data management plan - interim version...7 storage, backups and data recovery 52 8 archiving and...

“ThisprojecthasreceivedfundingfromtheEuropeanUnion’sHorizon2020researchandinnovationprogrammeundergrantagreementNo690211”

DeliverableNumber:D7.7,version:2.0

DataManagementPlan-interimversion

CAREGIVERSPRO-MMDPROJECT

Ref. Ares(2017)3305207 - 30/06/2017

D7.7DataManagementPlan-InterimVersion

CAREGIVERSPRO-MMD

D7.7DataManagementPlan–InterimVersion:Page2of90

Documentinformation

ProjectNumber 690211 Acronym CAREGIVERSPRO-MMD

Fulltitle Self-managementinterventionsandmutualassistancecommunityservices,helpingpatientswithdementiaandcaregiversconnectwithothersforevaluation,supportandinspirationtoimprovethecareexperience

Projectcoordinator UniversitatPolitècnicadeCatalunya-BarcelonaTech

Prof.UlisesCortés,[email protected]

ProjectURL http://www.caregiversprommd-project.eu

Deliverable Number D7.7 Title DataManagementPlan-interimversion

Workpackage Number WP7 Title Dissemination,Communication,ExploitationandBusinessPlanning

Dateofdelivery Contractual 31/06/2017 Actual 30/04/2016

Nature ReportþDemonstratorpOtherp

DisseminationLevel PublicþConsortiump

Keywords

Authors(Partner) AtiaCortés(UPC),CristianBarrué(UPC),UlisesCortés(UPC),GabrielVerdejo(UPC),ParaskeviZafeiridi(UHull),AnastasiaMatonaki(QPL),IoannisPagliokas

(CERTH),IsabelleLandrin(CHU),RafadeBofarull(MDA)

ResponsibleAuthor CristianBarrué Email [email protected]

Partner UPC Phone +34934134011


CAREGIVERSPRO-MMD


DocumentVersionHistory

Version Date Status Author Description

1.0 26-06-2016 Draft AtiaCortés(UPC) IntegrationofEthicssectiontopreviousversion(D7.3)

1.1 07-07-2016 Draft CristianBarrué(UPC) Integration of anonymisationsection

1.2 15-07-2016 Draft Cristian Barrué (UPC),AtiaCortés(UPC)

IntegrationofPIA

1.5 30-11-2016 Draft Cristian Barrué (UPC),all

IntegrationofDatasets

1.6 13-01-2017 Draft UPC Annex 2: description ofdatasetsDocumentreview

1.7 20-04-2017 Draft Consortium, CristianBarrue (UPC), Rafa deBofarull(MDA)

UpdateofAnnex2,changesinthedatasets

1.8 15-05-2017 Draft UPC Integrationofnewsectionsforsecurity and data breachprocedures

1.9 01-06-2017 Draft UPC UpdateofAnnex2, reworkofsection3accordingly

2.0 26-06-2017 Draft Ioannis Pagliokas(CERTH), AnastasiaMatonaki (QPL),Paraskevi Zafeiridi (UHull), Marco antomarini (COOS), Isabelle Landrin (CHU), Cristian Barrué (UPC)

Review of the document,dataset refinement.Integration.


CAREGIVERSPRO-MMD


Executivesummary

This isa livedocumentthatdescribesthedifferentprocessesregardingdatamanagement,storage and exploitation that are to be agreed and adopted by every member of theCAREGIVERSPRO-MMD Consortium. Over the course of the project this document will bereviewedandupdated.Additionalinformationonthedatastructureorthemethodology,achangeinresponsibilityforataskorinthebudget,maybeincludedinfutureversionsoftheDataManagementPlan. This is the seconddeliverableof thisdocument, includingprivacyimpactassessment,ethicalaspectsofthedata,databreachprotocols,datasetsdefinitionatdatabaselevelandmoredetailsonthesharingpolicies.


CAREGIVERSPRO-MMD


ListofAcronyms

Acronym Title

AB AdvisoryBoard

CERIF CommonEuropeanResearchInformationFormat

CERTH CenterforResearchandTechnologyHellas

CHU CentreHospitalierUniversitairedeRouen

CNIL CommissionNationaledel’InformatiqueetdesLibertés

COOS CooperativaSocialeCOOSSMarche

C-MMD CAREGIVERSPRO-MMD

DMP DataManagementPlan

DoA DescriptionofAction

FUB Fundació-UniversitatdelBages

HONCode HealthOntheNetCode

HUL UniversityofHull

ICO InformationCommissioners’Office

MDA MobileDynamics

PIA PrivacyImpactAssessment

PLWD PersonLivingWithDementia

QA QualityAssurance

QC QualityControl

UPC UniversitatPolitècnicadeCatalunya

VM VirtualMachine


CAREGIVERSPRO-MMD


ListofTablesTable1ProjectFactSheet.......................................................................................................10

Table2PersonalDataset.........................................................................................................11

Table3ScreeningDataset.......................................................................................................13

Table4AdverseEventsDataset..............................................................................................15

Table5TreatmentDataset......................................................................................................16

Table6InterventionDataset...................................................................................................18

Table7DisseminationDataset................................................................................................20

Table8UserInteractionDataset............................................................................................20

Table9MedicalReportDataset.............................................................................................21

Table10UserGamificationModelDataset............................................................................23

Table11BackendGamificationModelDataset......................................................................24

Table12UserInterfaceDataset.............................................................................................26

Table13RecommenderDataset............................................................................................27

Table14PilotDataDataset.....................................................................................................28

Table15InterventionFeedbackDataset................................................................................30

Table16UserGamificationInteractionHistoryDataset.........................................................31

Table17GameHistoryDataset..............................................................................................32

Table18NotificationsDataset...............................................................................................33

Table19DatasetSummary.....................................................................................................34

ListofFiguresFigure1Anonymisation&SecuritySchema...........................................................................45

Figure2C-MMDInformationOverview..................................................................................57

Figure3C-MMDDataFlowdiagram.......................................................................................58

Figure4IfRestrictedDataispresentonthecompromisedsystem,theCriticalIncidentResponse(CIR)isfollowed..............................................................................................84


CAREGIVERSPRO-MMD


Tableofcontents

1 INTRODUCTION 9

2 PROJECTINFORMATION 10

3 DATA,MATERIALS,RESOURCESCOLLECTIONINFORMATION 113.1 DESCRIPTIONOFTHEDATA 11

PERSONALDATASET 11SCREENINGDATASET 13ADVERSEEVENTDATASET 15TREATMENTDATASET 16INTERVENTIONDATASET 18DISSEMINATIONDATASET 20USERINTERACTIONDATASET 20MEDICALREPORTDATASET 21USERGAMIFICATIONMODELDATASET 23BACKENDGAMIFICATIONMODELDATASET 24USERINTERFACEDATASET 26RECOMMENDERDATASET 27PILOTDATADATASET 28INTERVENTIONFEEDBACKDATASET 30USERGAMIFICATIONINTERACTIONHISTORYDATASET 31GAMEHISTORYDATASET 32NOTIFICATIONSDATASET 33DATASETSUMMARY 34

3.2 QUALITYASSURANCEPROCESS 39

4 PRIVACYANDSECURITYOFTHEDATA 404.1 INFRASTRUCTURE 404.2 ADOPTEDSECURITYMEASURES 414.3 OVERVIEWOFROLES 424.4 INFORMATIONSYSTEMARCHITECTUREANDDATA 434.5 PRIVACYIMPACTASSESSMENT 454.6 SECURITY/DATABREACHMANAGEMENT 474.7 ANONYMISATION 47

ANONYMISATIONIMPLEMENTATIONINC-MMD 48DATADISSEMINATION 49

5 ETHICS,INTELLECTUALPROPERTY,CITATION 495.1 ETHICS 495.2 INTELLECTUALPROPERTY 515.3 CITATION 51

6 ACCESSANDUSEOFINFORMATION 52

7 STORAGE,BACKUPSANDDATARECOVERY 52

8 ARCHIVINGANDFUTUREPROOFINGOFINFORMATION 53


CAREGIVERSPRO-MMD


8.1 BESTPRACTICESFORFILEFORMATS 54PROPRIETARYVSOPENFORMATS 54GUIDELINESFORCHOOSINGFORMATS 54SOMEPREFERREDFILEFORMATS 54

9 AUDITS 55

10RESOURCINGOFDATAMANAGEMENT 5510.1 ROLESINDATAMANAGEMENT 5510.2 FINANCIALDATAMANAGEMENTPROCESS 55

11REVIEWOFDATAMANAGEMENTPROCESS 55

ANNEX1-C-MMDPRIVACYIMPACTANALYSIS 56A1.1IDENTIFYINGTHENEEDFORAPIA 56A1.2DESCRIBINGINFORMATIONFLOWS 56

A1.2.1INFORMATIONOVERVIEW 56A1.3IDENTIFYINGPRIVACYANDRELATEDRISKS 58A1.4IDENTIFYINGANDEVALUATINGPRIVACYSOLUTIONS 63

ANNEX2-C-MMDDATASETS 66

ANNEX3-SECURITY/DATABREACHMANAGEMENTPROTOCOL 83


CAREGIVERSPRO-MMD


1 IntroductionThis document presents the second version of the DataManagement Plan (DMP) for theCAREGIVERSPRO-MMDproject.ProjectsfundedbyintheHorizon2020OpenResearchDataPilotare required todevelopseveralversionsofaDMP, inwhich theywill specify,amongothers,what datawill be kept for the longer term. In the case of CAREGIVERSPRO-MMD,which isnotparticipating in theOpenResearchDataPilot, theDMP ispresentedasa toolthat can improve pilot preparation and result analysis. The Consortium will follow theguidelines described in the OpenAire1 platform and the document “Guidelines on DataManagement in Horizon 2020”. A DMP describes the data management life cycle for alldatasetstobecollected,processedorgeneratedbyaresearchproject.Itmustcover:

• themanagementofresearchdataduring&aftertheproject;

• whatdatawillbecollected,processedorgenerated;

• whatmethodology&standardswillbeapplied;

• whetherdatawillbeshared/madeopenaccess&how;

• howdatawillbecurated&preserved.

The Data Management Plan has been updated during the project lifetime since versionpresented in D7.3. New versions of the DMP are also developed whenever significantchangesariseintheproject(mainlysubjecttoethicalapproval)suchas:

• newdatasets;

• changesinconsortiumpolicies;

• externalfactors.

1https://www.openaire.eu/opendatapilot-dmp


CAREGIVERSPRO-MMD


2 ProjectInformation

Inthissectionweprovideabrieffactsheetoftheprojectdetailsandassociateddatamanagementrequirements

Table1ProjectFactSheet

ProjectTitle CAREGIVERSPRO-MMD

ProjectDuration 36months(01/01/16-31/12/18)

Partners

• UniversitatPolitècnicadeCatalunya(UPC,Spain)• MobileDynamics(MDA,Spain)• UniversityofHull(HUL,UK)• Q-PLANInternationalLTD(QPL,Greece)• CooperativaSocialeCOOSSMarche(COO,Italy)• Fundació-UniversitatdelBages(FUB,Spain)• CentreHospitalierUniversitairedeRouen(CHU,

France)• CenterforResearchandTechnologyHellas(CERTH,

Greece)

BriefDescription

Self-management interventions and mutual assistance

community services, helping patients with dementia and

caregiversconnectwithothers forevaluation,supportand

inspirationtoimprovethecareexperienceUniversityRequirementsforDataManagement

UPCisresponsibleforallocatingdatainasafeenvironment,

maintainingback-upsandprocessingthedatageneratedFundingBody EuropeanCommission(Horizon2020PHC-25-2105)

GrantNumber 690211

Budget 4.087.198,75€

FundingBodyRequirementsforDataManagement

ForOpenDataprojects,theonesspecifiedinGuidelinesonDataManagementinHorizon20202.

2https://ec.europa.eu/research/participants/data/ref/h2020/grants_manual/hi/oa_pilot/h2020-hi-oa-data-mgt_en.pdf


CAREGIVERSPRO-MMD


3 Data,Materials,ResourcesCollectionInformation

Thepurposeofthissectionistoprovideafulldescriptionofthedatathatwillbegeneratedand stored during this project. The information provided below might be adapted orupdatedinfutureversionsofthisdocument.

3.1 Descriptionofthedata

Most of the datawill be generated through the use of the CAREGIVERSPRO-MMD onlineplatformbydifferentusergroups,i.e.healthandsocialprofessionals,caregiversandpeoplelivingwith dementia (PLWD). Each user categorywill have access to personalised contentand will be able to generate different types of information according to the permissionsgranted.

Foreachuseroftheplatform,differentdatasetsdescribedinthissectionmaybegenerated.Additionaldatasetsmaybegenerated in the future.Thedatawill alsobecollectedbeforeandafterthepilotphaseoftheprojectatthescreeningandbaselineresearchvisits.

Theplatformwillalsoprovidemeanstoassessandstoredatanotdirectlyproducedbyusersi.e. the interaction among users and the evolution on their activity in the social network,whichwillalsobesubjecttofurtheranalysis.

AnopensourcesurveyingtoolLimeSurvey3hasbeenconfiguredanddeployedtostoretheresults of the screening sessions that clinicians will perform every six months with pilotparticipants.Thistoolwillonlybeaccessedbyauthorisedhealthandsocialprofessionals.

PersonalDataset

Table2PersonalDataset

Datasetreferenceandname

C-MMD-Personal

Datasetdescription

This data set contains all the personal, demographic, medical and social datacaptured through the registration tools integrated in the C-MMDplatform for thedyad (PLWD and caregiver) and the health professionals. The registration toolcollectsstandard personal information. i.e. as described in EU Data ProtectionDirective(95/46/EC)4:

"Personaldata”shallmeanany informationrelatingtoan identifiedor identifiablenaturalperson ('DataSubject');an identifiableperson isonewhocanbe identified,directlyorindirectly,inparticularbyreferencetoanidentificationnumberortooneormore factors specific tohisphysical,physiological,mental,economic, culturalor

3http://www.limesurvey.org4http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML


CAREGIVERSPRO-MMD


socialidentity.

Therefore,thenatureofthedatacorrespondstothevaluesusedtorepresentsuchconcepts (e.g. text, integers). The specifics of the captured data is described insection2.3.1ofdocumentD1.3ScreeningStrategy.

DetailsonthisdatasetcanbefoundinAnnex2.

Standardsandmetadata

Datawillbestoredeachtimeauser(beitaPLWD,caregiverorhealthprofessional)registerstotheplatformormodifieshis/herprofile. It isexpectedthatdatawillbestored in aMySQL database, using noSQL database for complementary purposes.Recordswillalsoberelated(andidentified)withotherdatasetsandthedatewhenthedatawasrecorded.

Metadatawillincludeinformationabouttheprofilecreationtime,rangeofpossiblevalues, etc. This metadata will beassociated to each table and will follow theCommonEuropeanResearchInformationFormat(CERIF)metadatastandard5.

Datasharing

General

ThisdatasetwillnotbesharedoutsideoftheConsortiumboundariesforethicalandsecurity reasons. Each dataset record belongs to the user and to the Consortiumpartnerresponsiblefortheuser.Onlytheuser,peopleauthorisedbyhim/her(e.g.caregiver)andauthorisedpersonnelof theConsortiumpartner responsible for theuser,canaccesstherecord.

Platform

Datawill be available to the user and people authorised by them through the C-MMD platform. A small part of the dataset will be openly accessible by platformusers (i.e. name and profile picture or avatar) to enable social networking.Authorisedpersonnel6ofthepilotpartnergeneratingthedatawillbeabletoaccessaggregateddatainperiodicreportsandwillbeabletoaccessrawdatadumpedfromthe database in csv files or through aweb service.Each accesswill beidentifiableand traceable. The platform software will process the raw dataset to offer theplannedservices(seeD3.1DetailedsystemArchitecture).

Consortium

DatasetrecordswillbesharedamongdefinedConsortiumpartnersanonymisedforresearch purposes to be used for the tasks of the project. Anonymisation is thestandardprocedurefollowedtopreserveconfidentialityofparticipants.

Eachparticipant(e.g.PLWD,caregiver,healthcareprofessional)willsignaninformed

5http://www.eurocris.org/cerif/main-features-cerif6Pilotresponsiblewillbeinchargeofauthorisingpersonnel,employeesoftheConsortium.


CAREGIVERSPRO-MMD


consentatrecruitmentphaseauthorizingaccesstoalloftheirdata(raw,aggregated,anonymised)intheconditionsdescribedhereby.Userswillagreetotheanonymisedandaggregateddatabeingusedforresearchandpossiblycommercialexploitation.

ThedatarepositorywillbeintheC-MMDhostintheUPCpremises(moredetailsaregiven in section 6). UPC, CERTH andMDA software components will process thisdatasetanonymisedtooffertheplatformservices.

Specific data exchange agreements have been signed between the partnersproducingsoftwareandeachpilot.

Archivingandpreservation(includingstorageandbackup)

See§7and§8.

ScreeningDataset

Table3ScreeningDataset


C-MMD-Screening

Datasetdescription

Thisdatasetcontainsalltheclinicalandsocialdatacapturedthroughthescreeningtools integrated in the C-MMD platform for the dyad (PLWD and caregiver). Thescreening tools implementstandard evaluation scales for different conditions(physical, psychosocial, neurological, functional,etc.). Therefore, the nature of thedatacorrespondstothevaluesusedtoevaluatesuchscales.Detailsofthescreeningstrategy can be found in the documentD1.3 Screening Strategy,where the list ofusedscalesisdetailed



The data will be stored following the standard numeric scales defined by eachscreening tooleach timethatauser (be itPLWD,caregiverorhealthprofessional)usesoneofthescreeningtools.ThedatawillbestoredinaMySQLdatabase,usingnoSQL database for complementary purposes. Records will also be related (andidentified)withtheusertowhichtherecordeddatabelongandthedatewhenthedatawasrecorded.

Metadata will include information about the scale recorded, range of possible


CAREGIVERSPRO-MMD


values,etc.ThismetadatawillbeassociatedtoeachtableandwillfollowtheCERIFmetadatastandard.

Datasharing

General


Platform

Datawill be available to the user and people authorised by them through the C-MMD platform. A small part of the dataset will be openly accessible by platformusers (i.e. name and profile picture) to enable social networking. Authorisedpersonnel7ofthepilotpartnergeneratingthedatawillbeabletoaccessaggregateddata in periodic reports and will be able to access raw data dumped from thedatabase in csv files or through aweb service.Each accesswill beidentifiable andtraceable.Theplatformsoftwarewillprocess therawdataset inorder tooffer theplannedservices(seeD3.1DetailedsystemArchitecture).

Consortium


Eachparticipant(e.g.PLWD,caregiver,healthcareprofessional)willsignaninformedconsentatrecruitmentphaseauthorizingaccesstoallhis/herdata(raw,aggregated,anonymised)intheconditionsdescribedhereby.Userswillagreetotheanonymisedandaggregateddatabeingusedforresearchandpossiblycommercialexploitation.




See§7and§8.

7Pilotresponsiblewillbeinchargeofauthorisingpersonnel,employeesoftheConsortium.


CAREGIVERSPRO-MMD


AdverseEventDataset

Table4AdverseEventsDataset


C-MMD-AdverseEvent

Datasetdescription

This data set contains all the recorded adverse events for each user capturedthrough the specific tool integrated in the C-MMDplatform for that purpose. Theadverse events dataset records the description of the event, the starting and enddates,theseverityandoutcomes.



ItisexpectedthatdatawillbestoredinaMySQLdatabase,usingnoSQLdatabaseforcomplementary purposes. Records will also be related (and identified) with otherdatasetsandthedatewhenthedatawasrecorded.

Metadatawill includeinformationabouttheeventcreationtime,rangeofpossiblevalues, etc. This metadata will beassociated to each table and will follow theCommonEuropeanResearchInformationFormat(CERIF)metadatastandard8.

Datasharing

General


Platform

DatawillbeavailabletothehealthcareprofessionalandpeopleauthorisedbythemthroughtheC-MMDplatform.Authorisedpersonnel9ofthepilotpartnergeneratingthedatawillbeabletoaccessanonymiseddatainperiodicreportsandwillbeableto access raw data dumped from the database in csv files or through a webservice.Each access will beidentifiable and traceable. The platform software willprocess the raw dataset to offer the planned services (see D3.1 Detailed systemArchitecture).

8http://www.eurocris.org/cerif/main-features-cerif9Pilotresponsiblewillbeinchargeofauthorisingpersonnel,employeesoftheConsortium.


CAREGIVERSPRO-MMD


Consortium



ThedatarepositorywillbeintheC-MMDhostintheUPCpremises(moredetailsaregiven in section 6). UPC, CERTH andMDA software components will process thisdatasetanonymisedinordertooffertheplatformservices.



See§7and§8.

TreatmentDataset

Table5TreatmentDataset


C-MMD-Treatment

Datasetdescription

This dataset contains all the treatment information for each dyad. The treatmentinformationwillcomefrom:(1)aspecifictoolsetintegratedintheplatformforthatpurpose, (2) through the API to connect with national healthcare systems wherepossible. The nature of the data corresponds to medication descriptions, doses,schedules and follow-up of the adherence.More details on treatment adherenceserviceand information tobegatheredcanbe foundonsections10.2and10.3ofdeliverableD1.1AccessibilityReport.



Thedatawillbestoredfollowingthenumeric/textstandardseachtimethatauser(be it PLWD, caregiver or health professional) uses the treatment managementinterface to introduceormodify informationabout thepharmacological treatmentbeingfollowedandtheadherenceregimetothetreatment.Thedatawillbestored


CAREGIVERSPRO-MMD


inaMySQLdatabase,usingnoSQLdatabaseforcomplementarypurposes.Recordswillalsoberelated(andidentified)withtheusertowhichtherecordeddatabelongandthedatewhenthedatawasrecorded.

Metadatawillincludeinformationaboutthedatarecorded,rangeofpossiblevalues,etc. This metadata will beassociated to each table and will follow the CERIFmetadatastandard.

Datasharing

General


Platform

Datawill be available to the user and people authorised by them through the C-MMD platform. A small part of the dataset will be openly accessible by platformusers (i.e. name and profile picture) to enable social networking. Authorisedpersonnel10ofthepilotpartnergeneratingthedatawillbeabletoaccessaggregateddata in periodic reports and will be able to access raw data dumped from thedatabase in csv files or through aweb service.Each accesswill beidentifiable andtraceable.Theplatformsoftwarewillprocess therawdataset tooffer theplannedservices(seeD3.1DetailedsystemArchitecture).

Consortium








CAREGIVERSPRO-MMD


See§7and§8.

InterventionDataset

Table6InterventionDataset


C-MMD-Intervention

Datasetdescription

This data set contains all the intervention contents created by the consortiummembers during the lifetime of the project. These intervention contents includeposts,articles,tips,multimedia,tutorials,webinars,cognitivegamesandanykindofeducational content produced to support the caregiving process and the healthyageing lifestyle following the strategy outlined in deliverable D1.3 InterventionStrategy and Contents. These intervention contents will be introduced in theplatform through a specific tool designed for that purpose by the consortium.Standards inmultimediaand textposts storagewillbe followed.Tobenoted thatinteractive interventions (e.g. Serious Games) are settled in this dataset as well.Those interventions followadifferent route toupload their content and finallybeavailabletousers:theyareauthoredusingsoftwaredevelopmenttoolsexternaltothe C-MMD platform and finally they will become available through the standardcontentmanagementtoolsusedforotherinterventionsbyprovidingalink.




CAREGIVERSPRO-MMD


The data will be stored following the standard text/media formats following bestpracticesfordatamanagement(seesection6).Thedatawillbestored inaMySQLdatabase,usingnoSQLdatabase forcomplementarypurposes.Recordswillalsoberelated(andidentified)withtheuserauthoringthecontentsandthedatewhenthedatawasrecorded.

As explained in section 5.1 of DoA and later in this document in section 4, allcontentscreatedwillfollowtheHONCodeandwillprovideatraceablereviewboard.Ifthe interventionisnotanoriginalcreationoftheconsortium,theoriginalsourcewillbeproperlycitedandreferenced.

Metadatawillincludeinformationabouttheinterventionrecordedandalistoftagsorkeywordsthatrelatethecontentwithspecificsymptoms,conditionsorproblemsthat the content refers to (e.g. a video about Alzheimer could have the tagsAlzheimer,dementia,cognitivedecline,etc.)ThismetadatawillbeassociatedtoeachtableandwillfollowtheCERIFmetadatastandard.

Datasharing

EachdatasetrecordbelongstotheConsortiumpartnerresponsibleforcreatingitifitisoriginalcontent.AlltheConsortiumandsuitableusers11areauthorisedtoaccesstherecordedcontents.Datawillbeavailabletousersandpeopleauthorisedbythemthrough the C-MMD platform. Aggregated data about the amount of contentsgeneratedandspecificmetadata(e.g.tags)willbeavailableaswellasaccesstorawdatadumpedfromthedatabaseinfilestoselectedConsortiummembers.

Datasetrecords,particularlyaggregateddata,willbesharedamongtheConsortiumpartnersforresearchpurposestobeusedinthetasksoftheproject.

Original contents may be commercially exploited under internal ConsortiumagreementstobedefinedinthefutureD7.9.BusinessPlan–finalversion.

ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetails in§6).UPC,CERTHandMDAsoftwarecomponentswillprocessthisdatasetanonymisedtooffertheplatformservices.



See§7and§8.

11Inthecaseofpatientsorcaregivers,contentsshouldbeavailabledependingontheirspecificneeds


CAREGIVERSPRO-MMD


DisseminationDataset

Table7DisseminationDataset


C-MMD-Dissemination

Datasetdescription

This data set contains all the dissemination contents created by the consortiummembers during the lifetime of the project. These dissemination contents includescientificpapers,newsletters,multimedia,pressarticles,listsofevents,contactlistsand any kind of dissemination content produced to support the communicationactivitiesof theproject anddisseminationof results. These contents created fromdifferentsourceswillbestoredinadatabase/filesystem.


The data will be stored following the standard text/media formats following bestpractices for data management (see section 6). Records will also be related (andidentified)with the user authoring the contents and the datewhen the datawasrecorded.

Metadatawillincludeinformationaboutthedisseminationdatarecorded,thetargetaudience, identifier (i.e. DOI, URI), authors, title of the publication, time ofpublication, related event (e.g. conference, forum, etc.) and a list of tags orkeywords that relate thecontentwith specific topicsor results.ThismetadatawillbeassociatedtoeachtableandwillfollowtheCERIFmetadatastandard.

Datasharing

EachdatasetrecordbelongstotheConsortiumpartner/sresponsibleforcreatingit.Thesecontentsareopenforaccess.

ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetailsin§6).


See§7and§8.

UserInteractionDataset

Table8UserInteractionDataset



CAREGIVERSPRO-MMD


C-MMD-UserInteraction

Datasetdescription

Thisdatasetcontainstheaggregationofallthecontentcreatedbytheuserswhileinteractingwith C-MMD’s social network during the lifetime of the project. Theseusergeneratedcontentsincludenumberofposts,numberofcomments,numbersoflikes,numberofscalestaken,etc.




Metadatawill includeinformationaboutthecontentrecorded,thetargetaudience(e.g.friends),contextwhereitwaspublished,dateofpublishing,etc.ThismetadatawillbeassociatedtoeachtableandwillfollowtheCERIFmetadatastandard.

Datasharing

Eachdatasetrecordbelongstotheuserresponsible forcreating it.Thesecontentsareopen foraccess to theaudiencewhich thecreatoruserhasgrantedaccess to,and the members of the consortium for moderation and research purposes. Thedatasetisanonymised.

ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetails in§6).UPC,CERTHandMDAsoftwarecomponentswillprocessthisdatasetanonymisedtooffertheplatformservices.



See§7and§8.

MedicalReportDataset

Table9MedicalReportDataset


C-MMD-MedicalReport


CAREGIVERSPRO-MMD


Datasetdescription

Thisdata set containsall the content createdby the system integratingdata fromthe PLWD/caregiver’s personal, screening and treatment datasets. These recordscontain aggregated data of the evolution of the user for health professionalevaluation. These contents created from different sources will be stored in adatabase/filesystem.



The data will be stored following the standard numeric scales defined by theaggregationofdatacoming fromthescreening toolsaswellas the treatment tooleachtimethatthesystemperiodicallygeneratesareportforaPLWD/caregiver.ThedatawillbestoredinaMySQLdatabase,usingnoSQLdatabaseforcomplementarypurposes. Recordswill also be related (and identified)with the user towhich therecordeddatabelongandthedatewhenthedatawasrecorded.

Metadata will include information about the scales aggregated, range of possiblevalues,graphicalrepresentations,etc.ThismetadatawillbeassociatedtoeachtableandwillfollowtheCERIFmetadatastandard.

Datasharing

General


Platform

Datawill be available to the user and people authorised by them through the C-MMDplatform.Authorisedpersonnel12ofthepilotpartnergeneratingthedatawillbeabletoaccessaggregateddatainperiodicreportsandwillbeabletoaccessrawdatadumped from thedatabase incsv filesor throughaweb service.Eachaccesswillbeidentifiableandtraceable.Theplatformsoftwarewillprocesstherawdatasettooffertheplannedservices(seeD3.1DetailedsystemArchitecture).

Consortium

DatasetrecordswillbesharedamongdefinedConsortiumpartnersanonymisedforresearchpurposesinordertobeusedforthetasksoftheproject.Anonymisationisthestandardprocedurefollowedtopreserveconfidentialityofparticipants.



CAREGIVERSPRO-MMD



ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetailsin§6). UPC, CERTH and MDA software components will process this datasetanonymisedinordertooffertheplatformservices.



See§7and§8.

UserGamificationModelDataset

Table10UserGamificationModelDataset


C-MMD-UserGamificationModel

Datasetdescription

Thisdatasetcontainsalltheinformationrelatedtothegamificationmodelofeachuser (gamification profile). This profile may contain data records like role in thegame, games enrolled, metrics, rules or earned rewards. An initial gamificationprofile should created -as an extension to the existing user profile- when a userentersinthesystemandevolveswiththeparticipationoftheuserintheplatform.There is an additional short gamification model to be used for limited but fastreferencestothegamificationstatusofaregistereduser.



Aninitialprofilewillbestoredeachtimeauser(beitPLWDoracaregiver)registersto the platformormodifies their profile settings. This process of user registrationand enrolment in one or more gamification proposals (‘games’) is madeprogrammatically from the social platform using the gamification API. From atechnicalpointofview,gamificationcanbeappliedonlytoregisteredusers.

DatawillbestoredinaMySQLdatabase.Recordswillalsoberelated(andidentified)withotherdatasetsandthedatewhenthedatawasrecorded.Theprofileanddatarecordedchangesastheuserparticipatesinthegamifiedplatform(e.g.gettingpoint


CAREGIVERSPRO-MMD


andbadgeswhenfollowingthewishedbehaviour,achievinggoals,etc.).

Metadatawillincludeinformationabouttheprofilecreationtime,thesetoggamesauserisenrolled,etc.Thismodelisinternaltothegamificationengine.

Datasharing

The user gamification model is defined by HCP and administrators and is not accessibleopenlyintheplatformtotheusers.Eachdatasetrecordbelongspartiallytotheuserandto the platform itself that auto-generates some recorded data. Only the user’s HCP,people authorised by him/her, administrators of the platform and authorisedpersonneloftheConsortiumpartnerresponsiblefortheusercanaccesstherecord.DatawillbeavailablethroughthegamificationcomponentoftheC-MMDplatform.

Dataset records will be shared among the Consortium partners anonymised forresearch purposes to be used in the tasks of the project. Anonymisation is thestandardprocedurefollowedtopreserveconfidentialityofparticipants.

Each participant will sign an informed consent at recruitment phase authorizingaccess to all his/her data (raw, aggregated, anonymised). Users will agree to theanonymisedandaggregateddatabeingused for researchandpossiblycommercialexploitation.

Thedata repositorywill be allocated in the gamificationhost in theUPCpremises(more details in section 6). CERTH and MDA software components will process thisdatasetanonymisedtooffertheplatformservices.


See§7and§8.

BackendGamificationModelDataset

Table11BackendGamificationModelDataset


C-MMD-BackendGamificationModel

Datasetdescription

Thisdatasetcontainsalltheinformationrelatedtothebackendgamificationmodelfor each ‘game’. This profile may contain data records like game rules, actionsrelatedtothesocialplatform,detailsoftheawardingsystem,etc.Aninitialprofileiscreatedwhenagame-master(game-creator)entersthegamificationfront-endandcreatesagameforagroupofCMMDplatformusers.



CAREGIVERSPRO-MMD



Aninitialprofilewillbestoredeachtimeagame-mastercreatesanewgame.DatawillbestoredinaMySQLdatabase.Thegameprofileanddatarecordedchangesasthe game-creators make changes in the core elements of the game (number ofpointsearnedforeachuseraction,detailsofquests,numberandtypeofrules,etc.).

Metadata will include information about the profile creation time, targeted usergroups,etc.Thismodelisinternaltothegamificationengine.

Datasharing

General

ThisdatasetwillnotbesharedoutsideoftheConsortiumboundariesforethicalandsecurityreasons.EachdatasetrecordbelongstotheuserandtotheConsortiumpartnerresponsiblefor the user. Only the user, people authorised by him/her (e.g. caregiver) and authorisedpersonneloftheConsortiumpartnerresponsiblefortheuser,canaccesstherecord.

Platform

Datawillbeavailabletothegame-masters(normallyonepersonperpilotsite)andpeopleauthorised by them through the C-MMD platform. Authorised personnel13 of the pilotpartnergenerating thedatawillbeable toaccessaggregateddata inperiodic reportsandwill be able to access raw data dumped from the database in csv files or through awebservice.Eachaccesswillbeidentifiableandtraceable.Theplatformsoftwarewillprocesstherawdatasettooffertheplannedservices(seeD3.1DetailedsystemArchitecture).

Consortium

DatasetrecordswillbesharedamongdefinedConsortiumpartnersanonymisedforresearchpurposestobeusedforthetasksoftheproject.Anonymisation isthestandardprocedurefollowedtopreserveconfidentialityofparticipants.

Each participant (e.g. PLWD, caregiver, healthcare professional) will sign an informedconsent at recruitment phase authorizing access to all his/her data (raw, aggregated,anonymised) in the conditions described hereby. Userswill agree to the anonymised andaggregateddatabeingusedforresearchandpossiblycommercialexploitation.

ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetailsin§6).CERTHandMDAsoftwarecomponentswillprocessthisdatasetanonymisedtooffertheplatformservices.

Specific data exchange agreements have been signed between the partners producingsoftwareandeachpilot.


See§7and§8.



CAREGIVERSPRO-MMD


UserInterfaceDataset

Table12UserInterfaceDataset


C-MMD-UserInterface

Datasetdescription

Thisdatasetcontainsalltheinformationrelatedtotheuserinterfaceconfigurationprofileofeachuser.Theseprofilesmaycontaindatarecordslikecomplexitydegree,coloursettings,brightnessandalphasettings,etc.Aninitialprofileiscreatedwhenauserentersinthesystemandcanbeeitherre-configuredorenrichedbytheuserorbyanadministrator.



An initial profilewill be storedeach timeauser (be it patient, caregiverorhealthprofessional)registerstotheplatformormodifieshis/herprofilesettings.Althoughat this moment the registering tool and profile management tool have not beendefinedyet,itisexpectedthatdatawillbestoredinaMySQLdatabase,usingnoSQLdatabaseforcomplementarypurposes.Theprofileanddatarecordedchangesastheuser re-configures it to fit their needs or preferences (e.g. changing theme,simplifyingtheUI,changingcolourpalette,etc).

Metadatawillincludeinformationabouttheprofilecreationtime,rangeofpossiblevalues,etc.ThismetadatawillbeassociatedtoeachtableandwillfollowtheCERIFmetadatastandard.

Datasharing

Thisdatasetisonlyavailabletotheuserownerofthedataandtheadministratorsoftheplatform(i.e.theyarerequestedtomodifysomeparametersoftheuserUI).NopartofthedatasetwillbesharedoutsideoftheConsortiumboundariesforethicalandsecurity reasons.Eachdataset recordbelongs to theuserand to theplatformitselfthatauto-generatessomerecordeddata.Onlytheuser,peopleauthorisedbyhim/her (i.e. caregiver), administrators of the platform and other authorisedpersonneloftheConsortiumpartnerresponsiblefortheusercanaccesstherecord.DatawillbeavailabletousersandpeopleauthorisedbythemthroughtheC-MMDplatform.


Each participant will sign an informed consent at recruitment phase authorizing


CAREGIVERSPRO-MMD


access to all his/her data (raw, aggregated, anonymised). Users will agree to theanonymisedandaggregateddatabeingused for researchandpossiblycommercialexploitation.

ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetailsin§6).CERTHandMDAsoftwarecomponentswillprocessthisdatasetanonymisedtooffertheplatformservices.

Specific data exchange agreements have been signed between the partners producingsoftwareandeachpilot.


See§7and§8.

RecommenderDataset

Table13RecommenderDataset


C-MMD-Recommender

Datasetdescription

This data set contains all the information related to the recommendation engineprofile of each user that provides tailored educational contents to them. Theseprofilesmaycontaindatarecordssuchaspreferences,past likedcontents,contentevaluations,visitedcontents,etc.An initialprofile iscreatedwhenauserenters inthesystemandevolveswiththeparticipationoftheuserintheplatform.



An initial profile will be stored each time a user (be it PLWD, caregiver or healthprofessional)registerstotheplatformormodifiestheirprofilesettings.Datawillbestored in aMySQL database, using noSQL database for complementary purposes.Recordswillalsoberelated(andidentified)withotherdatasetsandontologiesandthedatewhenthedatawasrecorded.Theprofileanddatarecordedchangesastheuserparticipatesintheplatform(e.g.readingarticles,commenting,likingproposed


CAREGIVERSPRO-MMD


contents,fillingscreeningtasksthatfirerecommendations,etc).

Metadatawillincludeinformationabouttheprofilecreationtime,rangeofpossiblevalues, etc. This metadata will beassociated to each table and will follow theCommonEuropeanResearchInformationFormat(CERIF)metadatastandard14.

Datasharing

Thisdatasetisinternaltotherecommendersystemandwillnotbesharedwiththeusersof theplatform.Someaggregated informationof thisdatasetmaybesharedfortechnicalevaluationwiththeadministratorsandsomewillbeintegratedwiththeperiodic report for the HCP. Thewhole dataset will not be shared outside of theConsortiumboundariesforethicalandsecurityreasons.Eachdatasetrecordbelongspartially to theuser and to theplatform itself that auto-generates some recordeddata.



ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetailsinsection6).UPCsoftwarecomponentswillprocessthisdatasetanonymisedtooffertheplatformservices.



See§7and§8.

PilotDataDataset

Table14PilotDataDataset


C-MMD-PilotData

Datasetdescription

14http://www.eurocris.org/cerif/main-features-cerif


CAREGIVERSPRO-MMD


Thisdatasetcontainsalltheclinicalandsocialdatacapturedthroughthepilottool(see3.1)thatcollectsthedatathatclinicalpractitionersintroduceafterascreeningsessionwiththePLWD/caregiver.Thescreeningdataintroducedcorrespondstotheevaluations specified in the study protocol (physical, psychosocial, neurological,functional,etc.).Therefore,thenatureofthedatacorrespondstothevaluesusedtoevaluatesuchscales.



The data will be stored following the standard numeric scales defined by eachscreeningtooleachtimethatanauthorisedpilot’spersonintroducesdataofauser(beitPLWDorcaregiver)capturedduringaface-to-facescreeningsession.ThedatawillbestoredinaMySQLdatabase.Recordswillalsoberelated(andidentified)withtheusertowhichtherecordeddatabelongandthedatewhenthedatawasrecorded.TheLimesurveydatabaseisnotconnectedinanywaywiththeC-MMDplatformdatabase.

Metadata will include information about the scales recorded, range of possiblevalues, identity of the person introducing the data, etc. This metadata willbeassociated to each table and will follow the Common European ResearchInformationFormat(CERIF)metadatastandard15.

Datasharing

ThisdatasetwillnotbesharedoutsideoftheConsortiumboundariesforethicalandsecurity reasons. Each dataset record belongs to the user and to the Consortiumpartnerresponsiblefortheuser.OnlyauthorisedpersonneloftheConsortiumpilotpartnerresponsiblefortheusercanaccesstherecord.Authorisedpersonnelofthepilotpartnergenerating thedatawillbeable toaccessaggregateddata in reportsandwillbeabletoaccessrawdatadumpedfromthedatabaseincsvfilesorthroughawebservice.Eachaccesswillbeidentifiableandtraceable.



ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetailsinsection6).TheLimesurveyinstanceismanagedbyFUB,theclinicalleaderoftheproject.

15http://www.eurocris.org/cerif/main-features-cerif


CAREGIVERSPRO-MMD



See§7and§8.

InterventionFeedbackDataset

Table15InterventionFeedbackDataset


C-MMD-InterventionFeedback

Datasetdescription

Thisdatasetcontainsalltheinformationrelatedtothefeedbackprovidedbyausertoaninterventionthathasbeenproposedtohim.Thesefeedbackreferencesiftheinterventionhasbeenshared,ifhasbeenviewed,timespentconsumingit,etc.



Aninitialfeedbackdatasetwillbecreatedeachtimeaninterventionisprovidedtoauser (be it PLWD, caregiver or health professional) and it will update as the userinteracts with the intervention through time. The data will be stored in aMySQLdatabase. Records will also be related (and identified) with other datasets andontologiesandthedatewhenthedatawasrecorded.

Metadata will include information about the feedback creation time, range ofpossible values, etc. Thismetadatawill beassociated toeach tableandwill followtheCommonEuropeanResearchInformationFormat(CERIF)metadatastandard16.

Datasharing

Thisdatasetisinternaltotheplatformandtherecommendersystemandwillnotbesharedwiththeusersoftheplatform.Someaggregatedinformationofthisdatasetmay be shared for technical evaluation with the administrators and somewill beintegratedwiththeperiodicreportfortheHCP.ThewholedatasetwillnotbesharedoutsideoftheConsortiumboundariesforethicalandsecurityreasons.Eachdatasetrecord belongs partially to the user and to the platform itself that auto-generatessomerecordeddata.


Each participant will sign an informed consent at recruitment phase authorizing16http://www.eurocris.org/cerif/main-features-cerif


CAREGIVERSPRO-MMD


access to all his/her data (raw, aggregated, anonymised). Users will agree to theanonymisedandaggregateddatabeingused for researchandpossiblycommercialexploitation.

ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetails in section6).UPC ,CERTHandMDAsoftwarecomponentswillprocess thisdatasetanonymisedtooffertheplatformservices.



See§7and§8.

UserGamificationInteractionHistoryDataset

Table16UserGamificationInteractionHistoryDataset


C-MMD-UserGamificationInteractionHistory

Datasetdescription

ThisdatasetcontainsalltheinteractionsmadebyauserinthegamificationcontextwhileinteractingwiththeC-MMDplatformduringthelifetimeoftheproject.Theseusergeneratedcontentsincludepiecesofinformationrelatedtowishedbehaviourslike typeofactionsperformed,pointsawardedby theseactions,enter/drop/winagame,etc.




Metadatawillincludeinformationaboutthedatetimeanactiontookplace,thedatacomingwiththisactionandtheresultsgeneratedbythisaction(asoutput).This isaninternaltothegamificationenginedatamodel.

Datasharing

Eachdatasetrecordbelongstotheuserresponsible forcreating it.Thesecontents


CAREGIVERSPRO-MMD


areopen foraccess to theaudiencewhich thecreatoruserhasgrantedaccess to,and the members of the consortium for moderation and research purposes. Thedatasetisanonymised.

ThedatarepositorywillbeallocatedintheC-MMDhostintheUPCpremises(moredetails in§6).UPC,CERTHandMDAsoftwarecomponentswillprocessthisdatasetanonymisedinordertooffertheplatformservices.



See§7and§8.

GameHistoryDataset

Table17GameHistoryDataset


C-MMD-GameHistory

Datasetdescription

Thisdatasetcontainsalltheactionsperformedinagamificationproposal(‘game’)during the lifetimeof theproject.Thecontentsof thisdataset include informationrelatedtothechangesperformedintherulesofagame,theseasons(timeperiodsthe game was active), the time it was created and was set enabled/disabled,datetimesof‘reset’actions,etc.





Datasharing



CAREGIVERSPRO-MMD






See§7and§8.

NotificationsDataset

Table18NotificationsDataset


C-MMD-GamificationNotification

Datasetdescription

This data set contains all the information regarding the gamification notificationsystemandwill store in thedatabaseall thenotifications automatically generatedduring the lifetimeof theproject.Thecontentsof thisdataset include informationrelatedtothetitleandtextofthenotification,theduration(timeperiodtobeinthe‘hottopics’list,etc.).DetailsonthisdatasetcanbefoundinAnnex2.




Datasharing



CAREGIVERSPRO-MMD






See§7and§8.

DatasetSummary

Table19DatasetSummary

Dataset Who Ownership Access17

PersonalDataset

User Yes Yes,full

Partner(recruiting)

Yes Yes,fulltoauthorisedpersonnel

Others in theplatform

No Onlyauthorisedbytheuser

RestofConsortium

No Yes,onlyanonymisedandaggregateddata

World No No

ScreeningDataset

User Yes Yes,full

Partner(recruiting)


Othersintheplatform


17UserscangrantAccesstosomeoralloftheirprofileinformationtotheplatformuserstheyliketoundertheirownresponsibility.Thisaccesscanonlybegrantedinsidetheplatform.


CAREGIVERSPRO-MMD


RestofConsortium


World No No

AdverseEventsDataset

User Yes Yes,full

Partner(recruiting)


Othersintheplatform


RestofConsortium


World No No

TreatmentDataset

User Yes Yes,full

Partner(recruiting)


Othersintheplatform


RestofConsortium


World No No

InterventionDataset

User No Yes,dependingontheirneeds

Partner(authoring)


RestofConsortium

No Yes,fulltoauthorisedpersonnel

World No Limitedanddependingonprojectneedsandexploitationpolicies

UserInteraction

User Yes Yes,full

Partner Yes Yes,fulltoauthorised


CAREGIVERSPRO-MMD


dataset (recruiting) personnel

Othersintheplatform


RestofConsortium


World No No

DisseminationDataset

User No Yes

Partner(authoring)

Yes Yes

RestofConsortium

No Yes

World No Yes

MedicalReportDataset

User Yes Yes

Partner(dyadmanager)


Othersintheplatform


RestofConsortium


World No No

UserGamificationModelDataset

User Yes No

Partner(admin) Yes Yes,fulltoauthorisedpersonnel

Othersintheplatform

No No

RestofConsortium


World No No

Backend User Yes Yes


CAREGIVERSPRO-MMD


GamificationModelDataset


RestofConsortium


World No No

Othersintheplatform


UserInterfaceDataset

User Yes Yes

Partner(admin) No Yes,fulltoauthorisedpersonnel

Othersintheplatform


RestofConsortium


World No No

RecommenderDataset

User Yes No

Partner(admin) No Yes,fulltoauthorisedpersonnel

Othersintheplatform

No No

RestofConsortium


World No No

PilotDataDataset

User Yes No

Partner(authoring)


RestofConsortium


World No No


CAREGIVERSPRO-MMD


InterventionFeedbackDataset

User Yes No

Partner(authoring)


RestofConsortium


World No No

UserGamificationInteractionHistoryDataset

User Yes No

Partner(authoring)


RestofConsortium


World No No

GameHistoryDataset

Gamecreator Yes Yes

Partner(authoring)


RestofConsortium

No No

World No No

NotificationsDataset

Users Yes Yes


RestofConsortium

No No

World No No


CAREGIVERSPRO-MMD


3.2 QualityAssuranceProcess

Data collection process is susceptible to contamination in the absence of adequatepreventive measures. Data contamination results from a process or phenomenon, otherthantheoneofinterest,whichcanaffectthevariablevalues.Datacontaminationresultsinerroneousvaluesinthedataset.Ingeneral,therearetwotypesoferrorsthatcanoccurinadata set. Firstly,errorsof commission are the resultof incorrector inaccuratedatabeingincluded in the data set. This may happen because of a malfunctioning instrument thatproducesfaultyresults,datathataremistypedduringentry,orotherproblems.

Errorsofomissionarethesecondtypeoferrors.Theseresultfromdataormetadatabeingomitted. Situations that result in omission errors occur when data are inadequatelydocumented,whentherearehumanerrorsduringdatacollectionorentry,orwhenthereareanomaliesinthefieldthataffectthedata.

Quality assurance/quality control (QA/QC) activities should be an integral part of anyinventorydevelopmentprocessesastheyimprovetransparency,consistency,comparability,completenessandaccuracy.

Qualitycontrol(QC) isdefinedasasystemofcheckstoassessandmaintainthequalityofthe data inventory being compiled. Quality control procedures are designed to provideroutinetechnicalcheckstomeasureandcontrolthedataconsistency,integrity,correctnessandcompleteness;andtoidentifyandaddresserrorsandomissions.Qualitycontrolchecksshould cover everything from data acquisition and handling, application of approvedprocedures andmethods, and documentation. Examples of general quality control checksinclude:

• checkingfortranscriptionerrorsindatainput,introducingtwiceeachvariable;• checkingthatscalemeasuresarewithintherangeofacceptablevalues;• checkingthatproperconversionfactorsareused;• revisitingintroduceddata

In future versions of this document we will provide more details on the QC protocolsadoptedduringtheprojectlifetime.

Quality assurance (QA) is a planned system of review procedures conducted outside theactual inventory compilation by personnel not directly involved in the inventorydevelopment process. It is a non-biased, independent review of methods and/or datasummariesthatensuresthatthe inventorycontinuesto incorporatecorrectlythescientificknowledge and data generated. Quality assurance procedures may include expert peerreviewsofdatasummariesandauditstoassessthequalityoftheinventoryandtoidentifywhere improvements could be made. If deemed necessary, selected members of theAdvisoryBoard(AB)mayperformthistaskinthecourseoftheprojectlifecycle.


CAREGIVERSPRO-MMD


4 PrivacyandSecurityofthedata4.1 Infrastructure

The purpose of this subsection if to provide an overview of the resources and securitymechanisms involved in the hosting of the IT system for the CAREGIVERSPRO-MMD EUfundedprojectthatperformsprocessingofsensitivepersonalinformationinthepremisesofUniversitatPolitècnicadeCatalunya–BarcelonaTech(UPC).

ThisITsystemishostedinadedicatedhardwarepurchasedspecificallyfortheproject:

1xDellNetworkingN4032 (networkconnectivity)

2xPowerEdgeR320 (hardwareredundancy)

TheserverislocatedintheUPCcampusDataCenter(CPD).Thisdatacenterisadedicated250m2 facility with controlled access, personal ID cards for authorized staff and videosurveillance 24x7. The server has dedicated bandwidth and backup power system toguarantee availability. Our Data Center has two different sensor systems to detect andrespond electrical or fire problems. The first monitor system is an optical-heat detectionschemeandthesecondoneislaserbasedtoextinguishfireusingHFC227gas.

This hardware hosts different software modules developed by three partners of theCAREGIVERSPRO-MMDproject,amongthemUPC.

The company MobilesDynamics develops the core software module that gathers,processes and stores highly sensitive information fromusers of different EU countries(UnitedKingdom,Spain,Italy,France).Thedataincludes:

● personaldata(e.g.name,age,postalcode,etc.)● medicaldata(e.g.diseases,comorbities,allergies,etc.)● treatmentdata(e.g.medications,schedules,etc.)● Othernon-sensibledata

TheUPCdevelopsasoftwaremodulethatprocessesanonymiseddatathatcomesfromtheaforementionedsoftwaredevelopedbyMobilesDynamics.


CAREGIVERSPRO-MMD


The Centre for Research and TechnologyHellas (CERTH), develops a softwaremodulethat processes anonymised data that comes from the aforementioned softwaredevelopedbyMobilesDynamics.

4.2 AdoptedSecurityMeasures

Securityruleshadbeenadoptedatdifferentsystemlevelstoprovidesafeguardstotheoperatingsystem,webapplications,databasesanduserdata.

• OperatingSystem(OS)level:OurLinuxsystemshaveanIPfirewallconfiguredinordertomonitorandgrantaccessonlytoauthorisedprotocolsandverifiedIPaddresses.WeprovideonlySecureShell(SSH18)protocoltomakecyphercommunicationsmandatoryend-to-end.DenyHostsservicehasbeenconfiguredtodetect“bruteforce”passwordattacks.Whenawronguserlog-inpasswordisusedthreetimes,thesystemwillblockanyconnectionfromthesourceIPaddressandlogstheaction.

• Webserverapplicationlevel:WeuseonlytheHyperTextTransferProtocolSecure(HTTPS)foruserconnectionstoencryptdatainterchangebetweentheusersandthewebapplication.

• Databaselevel:ThedatabaseserverisisolatedfromtheInternetandisconnectedonlytotheapplicationserver.Furthermore,theserverhasitsownIPfirewallservicetoallowonlyconnectionsfromthededicatednetworkbetweenthewebserverandthedatabaseserver.

• Physicalaccesslevel:OurserversareplacedinacontrolledenvironmentatUPCDataCenter.AnauthorisedpersonalcardisrequiredtoaccesstothefacilitiesandaCCTVsystemprovidesvideosurveillance.

We use a Linux based system (Ubuntu 16.04 LTS x64) as an operating system for theapplications and database servers. This Unix-like system ensures password encryption19services forevery systemuser.Moreover,a strict fileanddirectorypermissionsystem20 isimplemented as a system default behaviour to ensure data protection between differentsystemusers.18https://en.wikipedia.org/wiki/Secure_Shell

19http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html

20https://wiki.archlinux.org/index.php/File_permissions_and_attributes


CAREGIVERSPRO-MMD


Legal regulationsaboutdataprivacy (LORTAD) require to identifyandkeepavailable foratwo year period of time the accounting files of the server’s access services. We haveidentifiedthisrequiredinformationinthefollowinglogfiles:

/var/log/syslog

/var/log/authlog

/var/log/denyhosts

/var/log/nginx/error.mmd.log

TheSecurityChief(see4.3:OverviewOfroles)willbenotifiedmonthlyabouttheselectedlogfilesandthebackupprocedures.

The system administrator (root) canmanage thewhole system and change/revoke user’saccessrightsifrequested.Italsocreatesanddeletesystemusers.Ayearlypasswordchangepolicyisadoptedforsecurityregulations.

Thedifferentservicesaremonitoredthoughaplethoraofcomplementarysystemsprovidingalarmsandreactivesolutions(e.g.):

• Cloudservices(virtualization):OpenNebula

• Servers:PandoraFMS

• Datanetwork:Cacti/RRDtool

4.3 OverviewofRoles

The machines where software is hosted and data is stored can be accessed by the nextstakeholders:

○ Systemadministrators:theyhavefullaccesstothesystemandtheirroleisto keep the system running, update the operative system and othersoftwarestackpiecesas required,performbackups,ensure thesecurityofthesystem.

○ Security Chief: audit at least monthly the access control logs, the backupproceduresandothersecuritymeasuresandelaborateareportfortheDataOfficeratUPCMr.VictorHuerta.

○ Programmers: they have partial access to the machines, in repositorieswheretheycanupload/downloadcode.


CAREGIVERSPRO-MMD


○ System owner: This role is filled by the staff member or managementmemberwhohasresponsibilityforthebusinessfunctionperformedbythesystem. In this case the system owner of the software that processessensibledataisMobilesDynamics.

○ Dataowner:Thisroleisfilledbythestaffmemberormanagementmemberwhohasresponsibilityforthedatastoredinthesystem.Inthiscase,itcanbeoneresponsiblefromeachCAREGIVERSPRO-MMDpilotsite.

○ Endusers:OnlythesoftwaredevelopedbyMobilesDynamicshasendusers.They access to this website through a specific static URL, introduce theirdataandreceiveservices.

Thesestakeholderswillbenotifiedwitha formabout their (different) responsibilitieswithregardssystemsecurityaswellastheconsequencesofnotbeingcompliantwiththem.

UPC

The management of the CPD (refrigeration, access control, electrical maintenance andwiring,etc.) isperformedbypersonnel from theUPCnetS.L. companycreatedbyUPC fortheICTservicesmanagement.TheCPDismonitored24/7byUPCnetpersonnel.

Theserverandservicesmanagement isperformedbyRDLabpersonnel,belongingtoUPC.OnlyauthorizedRDLabSystemadministratorsandSecurityChiefwillhavephysicalaccesstothehardwarestoredinthedatacenter.RDLabpersonnelprovidesservicesonworkdays(9-14h and 15-17hMonday to Thursday and Friday from 9-14h) and intensive timetable onmorningsofsummerseason.

Servicerequestscanbeperformed24/7throughtherdlab.cs.upc.eduwebsiteortheemailaddressrdlab@cs.upc.edu.

4.4 InformationSystemArchitectureandData

Theplatformserver isexecuted inavirtualmachine(VM1)thathasaccesstothe Internetand where end users will connect to the static platform URL through encrypted httpsconnections. The databases are stored in a different virtual machine (VM2) that has noaccess to the Internet, is allocated in a private network which only accessible by VM1.Consequently,dataisisolatedfromtheInternetandonlytheC-MMDplatformhassecuredaccesstoit.


CAREGIVERSPRO-MMD


As we can see in blue in Figure 1, only the Personal Dataset (PD) dataset/table containspersonaldataand isnotanonymisedbecause theC-MMDplatformneeds toaccess thesedata.Ontheotherhand,therestofdatasets(ingreen)relatedwithC-MMDapplicationwillbe pseudo-anonymised just in case of intrusion into these particular datasets. Keys to re-identificationarekeptinPD.

VirtualMachines

Recommendersystem

The recommending system developed by UPC that processes C-MMD data, receivesanonymiseddatafromtheplatformfrompersonaldatasets,screeningdatasets,interventiondatasetsandstoresprocessedprofiles intherecommenderdataset.MoredetailsonthesedatasetscanbefoundintheannexeddocumentD7.3DataManagementPlan.Thesoftwareis hosted in a virtual server running a linux setup as described in section 2. The personresponsiblefortheseservicesisLuisOliva([email protected]).

GamificationandUIpersonalizationsystem

Thegamificationserver ishostedbyUPCandmanagedbyCERTH. It is installedinavirtualmachinewithWindows10(x64)Professionalwithfirewallinstalled,automaticupdatesandwindowsdefenderactive. Ithasdisabledall thewindows shared servicesandcanonlybeaccessed remotely via VNC with a specific IP range belonging to CERTH machines.Thissystem provides different services to the c-mmd platform processing anonymous datagathered via API.More details on these datasets can be found in the annexed documentD7.3 DataManagement Plan. The person responsible formanaging this service is IoannisPaliokas([email protected]).

ThePilotTool

Asinthepreviouscase,thePilotToolwillruninadedicatedvirtualserverVM3withaccessto the internet and data will be stored in a different virtual machine VM4 in a privatesubnetworkwithnointernetaccesswhereonlyVM3canaccess.Inthiscase,alldatasetsinPDD(inblue)willbepseudo-anonymised(i.e.usingkeyed-hashfunctionswithstoredsecretkey)withnopersonalidentificationsstored.Thekeysforre-identificationwillbekeptbytheCROofeachpilotsitefollowingthesecurityprotocolsstablishedbythem.


CAREGIVERSPRO-MMD


Figure1Anonymisation&SecuritySchema

4.5 PrivacyImpactAssessment

The Privacy Impact Assessment is a tool used by organizations aiming to identify possiblerisks during the processing of personal data and tominimize its impact. According to theArticle35of the2016/679Regulation,"whereatypeofprocessing inparticularusingnewtechnologies, and taking into account the nature, scope, context and purposes of theprocessing,islikelytoresultinahighrisktotherightsandfreedomsofnaturalpersons,thecontroller shall, prior to the processing, carry out an assessment of the impact of theenvisaged processing operations on the protection of personal data. A single assessmentmayaddressa setof similarprocessingoperations thatpresent similarhigh risks." Privacy


CAREGIVERSPRO-MMD


impactassessmentwillhelptheC-MMDConsortiumtoidentifyandreducetheprivacyrisksoftheprojectwhileallowingthegoalsoftheprojecttobeachieved21.ThisPIAwillbeusedduring the development and implementation of the project through its managementprocesses.

PIAs are an integral part of the privacy by design approach, which is also one of theprinciplesof theDataPrivacyDirective22 and it is recommended to implement them fromthe early phase of a project. PIAs aim to promote good practices for personal dataprocessing, improveorganizations'transparencyandincreasethepublic'sunderstandingofhowtheirinformationisused.

AccordingtotheICOPIAscodeofpractice21,aPIAshouldincorporatethefollowingsteps:

• IdentifytheneedforaPIA• Describetheinformationflow• Identifytheprivacyandrelatedrisks• Identifyandevaluatetheprivacysolutions• SignoffandrecordthePIAoutcomes• Integratetheoutcomesintotheprojectplan• Consultwithinternalandexternalstakeholdersasneededthroughouttheprocess

Oneof themost critical points is the identificationof privacy risks. The ICOhas identifiedthreemain categories of possible risks: (i) risks to individuals; (2) corporate risks; and (3)compliancerisks.

TheCNIL23providesamethodforestimatingtherisklevelintermsofseverity(ormagnitudeoftherisk)and likelihood (orthepossibilityforarisktooccur).Moreover,theyproposeacyclicapproach,wherethePIAisevaluatedaftera4-stepprocessuntilthePIAisaccepted.Theapproachisstructuredasfollows:

1. Context:presentationof theprojectand itsobjectives,stakeholders,processingofpersonaldata

2. Controls:descriptionofthelegalcontrolfollowingtheDataPrivacyDirectiveandtheriskmanagementplandefinedbytheorganizationsinvolvedintheproject

3. Risks:detaileddescriptionof thepotential risksandthreats thatmayoccurduringtheprojectanddeterminetherisklevel.

4. Decision: to validate the PIA according to the preceding steps and, if accepted,prepareandactionplanforalltheplannedcontrols.

TheC-MMDPIAisfullydescribedinAnnex1.

21Conductingprivacyimpactassessmentscodeofpractice20140225(InformationCommissioners’Office)https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf22Directive95/46/ECandRegulation2016/67923ComissionNationaldel'Informatiqueetdeslibertés:https://www.cnil.fr/fr/node/15798


CAREGIVERSPRO-MMD


4.6 Security/DataBreachManagement

Organisations which process personal data must take appropriate measures againstunauthorisedorunlawfulprocessingandagainstaccidentalloss,destructionofordamagetopersonaldata24.Oneofthosemeasurescanbethedesignandadoptionofaprotocoltodealwithadatasecuritybreach.

Adatasecuritybreachcanhappenforseveralreasons,e.g.:

• Lossortheftofdataorequipmentonwhichdataisstored

• Inappropriateaccesscontrolsallowingunauthoriseduse

• Equipmentfailure

• Humanerror

• Unforeseencircumstancessuchasafireorflood

• Hackingattack

• Socialengineeringwhereinformationisobtainedbydeceivingtheorganisationwhoholdsit.

The C-MMD consortium will follow the data breach management protocol described inAnnex3.

4.7 Anonymisation

Directive95/46/EContheprotectionofindividualswithregardtotheprocessingofpersonaldata and on the free movement of such data defines "a personal data shall mean anyinformation relating to an identified or identifiable natural person ("data subject"); anidentifiable person is one who can be identified, directly or indirectly, in particular byreference to an identification number or to one or more factors specific to his physical,physiological,mental,economic,culturalorsocialidentity;"

Anonymisationandpseudonymizationconceptsrisefromtheneedtoprotecttheprivacyofthedatasubjectswhile theirdata isbeingprocessedor transferredby telecommunicationnetworks.Anonymisation is theprocessof turningdata intoa form thatdoesnot identifyindividualsandwhereidentificationisnotlikelytotakeplace.Thisallowsforamuchwideruseof the information25. For instance, in theC-MMDcontextwheredifferent researchersmustprocesspilotparticipant'sdatainordertoextractscientificconclusions,anonymisationisrequiredinordertoensuredataprivacyofthepilotusers.Amongthepersonaldata,wedistinguishPersonallyIdentifiableInformation(PII), informationthatcanbeusedonitsownorwith other information to identify, contact, or locate a single person, or to identify anindividualincontext26.

24https://ico.org.uk/media/for-organisations/documents/1562/guidance_on_data_security_breach_management.pdf25https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/26https://en.wikipedia.org/wiki/Personally_identifiable_information


CAREGIVERSPRO-MMD


Inordertobeabletoprocessandresearchwithcollectedpersonaldata,theso-calledPIIiseitherbeingdeleted(anonymisation)orreplacedbyneutralidentifiers(pseudonymization).

According to ICO’s ‘Anonymisation: managing data protection risk’27, there are manyadvantagesofusinganonymisation:

• itprotectsagainstinappropriatedisclosureofpersonaldata;fewerlegalrestrictionsapply.

• itcanbeeasiertouseanonymiseddatainnewanddifferentwaysbecausethepurposelimitationrulesdonotapply;

• itallowsorganisationstomakeinformationpublicwhilestillcomplyingwiththeirdataprotectionobligations;and

• thedisclosureofanonymiseddataisnotadisclosureofpersonaldata–evenwherethedatacontrollerholdsthekeytoallowre-identificationtotakeplace.

Itmustbekeptinmindthatinthelastyears,technologyhasmadeitpossibletore-identifyanonymiseddata,matchinganonymiseddatabackwithindividualpersonswhosedatawasextractedfromorevenwhentheoriginaldatadidnotbelongtothedatasetassuch:

• Sweeney28 demonstrated that 87% of all Americans could be uniquely identifiedusingthreepiecesofdata:birthdate,sexandZIPcode.

• Horvát et al29 published a study on social networks proving that "using machinelearningonecanreacha85%predictionratewhethertwonon-membersknownbythe samememberof the social network are connectedor not. Thus showing thattheseeminglyinnocuouscombinationofknowledgeofconfirmedcontactsbetweenmemberson theonehandandtheiremail contacts tonon-memberson theotherhand provides enough information to deduce a substantial proportion ofrelationshipsbetweennon-members."

Consequently,theprojectconsortiumwillcarefullyconsiderre-identificationrisksinthePIAand implement the anonymisation procedures accordingly, performing re-identificationtests.

AnonymisationImplementationinC-MMD

InC-MMDcase,wearehandlinganopensocialnetworkthatmanagesseveraldatasetswithdifferentaccesslevels.Fromtheapplicationpointofview,datawillnotbeanonymisedasitwould oppose the social network philosophy andwhere access control ismanaged by itsownusers.Thus,C-MMDwillprovideallendusersthepossibilitytomanagetheaccesslevelof all the generated data related to them, be it personal data, questionnaires completed,informationabouttreatment,etc.MoredetailsondefaultsettingscanbefoundinAnnex1,wheredataflowisdescribed.

27https://ico.org.uk/media/for-organisations/documents/1042731/anonymisation_code_summary.pdf28NateAnderson.Anonymiseddatareallyisn’t—andhere’swhynot.September2009.Availableathttp://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/29Emöke-ÁgnesHorvát,MichaelHanselmann,FredA.Hamprecht,KatharinaA.Zweig.OnePlusOneMakesThree(forSocialNetworks).April2012.Availableathttp://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0034740#pone.0034740-Jernigan1


CAREGIVERSPRO-MMD


Whenweleavebehindtheapplicationlevelandweconcentrateinthelowlevel(database,table,server,etc.),theproposedconfigurationcanbeseeninFigure1,wherewecanseeaclear separationbetweenC-MMDplatformand thePilot Tool30 in termsof execution anddatastorage.

DataDissemination

DatathathastobesharedoutsideoftheConsortiumboundariesforscientificdissemination(e.g. aggregated data in a scientific paper) will require stronger anonymisationmeasuresthanpseudo-anonymisation,as itcouldbethecasethatC-MMDdisseminateddatacanbecrossedwith other existing records anduser identity could bededuced. In order to avoidthis,wewillfollowanonymisationrecommendationsofArticle29DataProtectionWorkingParty31,combiningseveralstrategiesinordertoavoidtheweaknessesofeachapproach(i.e.randomizationandgeneralizationtechniques).Datadisseminationwillnothappenuntiltheend of the pilot experimentation, so the Consortium has time to prepare detailed andtailored anonymisation strategies to ensure that re-identification is not possible. Specifictechnicaldetailsofthesemeasureswillbedetailedinfutureversionsofthisdocument.Theobjectivesofanonymisingdatatobeopenlydisseminatedwillbetoavoid:

• Singlingout,thepossibilitytoisolatesomeorallrecordswhichidentifyanindividualdataset

• Linkability, the possibility to link, at least, two records concerning the same datasubjectoragroupofdatasubjects

Inference,thepossibilitytodeducewithsignificantprobabilitythevalueofanattributefromthevaluesofasetofotherattributes

5 Ethics,IntellectualProperty,Citation5.1 Ethics

The lack of ethical principles standardization at international levelmaypotentially lead tothe abuse of data collection, use and storage by exploiting differences between societieswith regard to established ethical standards. Ethics of data collection, and data use andstorage inmedicalapplications, isofgrowing importancesince thequalityandquantityofmedical data usage is growing quickly both in Europe andworldwide. Great concerns areraised about data protection and privacy issues in the area of biometric and healthapplications with growing markets that might be affected by insufficiently protectedsensitiveinformation.

The success of the C-MMD project depends greatly on having all project partners beingaware of the ethical challenges involved in the inception and implementation of the

30see3.131Opinion05/2014onanonymisationTechniques.http://ec.europa.eu/justice/data-protection/index_en.htm


CAREGIVERSPRO-MMD


proposedplatformandservices.TheC-MMDConsortiumwillrespecttheethicalguidelinesdescribedin:

• CharterofFundamentalRightsoftheEuropeanUnion(2012/C326/02);• ConventionfortheProtectionofHumanRightsandFundamentalFreedoms;• WorldMedicalAssociationDeclarationofHelsinki.EthicalPrinciplesforMedical

ResearchInvolvingHumanSubjects;• Directive2001/20/ECoftheEuropeanParliamentandoftheCouncilonthe

approximationofthelaws,regulationsandadministrativeprovisionsoftheMemberStatesrelatingtotheimplementationofgoodclinicalpracticeintheconductofclinicaltrialsonmedicinalproductsforhumanuse;

• ConventionfortheProtectionofHumanRightsandDignityoftheHumanBeingwithregardtotheApplicationofBiologyandMedicine:ConventiononHumanRightsandBiomedicine.

HerebywedescribeasummaryofthefundamentalconceptsrelevantforC-MMD:

Ondataprivacy

• Clinical trials with human subjects must ensure methods of protecting theindividual'sdignityandidentity.

• The protocol presented to the Ethic Committee shall include the process ofanonymisationofpersonaldataforlateranalysis.

Ontherightofbeinginformed

• The persons undergoing research have been informed of their rights and thesafeguardsprescribedbythelawfortheirprotection

• Human subjects have the right to be informed about the outcomes of the clinicaltrial.

Oninformedconsents

• People participating in clinical trials have the right to be informed about the risksandbenefitsofthestudy

• Peopleshallnotparticipateinaclinicalstudywithoutsigningaformalconsent• Peoplehavetherighttowithdrawtheclinicaltrialonceithascommenced.• Incaseofincapacitatedadultsorpeoplewithdementia,alegalrepresentativemust

consenttoparticipate.

Ontheaccesstohealthcare

• The main priority for clinicians shall be to guarantee their clients wellbeing andinterveneincaseofriskofadverseeffects.

• An individual has the right to continuewith its regularmedical treatment even iftheyhavewithdrawnconsenttoparticipateinthestudy.


CAREGIVERSPRO-MMD


A full review on the above-mentioned list is provided in D8.3 Report on Legal andRegulatoryFramework.

5.2 IntellectualProperty

Regardingpropertyandownershipofmedicaldataandrecords,therearetwodistinctviews.From the standpointofpractitioners (i.e.,healthcareproviders,hospitals),patientmedicalrecordsare thepractitioner'spropertybecause theyare theoneswhowrite, compileandproduce the records (data producers). At the same time, patients tend to believe thatmedicalrecordsbelongtothemastheyprovidetherelevantinformation.

Nevertheless, the project will produce data assets that do not correspond to medicalrecords.Forinstance:

• Interventioncontentsandguidelines;• Gamificationreports;• Treatmentadherencereports;• Aggregatedmedicaldatareports;and• Reportsandstatisticsofplatformusage.

The resulting ownership agreementswill be compliantwith corresponding legislation (i.e.DataProtectionAct,Copyright,FreedomofInformationAct,etc.).

5.3 Citation

Anarticle,paperorpresentationthatrefersto,ordraws,informationfromadatasetshouldcite thedata set, just as itwould citeother sources suchasbooks andarticles.A citationgivesappropriatecredittothedatasetcreator(s),andallowsinterestedreaderstofindthedataset so theycanconfirmthedata isbeingcorrectly represented,orcanuse it in theirownwork.Thereisnouniversalstandardforformattingadatasetcitation.

Therearemanydifferentstylesforformattingcitations,suchasAPAandChicagoManualofStyle. In addition, most scientific publications have their own style, either unique tothemselves or based on an existing style. A few of these styles, such as APA 6th edition,specifyhowtocitedatasets.However,mostcitationstylemanualsdonotcurrentlycovercitingdatasets.Consequently,adaptationofthestyles’generalformatcanbeappliedtotheneedsofdatasets.

Atthisearlystage,theinformationusedtociteC-MMDdatasetscouldbe:

• Author(s)(theprincipalinvestigatorcanbeusedasthe“author”ofadataset)• Title• YearofPublication• Publisher(partnerproducingthedataset)


CAREGIVERSPRO-MMD


• Version• Accessinformation(doiorurl)

6 AccessandUseofInformation

OneoftheobjectivesoftheCAREGIVERSPRO-MMDprojectistodevelopthesolutionintoacommercialproduct.ThisisthemainreasonwhytheConsortiumhasdecidedthatselected,potentiallypublishablesummarydatawillnotbeavailableforopenaccessuntiltheendoftheproject,oncetheexploitationpathshavebeendefined.

However, results of the pilot execution and platform evaluation will be made publiclyavailablethroughthedeliverablesD6.1–Mid-Pilotpreliminaryanalysisreport,D6.2–FinalPilotanalysisreportandD6.3–Userfeedbackandusabilityreport.

Moredetailsonspecificdatasetaccessregimesaredefinedin§3.1.

7 Storage,BackupsandDataRecoveryInordertosafeguardtheappropriatepreservationofthedata,aportionofthebudgethasbeenallocatedtodatastorageandbackupsduringthelifespanoftheprojectandatleastforthetwoyears32followingthegrantduration.

The data will be stored in databases installed on the same server that holds theCAREGIVERSPRO-MMD platform. These Databases are only accessible locally (i.e. onlyavailabletotheserveritself)topreventanyconnectionfromoutside.Thesystemandserverconfigurationhavebeenarrangedtosupportlocaldataencryptiontoavoidphysicalaccesstotheharddiskdrive.Thismeasurewouldpreventaccesstothedataifthephysicalstoragewasstolenoraccesseddirectly.

TheserverhasalocalfirewallthatonlyallowssecurewebconnectionstotheInternetandverified IP addresses fordevelopment/updatesof theC-MMDapplication. Every access totheserverisrecordedatalocallogfile.

A daily backup procedure has been designed to ensure data integrity and recovery. Thisbackuphastwomainsubsystems:

1. File system backup: A daily copy of every file in the file system is stored incompressedformat.

2. Databasebackup:Adailydumpofeverydatabase/tableisstoredinasinglefileinthesameserver.

32InthecasethatanyoftheConsortiumpilotmembersrequiretokeepthedatastoredforalongerperiod,UPCwilltransfersecurelythecorrespondingdatatothepartnersoitcancontinuethecuration.


CAREGIVERSPRO-MMD


The backup system that stores and holds a daily copy of file system and databases is anautonomous system to ensure security integrity of data. On one hand provides anindependent servicewith disk redundancy (RAID33), thus is not affected for any failure ormalfunctionofthemainstoragesystem.Ontheotherhand,itcontrolsandrestrictaccesstoproperITstaffbecauseithasaspecificrightsmanagement.

A25-30-daywindowbackupsystemhasbeenprogrammedandenoughdiskspacehasbeenreserved foramonthlyoperation.Theaccess to thebackupdata isonlyavailable forUPCsystemadministratorsandisalsologged.Therecoverytimedependsontheamountofdatatoberecovered,intheframeofworkday,canbefrom1to4hours.

Our Data Centre management staff provide a pay-per-use service for external backupplacementifneededforlegalregulations,privacyorsecurityissues.

8 ArchivingandFutureProofingofInformation

The national legislation (European compliant) of the server site (Spain) compels UPC topreservealldataandaccessrecordsfortwoyears34aftertheprojectcompletion.Theserverwillremaininthesamesafelocationtopreservephysicalandlogicalaccess.Consequently,thedatawillbekeptintheserverandwillbeaccessibleunderthesametermsthatwillbeagreedamongpartnersduringtheprojectlifespan.

All public project deliverables will be available at least for five years after the projectcompletionattheprojectportal.

Selected datasets, databases, standalone documents, and even software may be madepublicoropenforexploitationattheendoftheprojectifthatfactiscompliantwithethicsand data protection guidelines described in this document. These resources may proveuselesswithoutexplanatorynotes(metadata)accompanyingthem.Metadatawillbeclearlylinked to the materials so that they can adequately inform any future user about thematerial. For example, a published dataset will typically be accompanied by a metadatadocumentthatexplainsthevariousfields, theirusefulnessandsummarisesthepurposeofthe dataset in general. These documentswill be stored alongwith the dataset andmadeaccessible in the same manner as the dataset (e.g. online, or download). Contactinformation will be provided accordingly in case that the future user needs furtherclarification.

33https://en.wikipedia.org/wiki/RAID

34InthecasethatanyoftheConsortiumpilotmembersrequiretokeepthedatastoredforalongerperiod,UPCwilltransfersecurelythecorrespondingdatatothepartnersoitcancontinuethecuration.


CAREGIVERSPRO-MMD


8.1 BestPracticesforFileFormats

Thefileformatsusedhaveadirectimpactontheabilitytoopenthosefileslaterandontheabilityofotherpeopletoaccessthosedata.

ProprietaryvsOpenFormats

Datashouldbesavedinanon-proprietary(open)fileformatwhenpossible.Ifconversiontoan open data formatwill result in some data loss from the files, it should be consideredsavingthedatainboththeproprietaryformatandanopenformat.Havingatleastsomeoftheinformationavailableinthefutureisbetterthanhavingnone.

Whenitisnecessarytosavefilesinaproprietaryformat,itwillbeincludedareadme.txtfilethatdocumentsthenameandversionofthesoftwareusedtogeneratethefile,aswellasthecompanywhomadethesoftware.

GuidelinesforChoosingFormats

Whenselectingfileformatsforarchiving,theformatsshouldideallybe:

§ Non-proprietary;§ Unencrypted;35§ Uncompressed;§ Incommonusagebytheresearchcommunity;§ Adherenttoanopen,documentedstandard:

o Interoperableamongdiverseplatformsandapplicationso Fullypublishedandavailableroyalty-freeo Fully and independently implementable bymultiple software providers on

multiple platforms without any intellectual property restrictions fornecessarytechnology

o Developedandmaintainedbyanopenstandardsorganizationwithawell-definedinclusiveprocessforevolutionofthestandard

SomePreferredFileFormats3637

• Containers:TAR,GZIP,ZIP• Databases:XML,CSV• Geospatial:SHP,DBF,GeoTIFF,NetCDF• Movingimages:MOV,MPEG,AVI,MXF• Sounds:WAVE,AIFF,MP3,MXF• Statistics:ASCII,DTA,POR,SAS,SAV• Stillimages:TIFF,JPEG2000,PDF,PNG,GIF,BMP• Tabulardata:CSV• Text:XML,PDF/A,HTML,ASCII,UTF-8• Webarchive:WARC

35DatawillbeencryptedintheUPCserverforsecurityreasons36http://www.digitalpreservation.gov/formats/37http://www.loc.gov/preservation/resources/rfs/data.html


CAREGIVERSPRO-MMD


9 AuditsAninternalauditprocedurewillbeperformedatleastevery18monthstoverifythatalltheaforementionedmeasuresareimplementedandarecompliantwithregulations.

10 ResourcingofDataManagement

This section outlines the staffing and financial details of the datamanagementwithin theCAREGIVERSPRO-MMDproject.Theformeraspectprovidesinformationabouttheroleandresponsibilitiesof thepartners thatgeneratethedataandthosewhocontrol it.The latteraspectdescribesthefinancingprocessfordatamanagementanddatastorage.

10.1 RolesinDataManagement

Eachpilotpartner(HUL,COO,FUB,CHU)isresponsibleforthedatageneratedintheirownpilotsbythedifferentstakeholdersoftheplatformasdataproducers.Eachpilotpartnerwillassigna responsibleperson fromhisorher institution for this task tobedesigned for thenextversionofthisdocument.

The UPC is responsible for all the aspects related with data storage and backup as dataprocessor.

MDAandCERTHasthemaindevelopersoftheC-MMDplatformwillberesponsibleasdataprocessorandserviceproviderofalltheaspectsrelatedwithdatagathering,dataintegrity,accesslogging,etc.,relatedtothesoftwarecomponentstheydevelop.

Asspecifiedin§5.1.3ofDoA,specificagreementswillbesignedamongpartnersinordertograntaccesstothedifferentdatasetsforthedifferentuses(datastorage,dataprocessing,serviceprovision).

10.2 FinancialDataManagementProcess

Asmentionedbefore,theConsortiumhasreservedaportionoftheprojectbudgetfordatahostingandbackup.

11 ReviewofDataManagementProcess

The follow-up of this plan will be reported in future versions of this document, wheredetailedprotocolsandmeasureswillbedescribedtoensurethecompliancewiththeplanalongwithpreliminary results on theobservedevolution.UPCasmain contributor to thisplan,supportedbytherolesdescribedinsection8.1,willperformthefollow-up.

ExternalreviewersoftheConsortiumaswellasselectedmembersoftheABwillsupportthepeer-reviewprocess.


CAREGIVERSPRO-MMD


Annex1-C-MMDPrivacyImpactAnalysis

A1.1IdentifyingtheneedforaPIA

CAREGIVERSPRO-MMDprojectaimstobuildadigitalplatformtailoredforpeoplelivingwithdementiaandtheircaregivers,consideringthis"dyad"astheunitofcare.Theplatformwillofferbothavarietyofadvanced,personalizedservicesthatwillimprovethequalityoftheirlivesandenablethemtolivewellinthecommunityforaslongaspossible.

TheservicesofferedbytheCAREGIVERSPRO-MMDplatformwillbebasedonthecollectionandanalysisofdataprovidedbytheend-usersorgeneratedthroughtheir interactionwiththe system. Accessible through user-friendly and easy-to-use interfaces for smartphones,tabletsandwebbrowsers,theseserviceswillinclude:

• clinicalandpsychologicalscreening;• treatmentadherenceservices;• educationalinterventionstailoredtoeachuser'ssymptoms;• socialnetworkingwithotherpeoplelivingwithdementia,caregiversandclinicians;• a service for reporting to doctors and medical staff about treatment adherence

levelsandotherimportantclinicalinformation.

Inall,theC-MMDplatformisanITsystemthatwillbestoringsensiblepersonalandhealthdataofitsusers.Someofthisdatawillbesharedbetweensomeusers(i.e.PLWD-caregiverorPLWD-doctor).Thebulkof thecaptureddatawillalsobeused for researchstudiesandsomepartofthisdatamightbesharedwiththeresearchcommunityandsociety.

Thus,wehaveasystemthatwillbemanagingandstoringverysensibleinformationsubjecttoethicalandlegalconsiderationsandpotentiallysubjecttoprivacyrisks.Consequently,theConsortiumhasundergonethetaskofwritingaPIAthatdepictspossiblerisksandmitigationmeasures so it canbeused through thedevelopment and implementationof theC-MMDproject.

A1.2Describinginformationflows

A1.2.1InformationOverview

In previous sections we have described the different datasets that compose the C-MMDecosystemandinordertoperformamoredetailedPIA,weprovideadescriptionofhowtheinformationthatenrichesC-MMDisobtained,usedandretained.InError!Referencesourcenotfound.wecanseeaschemaofthedifferentstakeholders interactingwiththeC-MMDplatformandthePilotTool,whichdatasetsaretheygeneratingandfinallytheaccessroleofeachstakeholderonthosedatasets.


CAREGIVERSPRO-MMD


Figure2C-MMDInformationOverview

WecanobservethatthemainstakeholdersinteractingandintroducingdataintheC-MMDplatformarePLWD,theircaregivers,healthprofessionalsandsocialworkers. It isassumedthat as in any IT system, administrators have access to the system andmay set up initialconfigurations for some services. In section 3.1we can find a description of the differentdatasetsandabroaddescriptionofownershipandaccess todatadepending if it isauser(PLWD-caregiver),aConsortiumpartnerco-owningthedata(healthorsocialprofessional,orresearcherworkingwiththeusersineachpilotsite),amemberoftherestoftheConsortiumor an external person of the project. In Figure 2we can seewhich stakeholder produceseach dataset and which stakeholder can access each of them. Where is stated ‘Partial’access,means thatnotall thedataset isavailable (i.e. a socialworkerwillonlybeable toaccessscreening informationrelatedtosocialaspects,butnotclinical). InFigure3wecanseethedataflowdiagramofC-MMD,wherestakeholders(inred)interactwiththeplatform,introducedatathatcomposesdatasets(boxesinlightred)andfireprocesses(purplecircles)thatcangeneratenewdatasets,logsorITdatarepositories.


CAREGIVERSPRO-MMD


Figure3C-MMDDataFlowdiagram

A1.3Identifyingprivacyandrelatedrisks

Atthisstage,wehavedescribedthekindofinformationexchangedamongstakeholdersanditsrelevance.Withinthisscenario,wemustidentifywhichthreatsaremorelikelytooccuraswellastheirpossiblesourceandseverity.Sinceeachorganizationwillevaluatetherisksandthepossiblesolutionsaccordingtotheirowncharacteristicsandresourcestheoutcomeofthisstudyisnecessarilysubjective.

Severity38representsthemagnitudeofarisk.Itisprimarilyestimatedintermsoftheextentof potential impacts on data subjects, taking account of existing, planned or additionalcontrols.Theseveritylevelobtainedmayberaisedorloweredinrelationto(1)thelevelofidentification of personal data; (2) the nature of the risk source; (3) the number of

38DefinitionfromCNIL


CAREGIVERSPRO-MMD


interconnections (especially with foreign sites); (4) the number of recipients (whichfacilitatesthecorrelationbetweenoriginallyseparatedpersonaldata).

Likelihood39 represents the feasibility of a risk to occur and is estimated in terms ofvulnerabilities of the supporting assets involved and the capabilities of the risk source toexploitthem.ThejustificationofthelikelihoodisprovidedbytheproposedcontrolsolutionspresentedinA1.4.

According the guidelines provided by CNIL, there are three potential data breaches: (i)illegitimate access to personal data, (ii) unwanted modification of personal data and (iii)disappearance of personal data. The following table describes the possible threats thatmight be present in the C-MMD project categorized within the aforementioned databreaches.

39DefinitionfromCNIL


DATABREACH # TYPEOF

SUPORTINGASSET THREATS ACTION RISKSOURCES SEVERITY LIKELIHOOD JUSTIFICATION(oflikelihood)

Illegitimate

accessto

personaldata

1 HWinpilotsiteUncontrolledaccesstodata

byunauthorizedpersonalObserved

Internal/external

humanLimited

Dependson

eachpilot

Negligibleifpersonaldataisstoredinaroom

protectedbyaccesscode.Maximumincaseof

beinginunprotectedroomsorinpublicareas

2 HWinpilotsite

UseofUSBflashdrivesor

disksthatareill-suitedto

thesensitivityofthe

information

Used

inappropriatelyInternalhuman Negligible Negligible

Nodataexportmeansoutsidetheprotected

DBsorsecuredprotocolswillbeallowed

3 HWatUPCserver Lostofequipment(theft) LostInternal/external

humanLimited Negligible

Protectedroomwithcontrolledaccess.

Protectedserverwithphysicallock.Backup

andencryptionstrategiesfordataprotection

4 SWatUPCserverInfectionbymaliciouscode,

hackingDBAltered

Internal/external

humanornon-

humansource

Maximum Negligible Protectedaccess

5 SWatpilotsitesInfectionbymaliciouscode,

hackingDBAltered

Internal/external

humanornon-

humansource

SignificantDependson

eachpilot

Securitypolicyofeachpilotsitewill

determinethelikelihood

6 SWpilots&server

Errorsduringupdates,

configurationor

maintenance;replacement

ofcomponents

Altered

Internal/external

humanornon-

humansource

Limited Limited Accessrestrictedtoauthorizedtrainedstaff

D7.7DataManagementPlan-InterimVersionCAREGIVERSPRO-MMD


7

Peopleinpilots,

UPCserver

controllersand

technical

developers

Abuseofuseofpersonal

dataforotherpurposes

(transactional,navigationor

geo-localizationdata;

behaviourmonitoring,

profilinganddecision

making)

Manipulated Internalhuman Significant Negligible

Previoustrainingonethicalandregulatory

dispositionsmakesunlikelytheuseof

informationforunplannedandillegitimate

purposes

8

Peopleinpilots,

UPCserver

controllersand

technical

developers

Breachofconfidentialityof

personaldatabyemployees

oftheorganization

Observed Internalhuman Significant Negligible

Previoustrainingonethicalandregulatory

dispositionsmakesunlikelythedisclosureof

personalinformation

9

Peopleinpilots,

UPCserver

controllersand

technical

developers

Unauthorizedaccessto

personaldata

Used

inappropriatelyInternalhuman Limited Negligible Accessrestrictedtoauthorizedtrainedstaff

10 Peopleinpilotsite

Obtaininganinformed

consentdoubtful,corruptor

invalidforthetreatmentof

transferofpersonaldata;

hinderwithdrawalof

consentoroppositionto

treatmentordisposal

Used

inappropriatelyInternalhuman Limited Negligible

Clinicalpartnersarecommittedtothe

protocolpresentedandapprovedbyan

EthicalCommitteefollowingtheFundamental

HumanRights

Unwanted

modification

ofpersonal

data

11 HWatUPCserver

Uncontrolledaccesstodata,

noback-upstrategy,abuse

ofstorageperiod

Used

inappropriately

Internal/external

humanLimited Negligible

Serversstoredinaroomwithcontrolled

access.Backupprotocol

12

Computer

channelsatUPC

server

Man-in-the-middleattackor

otherattacks

Used

inappropriately

Non-human

sourceSignificant Negligible Allcommunicationchannelsareencrypted

D7.7DataManagementPlan-InterimVersionCAREGIVERSPRO-MMD


13 SWUnwantedmodificationson

DB,erasureoffiles

Used

inappropriately

Internal/external

humanLimited Limited Backupprotocol

14 SWpilots&server

ExceedingDBsize,injection

ofdataoutsidethenormal

rangeofvalues,denialof

serviceattack

Overload

Internalhuman

ornon-human

source

Negligible NegligibleAllDBmodificationsarecheckedbefore

commit

15 HWpilots&server

Storageunitfull,power

outage,processingcapacity

overload,overheating,

denialofserviceattack

Overload Internalhuman Negligible NegligibleServerallocatedindatacentrethatcoversall

thesecases

Disappearanc

eofpersonal

data

16Paperdocuments

inpilotsites

Replacementoforiginalfiles

(falsifications)Altered

Internal/external

human,non-

humansource

Significant LimitedProtectedroomswithbadgereaderand/or

accesscode.

17 Paperdocuments

Theftoffilesfromoffices,

mailfrommailboxesor

retrievalofdiscarded

documents

Lost

Internal/external

human,non-

humansource

Significant NegligibleProtectedroomswithbadgereaderand/or

accesscode.

18 HWandSW Technologyobsolescence OverloadNon-human

sourceNegligible Negligible

Toolsselectedtobevalidduringtheproject

lifetime


A1.4Identifyingandevaluatingprivacysolutions

RISK CONTROLS RESULT

1 1.Avoidpubliclocationsinsidehospitals(e.g.corridors,sharedworkingspaces) Reduced

21.Controlledaccesstodata

Eliminated2.Activitylog

3

1.Restrictedandcontrolledphysicalaccess

Eliminated2.Encryption

3.Externalbackup

4.PhysicalHWprotection

4,5,6

1.Securitypolicy

Reduced

2.Disciplinarysanctions

3.Encryption

4.Datadisassociation&anonymisation

5.Activitylog

7

1.Defineaprivacypolicyvisibleandaccessible

Reduced

2.Transparentreportingontheuseandpurposeofcookies

3.Dissuasivesanctions

8

1.Trainingondutiesandresponsibilitiesregardinginformationconfidentiality

Reduced


3.Disciplinarysanctionsforstaffmemberswhobreachthedutyofsecrecyandconfidentialitypoliciesoftheorganization


CAREGIVERSPRO-MMD


9

1.Promoteawarenessontheobligationofprofessionalsecretregardingpersonaldata

Eliminated

2.Disciplinarysanctions

3.Officialcommunicationchannelswiththoseworkersinformingabouttheresponsibilitiesandconsequencesofaccessingpersonaldata

4.Officialcommunicationchannelwithauthoritiesreportinganyconfidentialitybreach.

10

1.Promoteawarenessofgoodpractices

Reduced2.Disciplinarysanctionsforthosewhobreachtherightofrejectionorwithdrawalofhumansubjectsparticipatinginmedicalresearch

11

1.Identificationofauthorizedusers

Eliminated

2.Assignationofsecurityresponsible&securitypolicy

3.Activitylog

12

1.Securitypolicy

Reduced2.Officialcommunicationwithauthoritiesreportingtheattack

131.Activitylog

Eliminated2.Recoverystrategy

141.Initialestimationofrequirements

Accepted

2.Emergencyplan

151.Initialestimationofrequirements

Accepted

2.Emergencyplan


CAREGIVERSPRO-MMD


161.Securitypolicy(non-transferablepersonaldataamongpilots)2.Disciplinarysanctions Accepted


171.Physicalsecurity

Reduced2.Dissuasiveanddisciplinarysanctions

18 1.AddcriteriawhenconsideringHW/SWoptionsinthearchitecturedesign Eliminated


CAREGIVERSPRO-MMD


Annex2-C-MMDDatasets

PERSONALDATASET(personaldata,demographics,medical,social)

Personaldata

Property Description DataType Nullable Unique

User_permalink(autogenerated)*

Uniquealphanumericcoderepresentingtheuser

String False TRUE

User_Id(autogenerated)* AuniqueIdentifier(auto-increment) Longint FALSE TRUE

NickName* Auseridentifiertoappearinpublic String FALSE TRUE

Email* Theprimaryemailaddressofuservalidatedbythe

RFC5322Section3.2.3

String FALSE TRUE

City Nameofcity String FALSE FALSE

Province/County Nameofprovince String FALSE FALSE

ZIPCode Postalcode String False False

CountryCode Internationalcountrycodevalidatedbythe ISO3166-1

String FALSE FALSE

SHA256*(technical,auto-generated)

SecureHashAlgorithmCode String FALSE TRUE

SALT(technical,auto-generated)

Thesaltkeyfortheone-wayhashingofpassword

String FALSE FALSE

ConfirmationDate DatetheuseraccountwasconfirmedvalidatedbyISO8601

DateTime FALSE FALSE

RegistrationDate DatetheuseraccountwascreatedvalidatedbyISO8601


Role_Id* Integerexpressionoftheuserrole:[0:normaluser,1:PWLD,2:caregiver;3:socialprofessional;4:healthprofessional]

Integer FALSE FALSE

Photo Imageoravatar Image FALSE FALSE

Demographics

Gender** ‘M’forMalesand‘F’forFemales.‘O’ Char FALSE FALSE


CAREGIVERSPRO-MMD


usedforotherornull.

Birthdate** DateofbirthvalidatedbyISO8601 DateTime FALSE FALSE

PreferredLanguage PreferredlanguageoftheinterfacevalidatedbyISO639-1fromthelistofavailablelanguages

String FALSE FALSE

EducationLevel [ISCED2011]

Earlychildhoodeducation

Primaryeducation

Lowersecondaryeducation

Uppersecondaryeducation

Post-secondarynon-tertiaryeducation

Short-cycletertiaryeducation

Bachelor’sorequivalentlevel

Master’sorequivalentlevel

Doctoralorequivalentlevel

Byte TRUE FALSE

Livingstatus(where) [OnlyforPLWD]Ownhouse

Relative'shouse

SocialHousing

Shelteredaccommodation

Nursinghome

Byte TRUE FALSE

Livingstatus(withwhom) [ForPLWD]

alone

withthemaincaregiver(onlyas2)

withotherfamilymembers).[ForCG]

alone

withthecarereceiver(onlyas2)

withthecarereceiver(withothers)

Byte TRUE FALSE

Workingcondition [OnlyforCG]retired

housekeeper

fulltimeemployed

parttimeemployed

Byte TRUE TRUE


CAREGIVERSPRO-MMD


free-lancer

unemployed(lookingforajob)

student

Workingbenefit [OnlyforworkingCG]Doyoubenefitofanymeasureforthoseprovidingcare(e.g.authorisedworkingpermitsforcaring)

Boolean TRUE TRUE

Othersupport [OnlyforCG]

Nosupport

Formalandprofessionalcarer(serviceprovidedbypublichealthandsocialsystem)

Formalandprofessionalcarer(serviceprovidedbyprivatehealthandsocialprovider)

Volunteersfromcommunitycharitiesandassociations

Otherrelatives

Byte TRUE FALSE

ICTorTechnologicaldevices Subjectiveestimationofcomputerdrivingskills

Willingtouse

Casual

Expert

Byte TRUE TRUE

Hobbies Animals/pets/dogs,Arts,Astrology,Astronomy,Baseball,Basketball,Beach/Suntanning,Birdwatching,Boating,BonsaiTree,CakeDecorating,Calligraphy,Camping,CasinoGambling,Ceramics,Church/churchactivities,Collecting,Music,Computeractivities,Cooking,Crafts,CrosswordPuzzles,Dancing,Photography,Dominoes,Drawing,Eatingout,EducationalCourses,Electronics,Exercise(aerobics,weights),Falconry,Fishing,Floorball,FloralArrangements,Football,Games,Gardening,Cinema,Golf,Guitar,HomeRepair,Internet,Puzzles,Macramé,Painting,Photography,Piano,Reading,Shopping,Spendingtimewithfamily/kids,StampCollecting,Swimming,Tennis,Traveling,TVwatching,VideoGames,Violin,

ArrayofStrings

TRUE FALSE


CAREGIVERSPRO-MMD


Volunteer,Walking,Writing,Yoga

Healthliteracy Abilitytoaccessinformationonmedicalorclinicalissues

Abilitytounderstandmedicalinformationandderivemeaning

Abilitytointerpretandevaluatemedicalinformation

Abilitytomakeinformeddecisionsonmedicalissues

Byte TRUE TRUE

Interests(self) D1.4Domains(binarytree,multipleselection)(p.35-39).SeesampleinDomainfieldofinterventions.TheseinterestsareselectedbythePLWDhim/herself

Array FALSE FALSE

Interests(caregiver) D1.4Domains(binarytree,multipleselection)(p.35-39).SeesampleinDomainfieldofinterventions.TheseinterestsareselectedbythePLWD’scaregiver.

Array FALSE FALSE

Interests(doctor) D1.4Domains(binarytree,multipleselection)(p.35-39).SeesampleinDomainfieldofinterventions.TheseinterestsareselectedbyPLWD’sdoctor.

Array FALSE FALSE

Medical

Cognitivedisorder MCI/Dementia String TRUE FALSE

Typeofdementia [Ifdementia]

AlzheimerDisease

FrontotemporalDementia

VascularDementia

UnknwontypeofDementia

Byte TRUE FALSE

Diagnosisdate DiagnosisdatevalidatedbyISO8601 Date TRUE FALSE

Disorder [OnlyHCP]

Belongstodisordergroup

• BloodConditiono Anemia

• Cardiovasculardiseaseso Atrialfibrillationo Arterial

Hypertension

ArrayList TRUE FALSE


CAREGIVERSPRO-MMD


o Heartfailureo Chronicmyocardic

ischemiao Recentmyocardic

infarctiono Cerebralvascular

diseaseo Peripherialarterial

disease• Endocrineandmetabolism

disorderso Diabeteswith

insulintreatmento DiabetesIIwith

oraltreatmento diabeteswith

complicationso Hypercholesterole

miao Hypothyroidismo Obesityor

overweighto Malnutritiono Dehydration

• Genitourinarydisorderso Urinarytract

infectiono Urinary

incontinence• Liverandgastrointestinal

disorderso Chronichepatitiso Gastritisorulcero Constipation

• NervousSystemdisorderso Parkinsondiseaseo Epilepsyo Strokesequellae

• Psychologicandpsychiatricdisorders

o Insomniao Anxietyo Depressiono Psychosiso Confusiono Apathyo Behaviour

disturbance• Rheumatologicdisorders

o Arthrosiso Jointpain

• Sensoryimpairmento Deafnesso Visualimpairment


CAREGIVERSPRO-MMD


• Toxico Alcoholismand

otheraddiction• Nephrology

o Chronicrenalinsuffiency

• Respiratorydiseaseo Chronicpulmonary

diseaseo Respiratory

infection• Cancer

o Malignancy

Dateofdiagnosis

UIimpact(gradedbyitsimpactseverity)

• Audioimpairment(influencingtheaccesstoplatformservices)

• Visualimpairment(influencingtheaccesstoplatformservices)

• Physicalimpairment(influencingthecaringactivities)

• Pharmacologicaltherapy

Weight Inkg/pound int TRUE FALSE

Height incm/feet int TRUE FALSE

Social

Relationships Idsofrelationshipswithotherusers.(primarycaregiveridisincludedtoo).


Privileges Privilegesofarelationship

• Readposts• Readscales• Readevents• Readmedicalinfo• Readactivity


PrimaryCaregiver_Id

(initialphase-->onlyonecaregiverperPLWD)

Idoftheuserwithprimaryresponsibilityofthecaregiving

Longint TRUE FALSE

Groups_Id Arrayofgroupnamestheuserparticipatesin

ArrayofStrings

TRUE FALSE


CAREGIVERSPRO-MMD


ConnectionDegree Thenumberofnodesdirectlyconnectedtothisnode(personalcircle’ssize)

Integer TRUE FALSE

Centrality Arrayofsocialnetworkcentralitymetricsastripletvectorsof:[GroupName,CentralityType,CentralityValue](Seebelowfordetails).

Array TRUE FALSE

SCREENINGDATASET

Inordertodevelopthesurveyengineformakingsurveysonline,thedatastructureusedisdescribedhere.

SurveyId Idofeachsurvey Integer

Participantsurveys Infoabouteachtimeaparticipantfulfillsasurvey

Location Placewherethesurveyhasbeentaken

Notes Commentsaboutthesurvey

Score Finalscoreofthesurvey,incaseitisperformedoffline

Status undone:0,in_course:1,finished:2

ParticipantSurveyPartialScores

Infoaboutpartialscoresofonesurvey,ifneeded

Name/domain Nametoidentifythepartialscore

Score Scoreforafragmentofasurvey

Participantanswers Answersofeachparticipanttoeachproposedsurveyanswer

Participantanswerid Belongstoaparticipantsurvey

Question_id Belongstoaquestion

Answerid Belongstoananswer

Content Freetextforafreetextanswer

Is_answered Trueifitisanswered,falseotherwise


CAREGIVERSPRO-MMD


ADVERSEEVENTSDATASET

Description Descriptionofadverseevent(adiagnosisispreferred)

String FALSE FALSE

Startdate DatevalidatedbyISO8601 DateTime FALSE FALSE

Enddate DatevalidatedbyISO8601 DateTime FALSE FALSE

Severity Severityoftheevent:YES/NO Boolean FALSE FALSE

Relatedtoinvestigationalproduct Relationshiptotheinvestigationalproduct

Boolean FALSE FALSE

HasmanyCountermeasures: Outcomes

• Ongoing• Resolved• Notresolved

Serious:YES/NO


TREATMENTDATASET

Medication Nameofthedrug String FALSE TRUE

Prescribeddate Datefortreatmentending.Askfordurationinstead.


End_date Dateoftreatmentend DateTime FALSE FALSE

Dosage_array 7x4matrixindicatingnumberofpills/quantityforeachweekdayx4timesaday.


Condition Towhichdisorderthistreatmentisintendedfor(seelistinPersonaldataset)

String FALSE FALSE

atc Anatomical,Therapeutic,Chemicalclassificationsystem

String FALSE FALSE

Administrationroute

Oral

Intravenous

Nasal

Respiratory(inhalation)

Transdermal

Other

https://www.fda.gov/drugs/developmentapprovalprocess/formssubmissionrequirements/el

Byte FALSE FALSE


CAREGIVERSPRO-MMD


INTERVENTIONDATASET

Intervention_ID AuniqueIdentifier(auto-increment) Longint FALSE TRUE

Dateofcreation Automatic Timestamp FALSE FALSE

Author Nameofcontentcreator String FALSE FALSE

Author_contact_details

Authorcontactdetails Srring FALSE FALSE

Author_qualification String FALSE FALSE

Language CodesofLanguages String FALSE FALSE

Intendedaudience Role-basedcontent Arrayofstrings

FALSE FALSE

Socialexchange Preventive/Palliativecontent String TRUE FALSE

DOMAIN D1.4Domains(binarytree,multipleselection)(p.35-39)

• Understandingdementiao Symptomso Diagnosiso Anxietyandconfusiono Memorylosso Physicalchangeso Progressiono Behaviourthatchallengeso Medicationo RecognisingIamacarer

• Dailylifeo Eatinganddrinkingo Livingathomeo Usingpublictoiletso Washinganddressingo Shoppingo Drivingo Goingtothetoiletand

continenceo Daysoutandholidayso Safetyo Communicationo Hidingthings

Array FALSE FALSE

ectronicsubmissions/datastandardsmanualmonographs/ucm071667.htm

Adherence eachrowisadosage(taken,nottaken,missinginfo)

Byte TRUE FALSE


CAREGIVERSPRO-MMD


o Copingwithmyreactions• Whocanhelp?

o Dementiasupportandgroups

o Otherhelpfulorganisationso Carers’supportandgroupso Paidcarerso Carehomeso GPsandothermedical

peopleo Hospitalo Moneyo Socialcareo Daycareo Plannedrespiteo Emergencyrespite

• Lookingaftermyselfo Appreciatethepresento Myhealtho Havingalaugho Frustrationo Stayingpositiveo “Me”timeo Calmo Sleepo Someonetotalkto

• MyRelationshipo Seeingthepersono Powerandcontrolo Maintainingindependenceo Maintainingarelationshipo Arguingo Caringatadistanceo Livingbetterwithdementiao Decidingthingstogethero Doingthingstogether

• FriendsandFamilyo Faithandcommunityo Supportgroupso Friendso Enjoyingafamilylifeo Helpingothersto

understando Supportfromfamily

memberso Enjoyingasociallifeo Keepingfriendshipsgoingo Dementiafriendly

communities• Planningforthefuture

o Endoflifeo Helpingmylovedoneto

acceptchangeso Decisions


CAREGIVERSPRO-MMD


o Gettinghelpo ManagingcarewhenIam

unwello Preparingforthefutureo Anticipatingchangeso Knowingmylimitso Plannedrespite

[TYPEOF]

• DementiaAdvisors• PostDiagnosticGroups• Signposting• PeerSupportGroups• Stress/Anxietymanagement• Reminiscence• AssistiveTechnology:adviceand

support• CognitiveTraining(CT)• PhysicalExercisetherapy• Fallprevention• Homemodification• MusicTherapy• Othercontents

Byte FALSE FALSE

format • Informationaboutlocalservices• Personaladvice• Practicalsuggestions• Seminar/conference• Trainingevent• Personalexperience• Monitoringtools• ExternalResources• Entertainmentsolutions• Rewardsystem

Array TRUE FALSE

delivery • Infographic• Video• How-to• Guideline• Casestudy• Tipsandtricks• Studies• Appsandgames

Array TRUE FALSE

frequency Frequencyindays(e.g.,every3days) Int TRUE FALSE

repetitions Amountoftimes(e.g.,once) int TRUE FALSE

Version Idofeachversionoftheintervention. String FALSE TRUE

Is_active Onlyoneofthedifferentversionsoftheinterventionispublished.

Boolean FALSE FALSE


CAREGIVERSPRO-MMD


Editor_Notes Commentsandnotesabouttheintervention String TRUE FALSE

Tags Definedtags(disorders) Array TRUE FALSE

Sources Sourceofthecontent,referralsormentions String FALSE FALSE

content pathtorawfile,informationstructureofrichcontent

String FALSE TRUE

USERINTERACTIONDATASET

NoOfPosts Numberofmessageposts Integer TRUE FALSE

NoOfLikes NumberofLikes Integer TRUE FALSE

NoOfReviews NumberofReviews Integer TRUE FALSE

NoOfArticleViews Numberofarticlesviewedbytheuser Integer TRUE FALSE

NoOfArticleAuthored Numberofarticlesauthoredbytheuser Integer TRUE FALSE

NoOfScalesTaken NumberofScalestakenbytheuser Array TRUE FALSE

NoOfInvitationsReceived Numberofinvitationsreceived Integer TRUE FALSE

NoOfInvitationsSent Numberofinvitationssent Integer TRUE FALSE

[InteractionHistory] [Arrayofinteractions-logfile] Array TRUE FALSE

USERGAMIFICATIONMODELDATASET

User Theuserstable:user_id,nickname,role_id


Role TheRolestablestoresadescriptionoftheuser’sidaccordingtotherolesinphysicallifeandthehealthconditions:id,description


Games Thisisthetablecontainingthegamestheuserparticipatesin:game_id,title,description,etc.


Details Alltheinformationmentionedintheshortgamificationprofile,butorganizedpergametitle(points,badges,tangibleobjects,privileges).



CAREGIVERSPRO-MMD


GAMEMODELDATASET

Game_Id Auniqueidentifierforeachnewgame int TRUE FALSE

Metrics Thetableofmetricslistsallkindsofmetricsusedtomonitoruser’sactivityandawardingback:metric_id,name_metric,type_metric,description


Actions Containsthelistofactionandbasicdescriptors:actionId,title,description


Quests ListofquestIds(timedobjectivesfortheplayersproposedtotheminordertogainaspecificreward)withdescriptorslikequestId,title,startDate,endDate,rewardId.


Leaderboards Listofleaderboards,theirdetailsandtheirrangeinplayersandteam:leaderboard_Id,leaderboard_name,leaderboard__description,leaderboard_entity_type(players/team)


Rewards Thetypesofrewardstobeappliedinthegame:Reward_id,reward_type,reward_verb,reward_condition


CreationDate Thedatetimethegame-mastercreatedthisgame

Datetime TRUE FALSE

SHORTGAMIFICATIONMODELDATASET

[Game_Ids] ArrayofgameIDstheuserparticipatesin ArrayofIDs TRUE FALSE

TotalPoints Vectoroffourelements:Thesumofallpointsearnedinallgames(likeawalletwithpointsearnedbysocialnetworking,communicationactivities,treatmentadherenceandeducation/training).communicationactivities,pointsearnedbytreatmentadherenceandpointsearnedbyeducation/training

Array TRUE FALSE

Badges Arrayofallbadgesearnedinallgames Array TRUE FALSE


CAREGIVERSPRO-MMD


TangibleObjects Arrayofpairs:objectnameandquantity Array TRUE FALSE

Privileges Forfutureuse Array TRUE FALSE

RECOMMENDERDATASET

USER

USER_ID AuniqueIdentifier Longint FALSE TRUE

FEATUREVECTOR Representstheuserprofile Arrayofdoubles

FALSE FALSE

INTERVENTION

INTERVENTION_ID AuniqueIdentifier Longint FALSE TRUE

FEATUREVECTOR Representstheitem Arrayofdoubles

FALSE FALSE

PILOTDATADATASET(contentintroducedbyclinicpartners)

ScalesScores

Arrayofpairs[psychological,medicalandbehavioralscalesandscores]

Array TRUE FALSE

Additionalnotes Notesassociatedtoapilot’svisit String TRUE FALSE

INTERVENTIONSFEEDBACKDATASET

userId Identifiestheuserthathasprovidedfeedback

Longint FALSE TRUE

interventionId Identifiestheinterventionthathasreceivedsomefeedbackfromthegivenuser(includinginteractiveinterventionslikeSeriousGamesforcognitivetraining)

Longint FALSE TRUE

timeStamp Datetimeoftheintervention Datetime FALSE TRUE

shared Storesiftheuserhassharedtheinterventionornot

Boolean TRUE FALSE


CAREGIVERSPRO-MMD


Views Views(ortries)istheamountoftimestheuserhasconsumedtheintervention

Integer FALSE FALSE

links_used_counter Numberoftimesofusageforthelinksinsidetheinterventions

Integer FALSE FALSE

Consumptiontime Timespentbytheusertoconsumethisintervention.Incaseofinteractiveinterventionsthisisthetotaltimeofplayingagame.

Integer TRUE FALSE

Consumptiontimeforsubtask

Timespentbytheusertoperformeachsubtaskoftheintervention

Array TRUE FALSE

Successrate Numericdescriptorofthelevelofsuccess.Ininteractiveinterventionsthiswillbethemainperformanceindicator(e.g.75%completed).Foranarticlereadwithwillbeeither0%(notconsumed)or100%(fullyconsumed),oriftheinterventionhassubsectionsthentherateofthecompletedsubsectionstothetotalnumberofsubsections(e.g.75%for3outof5thingsdone).

Float TRUE FALSE

Score Numericexpressionofthesuccessrateifany.Inthecaseofgamesthisisthescore(numberofpointsearned).Incaseofaquestionnaireoraninterview(givenasintervention)thisnumbercouldbethenumberofquestionsansweredorthedegreeofuserparticipation.

Float TRUE FALSE

Other Generalpurposefieldrelatedtothetypeoftheintervention.Forexample,insomegameswemayneedstoretheAverageResponseTime.

USERGAMIFICATIONINTERACTIONHISTORYMODELDATASET

UserGamificationHistoryId Theidofaninteractionperformedbytheuser

Int FALSE TRUE

Timestamp Thedateandtimetheinteractionperformed

DateTime FALSE TRUE

userId Theidoftheuser(player)whoperformed Int FALSE FALSE


CAREGIVERSPRO-MMD


theinteraction

gameId Theidofthegamethisinteractionwasperformed

int FALSE FALSE

actionId Theidoftheregisteredactionrelatedtothisinteraction

int FALSE FALSE

scoreEarned Thechangeinthesumpointsasaresultoftheinteraction

int TRUE FALSE

awardId Theidofanaward–ifany-gainedbytheuseratthetimeofthisinteraction

int TRUE FALSE

levelId Theidoftheleveltheuserwasplayingatthetimeoftheinteractionevent

int TRUE FALSE

questId Theidofthequestpossiblythisinteractionwasrelatedto

int TRUE FALSE

questStatus Anindicatoriftheinteractionresultedintheenrolmentoftheuserinaquest(value1),orthedrop-outofthequestbytheuser(value1)orthewinningofthequest(value2)

int TRUE FALSE

gameStatus Anindicatorifthegamestatusresultedbythisinteractionevent,enrolmentinthegame(value1),orthedrop-outofthegamebytheuser(value1)orthewinningofthegame(value2)

int TRUE FALSE

GAMEHISTORYDATASET

gameHistoryId Theidofaneventperformedonthegame int FALSE TRUE

Timestamp Thedatetimeaneventoccurredinagame Datetime FALSE TRUE

GameEventId Ashortdescriptionofthegameeventlike:

Enablegame,disablegame,notification,reset,additions,updatesanddeletionsofgameelements(e.g.rules,actions,awards,etc.).

ArrayList FALSE FALSE

userId Theidofthegame-masterwhomadethischangeonthegame

Int FALSE FALSE

Details Moreinformationdependingonthetypeofgameevent(e.g.contentofthenotification,

String TRUE FALSE


CAREGIVERSPRO-MMD


nameoftherule,etc.).

NOTIFICATIONSMODELDATASET

notificationId Theuserstable:user_id,nickname,role_id ArrayList TRUE FALSE

notificationCategory ArrayList TRUE FALSE

nbotificationTitle ArrayList TRUE FALSE

notificationText

lifecycle Time

notificationStatus ArrayList TRUE FALSE

userIds

Atypeissaidtobenullableifitcanbeassignedavalueorcanbeassignednull,whichmeansthetypehasnovaluewhatsoever.


CAREGIVERSPRO-MMD


Annex3-Security/DataBreachManagementProtocol

Identification

The identification phase of incident response has as its goal the discovery of potentialsecurity incidents and the assembly of an incident response team that can effectivelycontainandmitigatetheincident:

a. Identifyapotentialincident.Theincidenthandlermaydosothroughmonitoringofsecurity sensors. Systemownersor systemadministratorsmaydo sobyobservingsuspicious system behaviour. Any user of the system may identify a potentialsecurity incident though external complaint/notification, or other knowledge ofimpermissibleuseordisclosureofRestrictedData.�

�

b. Notify: users of the system that suspect an IT system has been accessedwithoutauthorizationmustimmediatelyreportthesituationtordlab@cs.upc.edu.Oncetheincident handler is aware of a potential incident, s/he will alert local systemadministrators.

c. Quarantine:Theincidenthandlerwillquarantinecompromisedhostsatthetimeofnotification unless they are on the Quarantine Whitelist. If they are on theQuarantineWhitelist, the incident handler will promptly reach out to the systemadministratoror systemowner to createaplan to contain the incident.Note thatthe incident handler may notify on suspicious behaviour when they are notconfidentofasecuritycompromise;inthesecasestheydonotquarantinethehostimmediately,butwait24-48hoursandquarantineonly if the registeredcontact isunresponsive.


CAREGIVERSPRO-MMD


Figure4IfRestrictedDataispresentonthecompromisedsystem,theCriticalIncidentResponse(CIR)isfollowed.

Verification

This phase also precedes Critical Incident Response (CIR), and has the primary goal ofconfirming that the compromise is genuine and presents sufficient risk to engage the CIRprocess:

a. Classify:TheCIRmustbeinitiatedif…i. The system owner or system administrator indicates that the system is a

high-criticalityassetii. OR the system owner or system administrator asserts that the system

containsRestrictedData.iii. ORsomeoneofappropriateauthority (forexample, theRector)with input

fromacognizantUPCofficerdeterminesthatthesystemposesauniqueriskthatwarrantsinvestigation.

b. Verify:TheCIRprocessshouldbeinitiatedONLYif…


CAREGIVERSPRO-MMD


i. Theincidenthandlerverifiesthatthetriggeringalert isnotafalsepositive.The incidenthandlerwilldouble-checkthetriggeringalert,andcorrelate itagainstotheralertingsystemswhenpossible.

ii. AND the type of data or system at risk is verified to be of an appropriateclassification, as determined above. The system owner or systemadministrator should provide a detailed description of the data at risk,including approximate numbers of unique data elements at risk, and thenumber,location,andtypeoffilesitisstoredin.

Theorderofthestepsabovecanvaryfromincidenttoincident,butfortheCIRprocesstobeinitiated the criticalityof theassetmustbe confirmed, and itmustbe confirmed that thetriggeringevent isnota falsepositive. Incaseswhere theCIRprocess isnot required, theincidenthandlercanresolvethecaseasfollows:

a. Obtain a written (email is acceptable and preferred) statement from the systemownerorsystemadministratordocumentingthatthesystemhasnoRestrictedDataandisnotahigh-criticalityasset.�

b. Obtainawrittenstatementfromthesystemownerorsystemadministratorthatthesystemhasbeenreinstalledorotherwiseeffectivelyremediatedbeforequarantineislifted.�

c. For incidents involving an unauthorized wireless access point, obtain a writtenstatementthattheaccesspointhasbeendisabled.

Containment

ThecontainmentphaserepresentsthebeginningoftheCIRworkflowandhasthefollowinggoals:

a. Ifthehostcannotimmediatelyberemovedfromthenetwork,theincidenthandlerwill initiateafull-contentnetworkdumptomonitortheattacker'sactivitiesandtodeterminewhetherinterestingdataisleakingduringtheinvestigation.�

b. Eliminateattackeraccess:Wheneverpossible, this isdonevia the incidenthandlerperforming network quarantine at the time of detection AND by the systemadministratorunpluggingthenetworkcable.Inrarecases,theincidenthandlermayrequestthatnetworkoperationsstaffimplementaport-blocktoeliminateattackeraccess. In cases where the impact of system downtime is very high, the incidenthandler will work with system administrators to determine the level of attackerprivilegeandeliminatetheiraccesssafely.�


CAREGIVERSPRO-MMD


c. Theincidenthandlerwillcollectdatafromsystemadministratorsinordertoquicklyassessthescopeoftheincident,including:

i. Preliminarylistofcompromisedsystems�ii. Preliminarylistofstoragemediathatmaycontainevidenceiii. Preliminaryattacktimelinebasedoninitiallyavailableevidence

d. Preserveforensicevidence:i. System administrators will capture first responder data if the system is

turnedon. The incidenthandlerwill provide instructions for capturing thisdatatotheindividualperformingthattask.�

ii. The incident handler will capture disk images for all media that aresuspected of containing evidence, including external hard drives and flashdrives.

iii. Theincidenthandlerwilldumpnetworkflowdataandothersensordataforthesystem.

iv. Theincidenthandlerwillcreateananalysisplantoguidethenextphaseoftheinvestigation.

This is the most time-sensitive and the most contextually dependent phase of theinvestigation.Theactionsthatneedtobetakenwilldependontheuptimerequirementsofthecompromisedsystem,thesuspectedlevelofattackerprivilege,thenatureandquantityofdataat risk,andthesuspectedprofileof theattacker.Themost importantgoalsof thisphasearetoeliminateattackeraccesstothesystem(s)asquicklyaspossibleandtopreserveevidenceforlateranalysis.

Additionally, this is thephasewhere the incidenthandlerworksmost closelywith systemadministratorsandsystemowners.Duringthisphase,theyareexpectedtotakeinstructionfrom the incident handler and perform on-site activities such as attacker containment,gatheringfirstresponsedata,anddeliveringhost-basedanalysisifrequired.

Analysis

Theanalysisphaseiswherein-depthinvestigationoftheavailablenetwork-basedandhost-based evidence occurs. The primary goal of analysis is to establish whether there isreasonable belief that the attacker(s) successfully accessed Restricted Data on thecompromisedsystem.Secondarygoalsaretogenerateanattacktimelineandascertaintheattackers'actions.

All analysis steps are primarily driven by the incident handler, who coordinatescommunications between other stakeholders, including system owners, system


CAREGIVERSPRO-MMD


administrators,andrelevantcomplianceofficers.Questionswhicharerelevanttomakingadeterminationaboutwhetherdatawasaccessedwithoutauthorizationinclude:

a. Suspicious Network Traffic: Is there any suspicious or unaccounted for networktrafficthatmayindicatedataexfiltrationoccurred?�

b. AttackerAccesstoData:Didattackershaveprivilegestoaccessthedataorwasthedataencryptedinawaythatwouldhavepreventedreading?�

c. Evidence that Data was Accessed: Are file access audit logs available or are filesystem mactimes intact that show whether the files have been accessed post-compromise?�

d. LengthofCompromise:Howlongwasthehostcompromisedandonline?�e. Method of Attack: Was a human involved in executing the attack or was an

automated"drive-by"attacksuiteemployed?Didthetools foundhavecapabilitiesusefulinfindingorexfiltratingdata?�

f. Attacker Profile: Is there any indication that the attackers were data-thieves ormotivatedbydifferentgoals?

InthecaseofapotentialBreachofsensibledata(SD),thisanalysiswillincludetheC-MMDCoordinator,theUPCDataOfficerandtheRDLabSecurityManager.Theywillconductariskassessment to determine the probability that the security or privacy of the C-MMDmachineshasbeencompromisedbasedonanevaluationoftheelementsaboveinadditiontothefollowingfourfactors:

a. thenatureandextentoftheSDinvolved, includingthetypesof identifiersandthelikelihoodofre-identification,�

b. theunauthorizedpersonwhousedtheSDortowhomthedisclosurewasmade,�c. whethertheSDwasactuallyacquiredorviewed,and�d. theextenttowhichtherisktotheSDhasbeenmitigated.

Usingthesefactors,UPCDataOfficerwilldeterminethedegreeoftechnicalprobabilitythatthesecurityorprivacyoftheSDhasbeencompromised,butthefinaldeterminationbelongstotheaffectedC-MMDPilotPartner.Inordertomakethisdetermination,theDataOfficerat theaffectedPilotPartnerwilldocumenteach impermissibleuseanddisclosureand theriskassessmentconductedforeach.

ExceptionstothedefinitionofaBreachofSDare:

a. Any unintentional acquisition, access, or use of protected health information by aworkforcemember or person acting under the authority of a covered entity or abusiness associate, if such acquisition, access, or usewasmade in good faith and


CAREGIVERSPRO-MMD


withinthecourseandscopeofauthorityanddoesnotresultinfurtheraccess,useordisclosure.�

b. Any inadvertent disclosure by a person who is otherwise authorized to accessprotected health information at a covered entity or business associate to anotherperson authorized to access protected health information at the same coveredentity or business associate, or organized health care arrangement in which thecovered entity participates, and the information received as a result of suchdisclosure is not further accessed, used or disclosed in a manner not permittedunderLOPD.�

c. A disclosure of protected health information where a covered entity or businessassociate has a good faith belief that an unauthorized person to whom thedisclosure was made would not reasonably have been able to retain suchinformation.

Attheconclusionoftheanalysis,butbeforethefinalreportiswritten,apeerreviewshouldbe requested of the other RDLab technical staff. Complete the write-up of the notes,including conclusions, and archive processed source materials (e.g., grep-results, file-timelines,andfilteredflow-records).Thepeerreviewmayresultinsomeissuesthatmustbeaddressedandsomeissuesthatmayoptionallybeaddressed.Allrecommendationsshouldberesolvedoracknowledgedanddeferred.Theincidenthandler'sroleistodetermine,fromatechnicalperspective,whetherthereisareasonablebeliefthatRestrictedData,includingSD,wasavailabletounauthorizedpersons.ThedeterminationofwhetherthecircumstanceswarrantaBreachnotificationwillbemade jointlyby theUPCDataOfficerconveneduponreviewoftheresultsoftheinvestigationandthetechnicalopinionofRDLab.

Recovery

The primary goal of the recovery phase is to restore the compromised host to its normalbusinessfunctioninasafemanner.

a. The system administratorswill remediate the immediate compromise and restorethe host to normal function. This is most often performed by reinstalling thecompromisedhost;although if the investigationconfirmsthat theattackerdidnothaveroot/administratoraccessotherremediationplansmaybeeffective.�

b. The system administratorswillmake short-term system, application, and businessprocesschangestopreventfurthercompromiseandreduceoperatingrisk.


CAREGIVERSPRO-MMD


DataRetention

a. Theincidenthandlerwillarchivethefinalreportincaseitisneededforreferenceinthefuture;reportsmustberetainedforsix(6)years.�

b. Incidentnotesshouldberetainedforsix(6)monthsfromthedatethatthereportisissued. This includes the confluence investigation page, processed investigationmaterialslikegreppedfile-timelinesandfilterednetwork-flows,etc.�

c. Raw incident data should be retained for thirty (30) days from the date that thereport is issued. This includes disk-images, unfiltered netflow-content, raw file-timelines, and other data that was collected but deemed not relevant to theinvestigation.�

UserNotification

a. IftheriskassessmentdeterminesthataBreachhasoccurred,theUPCwillprovidewrittennoticewithoutunreasonabledelayandinnoeventlaterthansixty(60)daysfromincidentdiscovery,totheuseror:

i. Iftheuserisdeceased,thenextofkinorpersonalrepresentative.ii. Iftheuserisincapacitated/incompetent,thepersonalrepresentative.iii. Iftheuserisaminor,theparentorguardian.

b. Written notificationwill be in plain language at an appropriate reading levelwithclearsyntaxandlanguagewithnoextraneousmaterials.

c. Writtennotificationwillbesentbyfirst-classmailtothelastknownaddressofthepatient or, if deceased, the next-of-kin, or if specified by the user, by encryptedelectronicmail.

d. Writtennotificationwillcontain:i. AbriefdescriptionofwhatoccurredwithrespecttotheBreach,including,to

theextentknown,thedateoftheBreachandthedateonwhichtheBreachwasdiscovered;

ii. Adescriptionof the typesof compromiseddata thatwere involved in theBreach;

iii. A description of the steps the affected individual should take in order toprotecthimselforherselffrompotentialharmresultingfromtheBreach;

iv. A description of what the UPC is doing to investigate and mitigate theBreachandtopreventfutureBreaches;and

v. Contact procedures for individuals to ask questions or learn additionalinformation,whichwillincludeatelephonenumber,anemailaddress,Websiteorpostaladdress.


CAREGIVERSPRO-MMD


e. If theUPCdetermines theusershouldbenotifiedurgentlyofaBreachbecauseofpossible imminent misuse of compromised data, the UPC may, in addition toproviding notice as outlined in steps b-d above, contact the user by telephone orothermeans,asappropriate.

data management plan - interim version...7 storage, backups and data recovery 52 8 archiving and...

Documents