Performing a data donation study is facilitated by data donation software, for example our software Port. In Port, you can potentially configure the complete participant flow. However, at a minimum, you will use it to perform the local extraction step. To enable an app that is live which a participant can access to participate in the data donation study, and to facilitate that once the participant clicks the ‘donate’ button, that their data is sent to a secure storage location, the software needs to be configured. Below, we conceptually describe what this all entails, but note that using a managed solution, this can all be taken care of.

First, the app should be hosted somewhere. This can be on premise or in a cloud and it depends on the researcher and its institution what solution is appropriate for their study. This is typically assessed by means of a Data Privacy Impact Assessment (DPIA). In addition, a processing agreement should be in place between the institution and the hosting party. When the app is hosted, a domain name is specified through which the participants can access the study page. Here, the weblinks that are shared with participants should be configured such that they contain a unique user ID. These can later be used to for example link the donated data to the data obtained through a questionnaire.

As soon as the participant clicks the ‘yes, donate’ button, the extracted data is sent to the app, which immediately sends it through to the storage account. During this process, the data is TLS encrypted. As soon as the data arrives at the storage location, it is no longer encrypted. Depending on the storage type used, security measures such as multi-factor authentication and role based access control can help to ensure that only designated researchers can access this location and define the rights they have here. Again, the DPIA can help reflect on the security measures taken regarding data storage and a processing agreement between the institution and the party providing the data storage is required.

There are various ways to configure both the tool hosting and data storage. They can be highly tailored and make use of tools only available at specific institutes, or they can make use of generic infrastructure. As D3I, we facilitate using Port on SURF, which is available for all researchers in the Netherlands, but requires researchers to take full responsibility for all security measures as described in this section. Alternatively, researchers can make use of Software-as-a-service solutions for Port, provided by Eyra Leap B.V. Note that regardless of the option that is chosen, a DPIA and processing agreements are always required to reflect on the level of sensitive information being collected with respect to the security measures taken.