SD Desktop Service Description - Services for Research

Public Detailed service description

Sensitive Data (SD) Desktop is a service for analyzing sensitive research data. Built on top of ePouta, it provides an isolated, secure private cloud computing environment accessible via a web user interface. All data processing takes place in Finland.

SD Desktop may be added to user’s CSC project at MyCSC portal. All the members of that CSC project share the same computing environment, allowing collaboration for the project members. Should a user be a member of two or more CSC projects, they can work on all their projects but are not able to share any data, tools, or anything else between the projects.

SD Desktop provides several flavors of virtual machines to choose from with Linux operating system. A user may disconnect the session from the virtual machine at any time, and reconnect at their wish; the virtual machine keeps running and doing whatever it was left to do. Various basic tools, such as LibreOffice, Python, or R, are provided. A user may bring in any other tools they need packaged in Singularity containers.

All data to be processed must be stored in SD Connect. Only data that has been properly stored and encrypted on SD Connect is available on SD Desktop. SD Desktop’s Data Gateway tool validates access control and decrypts data on the fly, streaming it in read-only mode as needed. Similarly, you can export data from SD Desktop with Airlock, which writes data out to SD Connect in encrypted format. Only a project manager can export data.

SD Desktop for the secondary use of healthcare data

SD Desktop, as is, is neither suited nor accredited for the secondary use of health and social data. A restricted version of SD Desktop is provided for this purpose with the following limitations to the standard SD Desktop:

You have to create a separate CSC project in My.csc.fi portal for processing the health and social data and share the data permit via servicedesk@csc.fi (subject: SD Desktop)
No other CSC services, including other SD Services, are available for this CSC project.
No customization of the SD Desktop is possible (i.e. no custom or additional software is possible).
No user files and/or data can be transferred into SD Desktop (i.e. only data permit authority (Findata) authorised data is allowed).
Data export must be requested separately from servicedesk@csc.fi (subject: SD Desktop). The data permit authority (Findata) will scrutinize this request before data release.

These limitations are based on the regulation given by the data permit authority (Findata).

Certifications

SD Desktop is a certified environment for processing health and social data under the Finnish Act on the Secondary Use of Health and Social Data. Compliance with the regulations of the Finnish Social and Health Data Permit Authority (Findata) is ensured only when the service is used through a CSC Findata-type project, with a valid Findata or public register permit. No other CSC project type is permitted for this purpose.

More information available in the Astori register maintained by Valvira.

User content including personal data in the Service

SD Desktop is suitable for academic and research use according to CSC General Terms of Use and Policies.

This service is designed to process special categories of personal data. Users must assess whether the service is suitable for their intended purpose. If needed, they may consult their home organization’s data protection officer, legal advisor, or IT security specialist, using the documentation provided below to support their evaluation. Data controllers and their representatives are responsible for ensuring full compliance with European and national data protection regulations. If personal or sensitive data is transferred outside the European Economic Area (EEA), users must ensure a valid legal basis and full compliance with applicable data protection laws.

When users create a CSC project in the MyCSC portal and indicate that personal or sensitive personal data will be processed, they are required to:

review and accept CSC’s Personal Data Processing Agreement (DPA)
accept CSC’s Terms of Use

Additionally, users must complete the Description of processing activity form which captures essential details, including types of data processed, purpose and method of processing, security measures in place, identity of the data controller. This documentation is linked to the CSC project and guides CSC in fulfilling its role as a data processor. Users can update the form later if needed. See here for more information on Technical and Organizational Measures (TOMs) for protection of sensitive data in CSC SD Services.

The Service does not assert ownership or any intellectual property rights to users or customers organizations’ content in the services.

Client’s responsibilities

Users must comply with all applicable CSC’s Terms of Use when using the Service.

The client is responsible for:

Verifying data integrity during data transfer when uploading to the SD Desktop and ongoing data management.
Managing dataset imports and results exports from the secure environment, including applying additional protections such as pseudonymization of sensitive personal data or result’s anonymization.
Customizing and installing software on the virtual desktop, as well as managing computing tasks.
Efficiently managing virtual desktops (pausing, deleting, pausing) and volumes (attaching, detaching) when resources are no longer needed.
Requesting appropriate storage capacity for SD Desktop volumes and using appropriate computing option.
Handling backups independently, as the SD Desktop service does not include backup functionality.
Ensuring information security, including managing and reviewing CSC project members and controlling their access to the secure environment.
Ensuring compliance with all applicable laws and regulations for content processed in SD Desktop service.
Providing accurate and up to date information in the MyCSC portal.

Service producer’s responsibilities

The service producer ensures that the service is available to customers as described in the service description.

The service producer is responsible for producing and developing the Service.

Service producer

CSC – IT Center for Science Ltd.

Service provider