The European Rett Syndrome Patient Registry places a high priority on ensuring that all data collection activities comply with GDPR regulations, particularly with respect to obtaining explicit consent from participants or their legal guardians. This section outlines the processes for managing and tracking consent throughout the registry.
Consent Collection
Consent is required before any personal or sensitive data can be collected from participants or their legal guardians. This includes demographic information, genetic data, medical history, and caregiver information.
Key Principles:
Explicit Consent: Consent must be clearly and explicitly given by the participant or legal guardian. No data is collected without this.
Informed Consent: Participants are provided with full details of how their data will be used, who will have access to it, and their rights under GDPR.
Right to Withdraw: Participants have the right to withdraw consent at any time. Upon withdrawal, their data will be anonymized or deleted as required by GDPR.
How Consent is Obtained:
Private Area Access: Consent is collected through the authenticated private area, where participants or legal guardians can view and agree to the data usage terms before interacting with any features.
File Uploads: Before uploading any documents (e.g., genetic reports), participants are required to give consent for the processing and storage of these files.
Surveys: Each survey sent to participants includes a consent prompt, ensuring that participants understand how their responses will be used.
Consent Tracking and Documentation
To ensure compliance, the system tracks and stores detailed information about each consent provided by participants. This information is maintained in the system as long as it is legally required.
Consent Tracking Includes:
Date and Time of Consent: The exact timestamp when consent was given.
Form or Action: The specific form or action (e.g., survey submission, onboarding, file upload) that required consent.
Participant Details: The identity of the participant or legal guardian who provided the consent.
IP Address: When necessary, the IP address from which consent was given may be logged for additional verification.
Audit Logs: All consent actions are recorded in an audit log for compliance and accountability purposes.
Consent for Minors and Legal Guardianship
In cases where the participant is a minor or unable to provide consent on their own, legal guardians are responsible for providing consent. The system accommodates this by allowing legal guardians to act on behalf of the patient.
Key Provisions:
Guardian Consent: Legal guardians must explicitly confirm their status and provide consent on behalf of the minor or dependent.
Verification: Additional verification steps may be taken to ensure that the person providing consent is the authorized legal guardian.
Right to Withdraw Consent
Participants or legal guardians have the right to withdraw consent at any time, in accordance with GDPR. The system is designed to facilitate this process smoothly.
Withdrawal Process:
Request for Withdrawal: Participants can submit a withdrawal request via the registry’s contact options or through the system's user interface.
Anonymization: Upon withdrawal, all personally identifiable information will be anonymized, ensuring that the participant’s data cannot be traced back to them.
Data Deletion: In cases where anonymization is not feasible, the data will be securely deleted from the system, and a record of the withdrawal will be stored in the audit logs.
Confirmation: Once the withdrawal is processed, the participant or legal guardian will receive confirmation that their data has been removed or anonymized.
Compliance with GDPR
The consent management process fully complies with GDPR, ensuring that participants are informed, their consent is obtained and tracked properly, and their right to withdraw is respected.
GDPR Key Requirements:
Transparency: Participants are fully informed of how their data will be used.
Data Minimization: Only the necessary data is collected, and participants are made aware of the scope.
Right to Access: Participants have the right to request access to the data collected on them, including their consent records.
Right to Erasure: Participants can request the erasure of their data if they withdraw consent or if the data is no longer necessary for the registry’s purposes.
Auditing and Accountability
All consent actions, including the provision and withdrawal of consent, are logged in the audit trail. This provides a clear record for regulatory bodies and helps ensure the registry’s compliance with legal and ethical standards.
Audit Logs: Every consent-related action is recorded, ensuring that compliance with GDPR is verifiable.
Regular Audits: Internal and external audits can be conducted to verify that consent is being managed in line with regulatory requirements.
Ongoing Consent Review
As the project evolves and new features are added, participants or their legal guardians may be asked to re-confirm their consent if new types of data are collected or if the data use changes.
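The consent record fields, the withdrawal path (anonymize, or delete where anonymization is not feasible, with the withdrawal always audited) and the re-confirmation rule in this section can be modelled as one small store. The following is an added illustration, not the registry's own code; the terms-version scheme, the action names and the field layout are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
CURRENT_TERMS_VERSION = 2  # bumped whenever the data-use terms change (assumed scheme)

@dataclass
class ConsentRecord:
    participant_id: Optional[str]  # None once the record has been anonymized
    action: str                    # e.g. "onboarding", "file_upload", "survey:42"
    given_at: datetime
    terms_version: int
    by_guardian: bool = False      # consent given on behalf of a minor or dependent
    ip_address: Optional[str] = None

@dataclass
class ConsentStore:
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # append-only compliance trail

    def _audit(self, event, participant_id, **extra):
        self.audit_log.append({"event": event, "participant": participant_id,
                               "at": datetime.now(timezone.utc).isoformat(), **extra})

    def record_consent(self, participant_id, action, by_guardian=False,
                       ip_address=None, terms_version=CURRENT_TERMS_VERSION):
        rec = ConsentRecord(participant_id, action, datetime.now(timezone.utc),
                            terms_version, by_guardian, ip_address)
        self.records.append(rec)
        self._audit("consent_given", participant_id, action=action, by_guardian=by_guardian)
        return rec

    def consent_status(self, participant_id, action):
        # 'ok', 'reconfirm' (terms changed since consent was given) or 'missing'
        mine = [r for r in self.records if r.participant_id == participant_id and r.action == action]
        if not mine:
            return "missing"
        return "ok" if mine[-1].terms_version == CURRENT_TERMS_VERSION else "reconfirm"

    def withdraw(self, participant_id, anonymizable=True):
        # Anonymize, or delete when anonymization is not feasible; the withdrawal is always audited.
        mine = [r for r in self.records if r.participant_id == participant_id]
        if anonymizable:
            for r in mine:  # strip every field that could identify the participant
                r.participant_id, r.ip_address = None, None
            outcome = "anonymized"
        else:
            self.records = [r for r in self.records if r.participant_id != participant_id]
            outcome = "deleted"
        self._audit("consent_withdrawn", participant_id, outcome=outcome, records=len(mine))
        return outcome
```

A feature gate would call `consent_status` before allowing an upload or survey and redirect to the consent prompt on "missing" or "reconfirm".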