PROGRAMMATIC DOCUMENT ON SECURITY (PDS)

PURPOSES AND PRINCIPLES
- Principle of good faith: the data must be collected and processed fairly and lawfully.
- Principle of purpose: the data must be collected and processed only for specified, explicit and legitimate purposes.
- Principle of correctness: the data must be accurate and kept up to date.
- Principle of pertinence: the data must be relevant, complete and not excessive in relation to the purposes for which they were collected.
- Principle of duration: the data must be kept only for as long as necessary for the purposes for which they were collected.

DEFINITIONS
Personal data
- Any information relating to a natural person, legal person, body or association, identified or identifiable even indirectly by reference to any other information, including an identification number.
Identification data
- The personal data that permit the direct identification of the interested party (the data subject).
Sensitive data
- Personal data suitable to reveal racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organisations of a religious, philosophical, political or trade-union character, as well as personal data suitable to reveal the state of health or sex life.

SUBJECTS
PRINCIPAL (HOLDER, i.e. the data controller)
The natural or legal person who decides the purposes and conditions of the processing of personal data and the tools used for it, including the security profile.
RESPONSIBLE (the data processor)
The natural or legal person, public authority, company, association or agency appointed by the holder to process personal data on its behalf.
DELEGATE (the person in charge of the processing)
The natural person authorised by the principal or by the responsible to carry out processing operations on personal data.
INTERESTED PARTY (the data subject)
The natural or legal person, public authority, company, association or agency to whom the personal data refer.
FORMAL REQUIREMENTS
- Information notice to the interested party and written, signed consent
- Notification and communication (in case of changes to the data or to the processing)
- Adoption of security measures
- Appointment of a responsible
SECURITY MEASURES
- Protection of the electronic instruments and of the data against unlawful processing and unauthorised access
- Keeping and updating of the PDS document
- Adoption of administrative procedures for the management of authentication credentials
- Use of an authorisation system
- Computer-based authentication
- Periodic review of the scope of processing allowed to each delegate and to the technicians who manage and maintain the electronic instruments
- Adoption of procedures for the custody of backup copies and for restoring the availability of the data and of the systems
- Adoption of encryption techniques for the processing of sensitive data, in particular data suitable to reveal the state of health
- Separation of sensitive data from the other data during processing
PROGRAMMATIC DOCUMENT ON SECURITY (PDS)
The PDS document, drawn up and updated every year by 31 March, includes:
- Types of data and nature of the processing
- Allocation of duties and responsibilities
- Analysis of the risks to the data
- Measures adopted to guarantee the integrity and availability of the data
- Criteria and procedures for restoring the data after damage or loss
- Planned training activities for the delegates
- Measures adopted to guarantee the security of the data when they are entrusted to a party outside the owner's organisation
- Measures adopted for the encryption or separation of sensitive data
Demographic, clinical, laboratory and therapeutic data of patients affected by rare bleeding disorders (RBDs) are stored in the international RBDs database (RBDD), located at the Luigi Villa Foundation, IRCCS Maggiore Hospital, Mangiagalli and Regina Elena, University of Milan, Via Pace 9, 20122 Milan, Italy. Records are stored without direct identifiers and each carries a unique identifier code. The code is linked to the patient's or donor's personal information (surname, first name, date of birth, sex, country, religion, kinship, ethnicity) through a so-called link table. The link table is managed by the Luigi Villa Foundation, which collects the clinical information and the linked biological samples and is the only structure with access to the personal records. The Luigi Villa Foundation is under no obligation to provide information on personal records. Because the link table allows any record to be re-identified, the records are pseudonymous rather than strictly anonymous and the link table itself must be protected as identifying data; for this reason the highest level of data protection is applied even though the research records carry no direct identifiers. The strategy for anonymity is outlined below.
The security architecture of the RBDD consists of the following components:
Security Policies and Security Plan
Data Confidentiality/Anonymity
The following identifiers of the individual, and of the individual's relatives, employers or household members, are removed:
- Names
- All geographic subdivisions smaller than a State, including street address, city, county, precinct and zip code
- All elements of dates (except the year) directly related to an individual, including date of birth, admission date, discharge date and date of death
- Telephone numbers
- Fax numbers
- Electronic mail addresses
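As an added illustration of the de-identification strategy described above (this is example code, not code from the RBDD project), the following Python splits a constructed patient record into an identifier-free research record and a link-table entry keyed by a random code. The field names, the sample record and the regular expressions used to scrub contact details out of free text are assumptions for the example; they are not the RBDD schema.

```python
import re
import secrets
from datetime import date

# Fields that identify the person directly and are dropped from the research
# record (the page's list: names, sub-state geography, telephone, fax, e-mail).
# Field names are assumed for this example, not the RBDD schema.
DIRECT_IDENTIFIERS = {
    "surname", "first_name", "telephone", "fax", "email",
    "street_address", "city", "county", "precinct", "zip_code",
}

# Fields kept in the link table next to the code (the page's own list).
LINK_TABLE_FIELDS = {
    "surname", "first_name", "birth_date", "sex", "country",
    "religion", "kinship", "ethnicity",
}

# Contact details that can leak through free-text fields such as clinical notes.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_PHONE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def year_of(value):
    """Reduce an ISO-8601 date to its year. A malformed date raises instead
    of being copied through, so a bad value cannot leak a full date."""
    return date.fromisoformat(value).year


def scrub_free_text(text):
    """Redact e-mail addresses and telephone/fax numbers inside free text."""
    text = _EMAIL.sub("[REDACTED-EMAIL]", text)
    return _PHONE.sub("[REDACTED-PHONE]", text)


class Pseudonymizer:
    """Splits a patient record into an identifier-free research record and a
    link-table entry keyed by a random code, as the RBDD strategy describes."""

    def __init__(self, code_factory=None):
        # code -> identity fields; in production this lives apart from the RBDD
        self._link_table = {}
        self._new_code = code_factory or (lambda: "RBD" + secrets.token_hex(6))

    def deidentify(self, record):
        anon = {}
        for key, value in record.items():
            if key in DIRECT_IDENTIFIERS:
                continue                                   # dropped outright
            if key.endswith("_date"):                      # keep only the year
                anon[key[: -len("_date")] + "_year"] = year_of(value)
            elif isinstance(value, str):
                anon[key] = scrub_free_text(value)
            else:
                anon[key] = value
        # Only after the record passed validation is a code issued and stored.
        code = self._new_code()
        while code in self._link_table:                    # never reuse a code
            code = self._new_code()
        self._link_table[code] = {k: record[k] for k in LINK_TABLE_FIELDS if k in record}
        return code, {"code": code, **anon}

    def reidentify(self, code):
        """Only the link-table holder (the Foundation) may perform this lookup."""
        return self._link_table.get(code)


# Constructed sample record: the person and all values are invented.
SAMPLE_RECORD = {
    "surname": "Rossi", "first_name": "Maria", "birth_date": "1975-03-14",
    "sex": "F", "country": "Italy", "city": "Milano", "zip_code": "20122",
    "street_address": "Via Pace 9", "telephone": "+39 02 5503 1234",
    "email": "m.rossi@example.org", "ethnicity": "European",
    "diagnosis": "FVII deficiency", "factor_level_pct": 3,
    "admission_date": "2009-11-02",
    "notes": "Follow-up by phone +39 02 5503 1234 or m.rossi@example.org",
}

if __name__ == "__main__":
    code, anon = Pseudonymizer().deidentify(SAMPLE_RECORD)
    print(code, anon)
```

Two points the list above does not spell out: free-text fields such as clinical notes can carry telephone numbers or e-mail addresses and need scrubbing as well, and because the link table re-identifies every record it must be stored and access-controlled separately from the research data. For a rare disease, year of birth, sex and country together may still single out a patient in a small population, so the residual re-identification risk should be assessed before records are shared.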
Database Security
Patients' records in the system can be queried by authorised users through a single user interface. Every request requires a valid login and password (assigned to each enrolled delegate) and a valid account that determines whether the requester is authorised to receive general information, analyses or reports.
Internet Security
Direct access to raw patient data is possible only through the Luigi Villa Foundation intranet.
Site Security
All application and database servers are located in the high-security section of the data processing service centre, and physical access is restricted to authorised personnel. Access to the intranet application requires username and password authentication. All employees must comply with the Luigi Villa Foundation policies on privacy; those who violate these policies are subject to disciplinary action, up to and including termination of employment.
Audit Plan and Procedures
Auditing is the monitoring and recording of the activities occurring within a specific application. The data warehouse and all web-based applications of the RBDD project are subject to audit. Different types of auditing procedures are appropriate for the different types of applications:
- ensuring that no unauthorised users remove data or access tables they do not have the privileges to see (security auditing)
- tracking the creation, modification and deletion of information (audit trail)
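The following Python example, added here and not part of the RBDD application, shows how the account-based authorisation described under Database Security and the two kinds of auditing listed above can be implemented together: every permission decision, including refusals, goes to a security log, and every creation, modification or deletion goes to an audit trail whose entries are hash-chained so that an edited, removed or reordered entry is detectable. The role names, permission sets and sample data are assumptions for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed mapping of the page's account types (general information, analysis,
# reports) plus the delegates who maintain records, to permitted operations.
ROLE_PERMISSIONS = {
    "general":  {"read_summary"},
    "analysis": {"read_summary", "read_record"},
    "reports":  {"read_summary", "read_record", "export_report"},
    "delegate": {"read_summary", "read_record", "create", "modify", "delete"},
}

GENESIS = "0" * 64   # prev-hash of the first audit entry


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class AuditedStore:
    """Records keyed by the anonymous code, with a security log (every
    permission decision) and a hash-chained audit trail (every change)."""

    def __init__(self):
        self.records = {}
        self.security_log = []   # who attempted what, and whether it was allowed
        self.audit_trail = []    # create/modify/delete, each linked to the previous entry

    def _authorise(self, user, role, action, code):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.security_log.append({"ts": _now(), "user": user, "role": role,
                                  "action": action, "code": code, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {code}")

    def _append_audit(self, entry):
        prev = self.audit_trail[-1]["hash"] if self.audit_trail else GENESIS
        entry = {**entry, "ts": _now(), "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.audit_trail.append(entry)

    def read(self, user, role, code):
        self._authorise(user, role, "read_record", code)
        return self.records[code]

    def create(self, user, role, code, data):
        self._authorise(user, role, "create", code)
        self.records[code] = dict(data)
        self._append_audit({"op": "create", "user": user, "code": code, "new": data})

    def modify(self, user, role, code, field, value):
        self._authorise(user, role, "modify", code)
        old = self.records[code].get(field)
        self.records[code][field] = value
        self._append_audit({"op": "modify", "user": user, "code": code,
                            "field": field, "old": old, "new": value})

    def delete(self, user, role, code):
        self._authorise(user, role, "delete", code)
        old = self.records.pop(code)
        self._append_audit({"op": "delete", "user": user, "code": code, "old": old})


def verify_audit_trail(trail):
    """Recompute the chain; an edited, removed or reordered entry breaks it."""
    prev = GENESIS
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    store = AuditedStore()   # constructed sample activity
    store.create("delegate1", "delegate", "RBD0001", {"diagnosis": "FVII deficiency", "factor_level_pct": 3})
    store.modify("delegate1", "delegate", "RBD0001", "factor_level_pct", 5)
    print(verify_audit_trail(store.audit_trail), store.security_log)
```

Keeping denied attempts in the security log is what makes the first audit goal above checkable: a user repeatedly refused "read_record" is the signal to look for. The hash chain only detects tampering with the in-memory trail; to survive a compromised server, the latest hash must also be written somewhere the application cannot modify, for example a separate log host.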
Backup and Recovery Plan and Procedures
The infrastructure of the Luigi Villa Foundation consists of different computers and operating systems; therefore a platform-independent central backup solution is in use. The backup media are magnetic tapes. A standard rotation strategy is used: a full backup is made once a week (every Friday) and incremental backups are performed on the other days, with one tape assigned to each day of the week. All daily media are replaced at least once a year so that tapes and disks are not overused. All backup media are kept in a location separate from the computers and protected against fire, flood and theft. Additionally, all backup files are stored in encrypted form.
The recovery procedures will be thoroughly tested to ensure that:
- each operator knows how to perform every form of recovery with confidence
- the backup and recovery strategies are completely analysed.
Besides the technical operations, additional effort will be made so that managers and all system support staff understand the various forms of backup and recovery available.
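As an added example of the rotation scheme described above (not the Foundation's own backup tooling), the following Python works out which tapes are needed to restore the data as of a given day, what can still be restored when a tape turns out to be unreadable, and which tapes are due for their yearly replacement. The weekday labels and the sample dates are constructed for the example.

```python
from datetime import date, timedelta

FULL_BACKUP_WEEKDAY = 4          # Friday (Monday == 0), as the rotation scheme states
WEEKDAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
TAPE_RETIREMENT_DAYS = 365       # media replaced at least once a year


def backup_kind(day):
    """Full backup on Friday, incremental on every other day."""
    return "full" if day.weekday() == FULL_BACKUP_WEEKDAY else "incremental"


def tape_label(day):
    """One tape per day of the week, so the tape is identified by its weekday."""
    return WEEKDAY_NAMES[day.weekday()]


def last_full_backup(day):
    """Most recent Friday on or before the given day."""
    return day - timedelta(days=(day.weekday() - FULL_BACKUP_WEEKDAY) % 7)


def restore_chain(target):
    """Ordered list of (kind, date, tape) needed to rebuild the data as of
    `target`: the last full backup, then every incremental up to the target."""
    chain = []
    day = last_full_backup(target)
    while day <= target:
        chain.append((backup_kind(day), day, tape_label(day)))
        day += timedelta(days=1)
    return chain


def latest_recoverable(target, unreadable_tapes):
    """Given tapes known to be unreadable, return the latest date whose state
    can still be rebuilt, or None if the full backup itself is lost: an
    incremental chain is only as good as its weakest link."""
    recovered = None
    for _kind, day, label in restore_chain(target):
        if label in unreadable_tapes:
            break
        recovered = day
    return recovered


def tapes_due_for_replacement(first_used, today):
    """`first_used` maps tape label -> date the tape entered service."""
    return sorted(label for label, since in first_used.items()
                  if (today - since).days >= TAPE_RETIREMENT_DAYS)


if __name__ == "__main__":
    # Constructed dates: 2024-05-10 is a Friday, 2024-05-15 a Wednesday.
    for item in restore_chain(date(2024, 5, 15)):
        print(item)
    print(latest_recoverable(date(2024, 5, 15), {"Mon"}))
```

The chain makes the practical consequences of the scheme visible: restoring any day needs the last Friday full plus every incremental since, so an unreadable incremental loses everything after it and a lost Friday tape loses the whole week; and because each weekday tape is overwritten seven days later, no state older than the last full backup can be restored. Recovery tests should exercise exactly these cases, and the keys used to encrypt the backup files must be recoverable independently of the systems being restored.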
Risk analysis

Operator behaviour (risk level: low)
- theft of authentication credentials; lack of awareness; carelessness or negligence; disloyal or fraudulent conduct; material error
Events related to the instruments (risk level: low)
- computer viruses or other malicious programs; acts of sabotage; instruments damaged or out of order; unauthorised external access; interception of information
Events related to the natural and physical context
- unauthorised entry into restricted areas; theft of instruments containing data (risk level: medium)
- damaging events, natural or man-made, accidental or deliberate; failure of supporting systems; human error (risk level: low)