inCytes™ is a software as a service technology, built upon Amazon Web Services “AWS”, which process large amounts of data, including health data and personally identifiable information. Such data, depending upon country, institution, and other policies, are often regarded as sensitive data, data concerning health, protected health information or PHI, personal data, or other similar terms. For purposes of this document, we will use terms and defined roles from the Global Data Protection Regulation, or GDPR.
In all instances, inCytes™ and Amazon Web Services shall serve as Data Processors, processing Personal Data according to the instructions by Data Controllers. This document helps inform Data Controllers of the existing infrastructure upon which inCytes™ is built, and of the available options for data processing. It is the Data Controller’s obligation to select processing which complies with their local regulations and data governance policies.
Data Controllers are defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
Personal Data is defined by the GDPR as “any information relating to an identified or identifiable natural person “data subject…”’. For the purposes of this document, Data Subjects shall be Patients.
All identifying information which alone or in aggregate identifies a natural person. Examples include names, contact information, addresses, etc.
Pseudonymization is defined as “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” The GDPR further elaborates in Recital 26 “To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”