The figure below shows the main software systems, their exposed APIs, and the human actors whose actions and communication are covered by the Protocol.

Actors:

• the Citizen who shares his/her data;
• the PI of the Study who uploads the study on the Central Node for publishing;
• the Central Node Administrator who actually publishes the studies;
• the PI of each participating Research Centre.

Systems:

• the S-EHR App, through which the Citizen expresses his/her consent and shares health data;
• the Central Node, on which RDDs are published and are downloadable by the S-EHR App;
• the Research Centre Information System of each participating research centre, to which participating citizens are attached and to which they send their health data.

Interfaces:

• the RDDI (Research Definition Document Interface) through which RDDs are downloaded by the S-EHR App;
• the RDSI (Research data Sharing Interface) through which consent to data sharing is expressed and health data are securely transmitted.

Human-Computer Interfaces and Use Cases

This section describes the user interfaces that are part of the Protocol, from a high-level functional perspective of use cases. The Protocol covers the interactions of the Citizen, the PI of the Study, and the Central Node Administrator with the system, as well as the interactions of the PI of the RC, who oversees the participation of local citizens in multi-centric studies.

The Citizen / S-EHR App Interface

• OPT-IN to future participation: the Citizen sets his/her status on the smartphone as “interested” in participating in future studies. Before doing so, the Citizen is informed of what this entails (namely, the silent verification of enrollment criteria on his/her phone by accessing his/her health data). This allows the phone regularly to retrieve information about studies.
• Get informed of new studies and their conditions: the Citizen is informed about every study for which his/her health data meet the eligibility criteria, including the purpose and details of the study, the data collected, etc.
• Acceptance of ENROLMENT into study: the Citizen formally accepts to participate in a given study.
• WITHDRAWAL from study: the Citizen formally signals the decision to stop sending data for a given study.
• OPT-OUT from participation: the Citizen sets his/her status on the smartphone as “not interested” anymore in participating in future studies.

The PI of the Study / Central Node Interface

• Authenticate: the PI of the Study or the Central Node Administrator connect to the study management system of the Central Node and authenticate themselves.
• Upload RDD of new study for publishing: the PI of the Study uploads onto the Central Node the formal definition of a new study in the form of an RDD file.
• Publish and manage uploaded studies: the Central Node Administrator reviews uploaded studies, authorizing or refusing to publish them to be accessible by all citizens who have opted in to future studies.
• Audit study: the PI of the Study reviews the logs of enrollment, data retrieval, and withdrawal operations collected during the period of the study.

The PI of the Research Centre / Research Centre Interface

• Authenticate: the PI of the Research Centre logs into the administration system of the Research Centre.
• Consult study participation statistics: the PI of the RC displays aggregate statistics about the participants (enrollments, withdrawals, etc.) to a given study who are attached to his/her research centre.
• Consult logs of citizen participation to study: the PI of the RC reviews detailed per-patient operations that were logged by the RC system.

Programming Interfaces

Central Node

The Central Node provides the services exposed through the Research Dataset Definition Interface (RDDI), through a library called RDDI-Service. It also uses the RDS-Security library to secure the RDDI communication channel. RDDI is a RESTful interface.

Table 3.1: Methods of the RDDI Interface

RDDI	Caller	Input Parameters	Return value	Description
submitStudy	Research Portal	RDD rdd, int principalInvestigatorID	boolean	Allows a Principal Investigator to submit (upload) a new study onto the Central Node, in the form of a Research Definition Document. Returns true on success.
getOpenStudies	RDS-Logic through RDDI-Client	void	SignedRDDList openStudies	Allows a S-EHR App to retrieve the digitally signed list of currently open studies, to which enrollment is possible. Returns a list of RDDs, each describing a study.

Research Centre Information System

The Research Centre Information System provides the services exposed through the Research Data Sharing Interface (RDSI), through a library called RDSI-Service. It also uses the RDS-Security library to secure the RDSI communication channel. RDSI is a RESTful interface.

Table 3.2: Methods of the RDSI Interface

RDSI Endpoint	Caller	Input Parameters	Return value	Description
sendEnrollmentConsent	RDS-Logic through RDSI-Client	int studyID, Patient citizenIdentification int citizenPseudonym, String signedConsent, int sehrAppId	SignedContract	Send the Citizen’s electronically signed consent of enrolling into a specific study. The consent also includes personal identification information on the citizen (represented here as a “Patient” data object), the newly generated study-specific pseudonym, as well as the SEHR App ID. The receiving RC checks the signature validity of the signedConsent, signs and returns the contract signed by both parties
sendExitNotification	RDS-Logic through RDSI-Client	int studyID, int citizenPseudonym, ExitReason reason, String citizenSignature	boolean	Send a notification that the Citizen is exiting a study due to the exit criteria being met. ExitReason can be: enrollment criteria negative, exit criteria positive. Returns true on success.
sendWithdrawal	RDS-Logic through RDSI-Client	int studyID, int citizenPseudonym, String citizenSignature	boolean	Send a notification that the Citizen is withdrawing from an ongoing research study. Returns true on success.
sendHealthData	RDS-Logic through RDSI-Client	int studyID, int citizenPseudonym, Encrypted fhirBundle	boolean	Allows a S-EHR App to send citizen health data to the RRC. The receiving RC decrypts the Encrypted bundle and retrieves the FHIR bundle. Returns true on success.