In this presentation a condensed overview of the QMS-CS is given. A more detailed introduction is available upon request.

Information Data Security

Following periodic compliance analyses and risk assessments, a number of organizational and technical measures have been taken, and will be updated when necessary, to safeguard the confidentiality, integrity and availability of the entrusted data, as required by the Wet Bescherming Persoonsgegevens (the Dutch Personal Data Protection Act). Among many other controls, here follows a non-exhaustive list:

Governance Agreements

'Stichting TraIT' will enter into clear agreements with its clients to define roles and responsibilities. Principal Investigators, assigned by our clients, act as Data Controllers. Stichting TraIT and/or its subcontracted Service Providers can only act as Data Processor.

'Stichting TraIT' concludes and monitors Service Level Agreements with its subcontractors for providing hosting, operational and consultancy services to TraIT clients. These agreements include at minimum the organizational and technical measures as defined in the TraIT QMS-CS.

Certified datacenters

Tools are hosted and data are stored on servers in certified (ISO 27001 or NEN 7510) datacenters, with periodic reporting on performance and security. Data traffic (uploads and downloads) to TraIT servers is encrypted.

Network controls

TraIT uses the HTTPS protocol for network communication and certificates to verify connections.

Access control

Verification of user identity, authorizations and connection authentication takes place in a monitored process following a standard procedure, with registration of each step.

TraIT works with controlled access through user accounts and authorization at the study and role level. The data owner (data controller) decides who should have access to the study and indicates the role/authorization that should be applied to the user account. The data controller remains the owner of the data.

Change management

All changes and patches in the TraIT suite of tools follow strict standard procedures with registration of each step, including prior testing in an acceptance environment before being taken into production.

Patient Identifying Data

Procedure 'data deviations or data leaks'

Principal Investigators, as data controllers, are responsible for making sure that data is anonymised or pseudonymised according to the rules set by their METC (medical ethics review committee) / Informed Consent (IC) or any other applicable regulation and legislation.

TraIT may not and does not check data for adherence to applicable regulations. However, if TraIT application operators, in the course of processing data files, happen to encounter identifiable data that is usually not included in research studies, they will notify the data controller or his/her representative. The procedure requires that identified data leaks are reported forthwith to the data controller.

Events and Incident Management

Information security events and incidents are, by standard procedure, given an appropriate priority and managed accordingly by means of a call management and registration system called TOPDesk.

Back-up and disaster recovery procedures

These provide for continuous availability of data within the boundaries of service levels, use policies and the pricing model.

Transparency and audits

Because the TraIT services are provided in a federated environment, a tailor-made quality management system for compliant security was required. The design and implementation of this QMS-CS is available for review by our customers. A Third Party Memorandum by a registered auditor, in conformance with ISAE 3000 Type 2, for the TraIT services is currently being considered.