ERDRI makes participating rare disease registries' data searchable at EU level and standardizes data collection and data exchange. Therefore, adding your registry to ERDRI will increase its value and ease its registration.
Go to the following link https://eu-rd-platform.jrc.ec.europa.eu to access the homepage of the EU RD Platform and click on the first image labeled “European Rare Disease Registry Infrastructure (ERDRI)”.
No. Upon clicking the yellow button “Access ERDRI tools”, you will be presented with two options: “Browse anonymously” or “Proceed to log in”. Use the “Browse anonymously” option if you do not have an account. However, this is a “read-only” option with limited access to information.
You can create an ERDRI account if you have a valid email address. Upon clicking the yellow button “Access ERDRI tools”, proceed by clicking the “Proceed to log in” button and follow the instructions. You can also view the “Logging into ERDRI” tutorial for more information.
To become a verified user, you need to have an EU Login account and to compile the verification form request. Once “verified” by the ERDRI team, you will be informed that you can enter data about your registry in ERDRI.dor and ERDRI.mdr.
On the start page of ERDRI.dor, click on the “Add registry” tab and complete the required information. This will take about 15 minutes. Note that you can only add registries if you already have a login account that has been verified. A verified user can add as many registries and he/she wishes in ERDRI.dor and become “owner” of those registries.
To add a registry to ERDRI.dor, you will need to provide at least some general information including the registry’s name, medical area, type, and description; rare disease(s) addressed by the registry; information on the structure of the registry including recruitment area, recruitment country, current number of cases, data source(s), number of data elements collected, and software used; some registry information including institution, department, address, and country; contact information of the responsible of the registry. Some fields are not obligatory but we encourage the registries to provide as much information as possible on their registries by filling in all the fields.
On the start page of ERDRI.dor, you have three ways to search for registries. First is by clicking a country on the map to view registries of that country. Second is by typing the registry’s name or description in the “Search” box and clicking the “Search” button. Third is by clicking the “Search” tab to start an advanced search. The “List all” button can also be used to list all registries saved in ERDRI.dor.
If you are logged in, you will be presented in the search results with the name of the registry, its description, medical area, country, and website. Clicking on a registry’s name will display further details about the registry. In case you are browsing anonymously, you will only be able to view registries’ names.
You can search for your registry in ERDRI.dor then click on the pencil symbol next to your registry’s details in the search results. However, you have to be a verified user to edit the content of your registry.
The “owner” of the registry (the person who has introduced the registry in ERDRI.dor) is the first to be granted access to the registry space of registry. Other “verified users” associated with a registry can also be granted access to the same registry space.
A new version of the dedicated excel file can be uploaded at any moment. If elements are removed, added or edited in this file, this is the version that will be published after upload. The versions are numbered increasingly every time you upload a new excel file with the registry’s updated metadata.
The registry namespace in ERDRI.mdr is indicated in ERDRI.dor in a specific field (filled in by the ERDRI administrators). The first contributor to the ERDRI.mdr namespace is automatically the registry “owner” in ERDRI.dor while additional “verified” users can be added as contributors for a given registry namespace.
SPIDER is the ERDRI pseudonymisation tool. It is available free of charge to all the rare disease registries participating in the European Platform on Rare Disease Registration that have inserted their information in the ERDRI.dor and the ERDRI.mdr.
SPIDER provides three main functionalities: pseudonym generation, allowing a registry to compute a series of unique pseudonyms for the same patient without allowing any other party to re-identify him/her; pseudonym linkage, allowing a registry to find a list of additional data sources for a specific patient, without disclosing the patient's identity; and encrypted pseudonymised data transfer, allowing registries to transfer pseudonymised data through end-to-end encrypted channels.
SPIDER is provided as a RESTful Software as a Service. To interact with the SPIDER services, the registry user must execute a SPIDER client. A web-based SPIDER client is available at the SPIDER web page for those registries that can’t develop their own one.
To access SPIDER, you must be a registry owner authorised by the ERDRI administrators or a verified user allowed by the registry owner. The registry owner can indicate the email addresses of the already verified users in a dedicated field in ERDRI.dor. Once you have reached the SPIDER web page, your browser acts as a stand-alone SPIDER client. You can log in via EU Login and insert the cryptographic archive file associated with your registry, as shown in video tutorial number 3.
A cryptographic archive file is a password-protected file that contains a private key, a public key and a public key certificate granted by the SPIDER Public Key Infrastructure (PKI). It has p12 extension and is compliant with the PKCS#12 standard.
Cryptographic archives allow to use asymmetric encryption in SPIDER. While the private keys are kept secret, the public keys are distributed to all the other participants. The information encrypted with a public key can be decrypted only with the corresponding private one and vice-versa. Currently, SPIDER adopts the RSA-4096 cryptosystem.
In SPIDER, whenever a registry user sends a message to another registry, the private key of the sender is used to digitally sign the message, while the public key of the recipient is used to encrypt it. This way, message integrity, authentication and confidentiality are guaranteed. For more information, please refer to the SPIDER presentation video.
To generate a cryptographic archive for your registry, you must be the registry owner. The procedure is composed of two steps: first, you generate locally a password-protected private key with your SPIDER client and send, at the same time, a certificate signing request containing the corresponding public key to the ERDRI administrators; then, once received the public key certificate granted by the SPIDER PKI, you can bundle it together with the private key in the cryptographic archive. This procedure is simple and must be done just once. The video tutorial number 1 shows it step-by-step.
A private key shall always be stored in an encrypted form. This way, in case an unauthorised person obtains it, s/he cannot decrypt and use it. The encryption algorithm used to protect private keys and, once generated, the cryptographic archive files is AES-256-CBC with PBKDF2 for key derivation.
P12 and passwords shall be shared between users belonging to the same registry. Typically, each organization establishes the procedures that must be followed to share sensitive information. For example, one strategy might be to share a P12 file by storing it in a corporate network folder accessible to authorized personnel only. Passwords may be communicated via secure instant messaging solutions and stored in password managers.
If your private key has been compromised or you suspect it has been compromised you shall immediately contact the ERDRI administrators, who will immediately revoke the associated public key certificate. You will then be able to generate a new cryptographic archive for your registry.
No. The private keys and the cryptographic archive files that contain them are generated locally, at client side, via the SPIDER client software that is executed by the registry user. These files are never transmitted to any other party, including the SPIDER services. As a consequence, there is no way to recover them.
When exchanging encrypted pseudonymised data among rare disease registries, the information in ERDRI.dor is used to select the recipient, while the information in ERDRI.mdr is used to describe the data that is requested or sent.
In the current version of the web-based SPIDER client that we provide, yes. A feature allowing a user to show patients to a chosen subset of other users in the same registry will be added in future releases.
The data that a user inserts in the SPIDER client is kept in the SPIDER client’s memory. Since a SPIDER client is executed at the registry side, data never leaves the registry. Therefore, when you use our web-based SPIDER client, this data is stored in the web browser memory. To avoid losing your work when you close your browser, all your client data is encrypted at the client side and saved in the SPIDER synchronization server. However, no one except those who have the P12 file and know its protecting password can decrypt this data. If you decide to build your own SPIDER client or plug-in, you can take advantage of the synchronization services that your registry software already uses.
When you enter patient data in the SPIDER client, it remains in the SPIDER client until you delete it. Once you insert a new patient in the SPIDER client, you might be interested in finding additional data sources for that patient leveraging on the pseudonym linkage functionality of SPIDER. To this goal, the SPIDER client allows you to trigger data lookups and receive, as an answer, the list of registries that have additional data on that patient. The lookup functionality depends on a token, called “authorisation token”, which expires after a predefined amount of time. When this happens, you can click the “refresh authorisation token” button and go on taking advantage of the pseudonym linkage functionality. You can find more information on SPIDER video tutorial 10 – find additional data sources for a patient.
When you insert data in the web-based SPIDER client via a CSV file, this file shall be shaped in such a way that each row refers to a patient and each column refers to a metadata variable that you entered in the metadata repository of ERDRI. More precisely, a column header shall have the same name of a variable name in the ERDRI.mdr. Additionally, there are four columns called first_name, last_name, date_of_birth and pseudonym that allow you to refer to a patient either using the patient’s identity (first_name, last_name, date_of_birth) or one of the pseudonyms you computed for that patient (pseudonym). Therefore, if your registry software allows you to export all your patient’s data in a CSV file, you can add all data in the SPIDER client after checking the column header names. You can find more information on SPIDER video tutorial 7 – enter medical data of a patient list.
The web-based SPIDER client allows you to download a backup of all the data that is stored in the client (Centre database) in a strongly encrypted form. This file cannot be used outside the SPIDER client and cannot be decrypted without the cryptographic archive and its protecting password. The main purpose of this file is to recover data after a disaster, such as the SPIDER synchronisation service losing all the stored data. However, you could use it also to revert your data to a previous state.