For importing data, data processing in the iFIND project, etc., users currently do not use their own account but instead use the hnadmin profile because it seems that is the only account that can access super-user privileges, i.e. is included in the sudoers file.

This means that if users need to run certain commands as the root user, we are less able to accurately monitor and audit user actions, resource usage, etc.

I suggest we:

• Update the sudoers file so that certain users who require super-user privileges can do so via their own user profile rather than the hnadmin user profile
• Identify which commands can/should be run by certain users, rather than only the root user, such as the data processing commands in the iFIND project

We should add an SOP for importing data from/into XNAT.

https://bitbucket.org/icrimaginginformatics/roiuploadassistant/src/master/

We should create separate user accounts and add these to the sudoers file so that we can better track:

• Who needs access to root privileges
• Which user is accessing root privileges, i.e. versus multiple users using the hnadmin account

This can be similar to GSTT's support accounts, e.g. GSTT\Suprt_<username>, which are used for sysadmin purposes.

This will help us do data quality checks en masse

Since we host multiple applications on the headnode it would be easier to access non-XNAT applications if we could direct HTTP traffic on the headnode to multiple apps. We can do this by placing a reverse proxy such as nginx on the default HTTP ports 80/443 and redirecting based on the given URL.

We have requested a number of different URLs to be added to the GSTT DNS to facilitate accessing certain applications, such as the radiation safety URLs. We have also requested a generic csc.gstt.nhs.uk DNS entry so we can redirect to different applications using subdomains, this means we won't need to update the GSTT DNS every time we add/remove an application.

The diagram below shows this schematically:

We will still have the sp-pr-flipml01 URL which can redirect through nginx to XNAT, so no process changes should be needed.

@dangerdika, @hshuaib90, @heyhaleema, can you see any issues with this approach? Ideally we would set up a test proxy first before modifying XNAT. I think we could do this on the dgx which has equivalent networking (but no DNS entry currently) or we could do it on a different head node port.

This is to keep track of issues and solutions we find that may recur and which can be shared with other users

Current method of querying rest API which retrieves the JSON of corresponding PACS matches allows an upload of approximately 100 queries at a time, else it times out. We need to be able to run queries of 1000 or more.

An interactive calculator should be added to a widely-accessible space, e.g. the CSC website, to enable XNAT data requestors to input details about their request and receive a rough estimate of the timelines and costs applicable.

Examples:

• AWS Pricing Calculator
• Microsoft Azure Pricing Calculator

We should add an easily-accessible calendar, e.g. to the CSC website, to display what days and time slots are reserved for certain pieces of XNAT work, as well as a guide on how to do so.

So they can be shown to trainees during training for illustrative purposes

We should install the XNAT ML Plugin, particularly for the data labelling functionality in the XNAT OHIF Viewer.

We should create a develop branch and release/ branches to keep track of what processes, scripts, etc. were used when.

If you try to open the anonymisation scripts from the links in the README, you get a 404.

https://github.com/GSTT-CSC/XNAT#de-identification-via-qr

Think they should be relinked to here:

https://github.com/GSTT-CSC/XNAT/tree/main/xnat-csc/helpers

Similar to the QMS, we should automate how we track and report on XNAT projects, data processed and transferred.

This will allow us to make modality-specific scripts, cleaning up dicom tags and making the anonymisation process faster and more transparent

We should add an FAQ section to the repo and ideally, the CSC website as well.

I think this should include questions related to gaining access to XNAT and the Secure Enclave, setup, XNAT-related governance and data processing.

We should add an SOP for face masking.

We should add scripts to query CogStack as an alternative to using the GUI.

There are quite a few scripts now so clear instructions should be added for each. Some are already covered in other SOPs and can be references from the script SOP

we need to write an SOP for incident reporting, set up a channel for incident reporting, and set up a way to audit incidents - particularly if unanonymised data is found in data we sent elsewhere.

Currently, we have several manually-created anonymisation scripts in this repo here (based on XNAT official guidance here). Since different projects may require different combinations of tags to be anonymised, and potentially specific anonymisation requirements per tag, it would be helpful to have a script that can produce this based on an input file e.g., required deanonymised tags.

We should use direct REST API calls to XNAT instead of using the JSON response files in report.py.

To have better name & handle ' in patient names

is there a good reason why this is private? this could be great resource for others in NHS looking to replicate our environment.

Currently this throws an error which leads to the scan not being ingested

This may be a good time to re-name the script to something sensible too

We should add an SOP for checking the data post-XNAT import.

We should add scripts to query PIMS for demographic details (mainly NHS numbers for National Data Opt Out compliance).

We need an SOP for this!

We should add an SOP for XNAT access requests to the repo and ideally, the CSC website as well. This could also be included in/based on the QMS repo and as a template on this repo.

I think this should include details required in the initial access request, any required training and information governance, and the applicable role-based access control (RBAC).

For example:

• Which project(s) does the request cover?
• What are the contact details of the user?
• How long is access required?
• What type of data is required?
• What is the volume of data required?
• What is the expected access frequency/schedule?

It keeps throwing errors relating to repeated SOP instance in the 2 images which are overlayed

See release notes here.