Best Practices:

• Go to the local IRB and align your consent with what is possible in your local environment and be sure that the practices with regards to policy align with informed consent policies from your institution.
• Consult with the privacy officer on campus.
• Consider "right to be forgotten" policies, e.g., the GDPR, CCPA. Right to be forgotten refers to the right to have private information about a person be removed from Internet searches and other directories under some circumstances. 
• Have an explicit policy on how to deal with privacy issues.
• Understand the level of privacy you must maintain (PHI). The more dimensions you collect, the higher the chance of reidentification.
• Many believe that brain data can potentially be used to identify individuals and ought to be treated as such.
• Ensure that your data collection procedures do not unintentionally embed PHI in the files. For example, make sure that no participant name or birthdate information is used for registering participants at the scanner, as this data can become embedded in dicom files.
• Ideal if all operations are performed in the Cloud.  
• Be careful about downloading protected data onto your own systems, and if you do, ensure that they are secure and compliant with relevant privacy rules.
• Stay abreast of the changing regulatory environment.

Things to Avoid:

• Failure to ensure that the consent made with the participants meets your data analysis/sharing needs
• Assume that the policies you adhered to at the start of the project remain relevant throughout the project
• Making copies and using them external to the system

Value Set Definitions: 

• 1: Single copy + backups, no downloading
• >1 copy: Data stored in cloud but must maintain single version of record for legal, ethical, or technical reasons
• >1 copy+: Copies can be made and distribution rights can be granted

Value of Use Case Example:

>1 copy+ - Jordan is planning to share the data through NDA or another repository, but they want the data to be reusable (i.e., interoperable) by other platforms.

Discussion of Use Case:

Jordan will benefit from planning prospectively for the cost of sharing data and providing multiple copies both through the NDA and other repositories, and will need to ensure sufficient resources.