SIDEfxHUB Data-User Impact Assessment

Data Collection

• Information collected by SIDEfxHUB is irrelevant to stated purposes

• Implement “Purpose Limitation” measures to ensure that collection, storage, management, analysis, monitoring and evaluation are limited to clearly defined and stated purposes. These purposes will be aligned to the charity’s mission, it’s stakeholders and ethical considerations
• Prioritise Core Data Elements
• Ensure “opt-in” consent is obtained from the data subject for clearly stated intended uses
• Provide clear reasoning and justification whenever an individual is asked to provide information
• Develop data collection protocols that specify the types of data to be collected alongside standardised elements and formats to ensure consistency and relevance
• Include relevant stakeholders, including the data subject, researchers, healthcare workers in the design and development of data collection and the registry as a whole

• Description and information relating to purposes pursued by SIDEfxHUB is not clear or transparent

• SIDEfxHUB will provide clear, concise and easily understandable information to individuals about the purposes of data collection and subsequent processing.
• Technical jargon or other specialist terminology will be avoided wherever possible to enhance comprehension

• Information provided by SIDEfxHUB  at the time of collection is insufficient for the data subject to make an informed choice as to whether to provide that data

• Ensure that privacy notices and protection policies, which outline collection methods, purposes, recipients, retention periods and the rights of data subjects will be easily accessible through multiple channels, including the website, Registry, mobile apps or other electronic written materials
• Encourage open communication to ensure that feedback and the opportunity to ask questions or raise concerns about the clarity or transparency of data collection practices

• Privacy and security concerns resulting from accidental or unlawful breaches and/or unauthorised access to personal and health information

• Integrate privacy considerations into the design and development of data storage systems
• Ensure only authorised personnel have access to individual’s data
• Ensure adequate training of all authorised personnel
• Will inform individuals should a breach of privacy incident occur

Data Management

• Inaccurate or incomplete data recorded

• Implement data quality checks to identify and correct errors, inconsistencies or missing information
• Implement standardised data collection practices with clear instructions, guidelines and training on to record accurately
• Conduct regular audits and reviews to monitor data quality

• Loss of control over information provided

• Ensure that data subject is continually made aware of their rights to access, rectify, transfer data or withdraw consent
• Implement privacy-enhancing technologies such as pseudonymisation, encryption or anonymisation to minimise identifiable information

• Misuse or exploitation of data for unauthorised purposes

• Implement strict access controls to limit management of data to authorised personnel only. Such authority will be regularly reviewed and subject to scrutiny by the Trustees of the charity
• Ensure that there are robust audit trails and logging mechanisms to track and monitor access to data
• Develop and adhere to ethical guidelines for data management

• Misinterpretation or misrepresentation of information gathered
• Bias and discrimination in machine learning algorithms
• Overreach of analysis for purposes outside those stated or otherwise authorised

• Data governance policies to deal with analysis activities and appoint officers with clear areas of responsibility
• Clearly stated and transparent agreements with the data subject and any end-user to ensure that analysis is confined to purposes disclosed.
• Quality assurance procedures to ensure, accuracy, completion, and reliability of data used for analysis
• Measures to detect and mitigate biases, including algorithmic biases and selection biases
• Robust data anonymisation and minimise the risk of re-identification
• Pseudonymisation, aggregation and differential privacy techniques ensure individual-level anonymity whilst preserving data utility for analysis

• Increased risk of privacy concerns
• Lack of adequate third party security measures
• Further loss of control over information provided
• Increased risk of re-identification of individuals when data is analysed from multiple sources

• Provide individuals with clear information about who will have access to their data and how they might use it and to their rights regarding data access, rectification, and deletion.
• Implement robust data anonymisation and minimise the risk of re-identification
• Employ pseudonymisation, aggregation and differential privacy techniques ensure individual-level anonymity whilst preserving data utility for analysis
• Develop clear policies and guidelines for data sharing with external researchers or other external bodies, including data access agreements, data use restrictions, and protocols for data transfer and dissemination

• Privacy concerns regarding unauthorised access, disclosure or misuse
• Fear of data leaks or other security breaches
• Risk of re-identification and loss of anonymity

• Establish robust data governance policies and procedures to detect and prevent unauthorised or non/not stated uses or purposes
• Implement robust data anonymisation and minimise the risk of re-identification
• Employ pseudonymisation, aggregation and differential privacy techniques ensure individual-level anonymity