Wireless access Nottingham, 23 rd April 2013 Pseudonymisation workshop.

Slides:

Advertisements

Similar presentations

Public Key Infrastructure and Applications

Advertisements

NIGB International Data Sharing Conference Oxford Tuesday 21 st September 2010 National Information Governance Board Alan Doyle - Director Karen Thomson.

NIGB Legal requirements for use of personal data in research OnCore UK / NRES Training workshop Ethical Principles relating to consent for use of samples.

NIGB Information Governance and Confidentiality Clinical Audit and Improvement Conference February 2011 Karen Thomson Information Governance Manager.

NATIONAL INFORMATION GOVERNANCE BOARD

NIGB NATIONAL INFORMATION GOVERNANCE BOARD Harry Cayton, Chair, National Information Governance Board.

Agenda Problem Existing Approaches The e-Lab Is DRM the solution?

Rev.DescriptionAuthorDate 0.0First draftDavid Stone14/07/10 0.1ReviewPhil Walker Magi Nwoli Tony Heap Vanessa Kaliapermall 15/07/10 1.0FinalDavid Stone18/07/10.

The Data Linkage Service 1. New service launched in September 2012 Brought together two established data linkage services with over 50 years’ experience.

Health Information Supplier Forum ‘Open data, a platform for change’ Garry Coleman, Health & Social Care Information Centre.

Clare Sanderson Executive Director of Information Governance The NHS Information Centre for health and social care.

Introducing the Administrative Data Research Network Tanvi Desai.

Open Pseudonymiser Project Julia Hippisley-Cox,

Methods repositories use to protect subjects Roger Aamodt, Ph.D. Resources Development Branch, National Cancer Institute.

Pseudonymisation at source “preserving patient confidentiality & public trust in doctors” Julia Hippisley-Cox 11 th July 2013 BMA House JGPIT.

Confidentiality, Ethics, Privacy, and Access REPORT FROM CONFIDENTIALITY, ETHICS, PRIVACY AND ACCESS Group B.

Western Australian Emergency Medicine Research Online WAEMRO Dis-integrating healthcare information systems Professor Peter Sprivulis MBBS PhD FACEM FACHI.

Data Linkage Service Garry Coleman, Health and Social Care Information Centre.

Open Pseudonymisation Project Julia Hippisley-Cox,

Project Update : Claims/Clinical Linkage Project MHDO Board of Directors June 6, 2013.

Information Sharing Options Phil Walker. Outline I have been asked to present a range of options for lawful data sharing. There is unlikely to be one.

RESEARCHERS‘ ACCESS TO HEALTH DATA – FACTS AND CHALLENGES Metka Zaletel National Institute of Public Health 24 March 2015.

EUropean Best Information through Regional Outcomes in Diabetes Privacy and Disease Registries Technical Aspects Peter Beck JOANNEUM RESEARCH, Austria.

ISB Notice and preparing for the implementation of the new IAPT Data Standard Shaun Crowe Mental Health, Employment and IAPT Mental Health Collaborative.

CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

The Nuffield Council on Bioethics Report : The collection, linking and use of data in biomedical research and health care: ethical issues. Martin Richards.

Research Databases for NRES London 29 th Feb 2012.

What’s new in Q new tools for commissioning & early diagnosis Professor Julia Hippisley-Cox EMIS NUG, Warwick 2011.

1 1 General preconditions Training workshop on ¨censuses using administrative registers in Geneva 21 May 2012 Harald Utne, Statistics Norway

Warren County Middle School Business And Information Technology Program “ A Different Approach”

Open Pseudonymisation workshop Nottingham 22 nd Sept 2011.

Open Data Platform Supplier Forum 13 January 2012.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Care.data: listening to you Robin Burgess Regional Head of Intelligence

Component 4: Introduction to Information and Computer Science Unit 2: Internet and the World Wide Web 1 Component 4/Unit 2Health IT Workforce Curriculum.

EXCiPACT TM EXCiPACT TM International Pharmaceutical Excipients Certification Minimize risks – maximize benefits.

Discussion of the main data management or database building issues that may be involved in the early stages of designing a new multicentre, clinical trial.

Calculating Quality Reporting Service – an introduction Chris Brown CQRS Design, Build and Test Project Manager 05 September 2012.

Patient Data Security and Privacy Lecture # 7 PHCL 498 Amar Hijazi, Majed Alameel, Mona AlMehaid.

Julia Hippisley-Cox University of Nottingham June 2013 Open Pseudonymisation.

Introduction to the Summary Care Record (SCR)

Professor Julia Hippisley-Cox GP Clinical Epidemiologist Director QResearch Director ClinRisk Ltd Member ECC NIGB London July 2011.

Europe's work in progress: quality of mHealth Pēteris Zilgalvis, J.D., Head of Unit, Health and Well-Being, DG CONNECT Voka Health Community 29 September.

LINKING THIN to HES – POISONED CHALICE OR HOLY GRAIL? April 2013.

Name Position Organisation Date. What is data integration? Dataset A Dataset B Integrated dataset Education data + EMPLOYMENT data = understanding education.

Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.

Protecting Privacy “Most people have figured out by now you can’t do anything on the Web without leaving a record” - Holman W. Jenkins, Jr

DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.

Professor John Bacon-Shone Director, Social Sciences Research Centre & Chair, Human Research Ethics Committee The University of Hong Kong Re-identification.

1 Open Data Platform. Context 2 Accounts for £29bn worth of commissioned care services National Government Statistics Parliamentary Questions Benchmarking.

Twelve Guiding Principles for the Regulation of Surveillance Camera Systems Presented by: Alastair Thomas Date: 23 rd October 2013.

Access to data for local authority public health AGW Public Health Network Training Event: Public Health Data, Information and Intelligence 11 th November.

Hasib Aftab Head of IT & Systems, Camden CCG Risk Stratification.

Creating Open Data whilst maintaining confidentiality Philip Lowthian, Caroline Tudor Office for National Statistics 1.

FORUM GUIDE TO SUPPORTING DATA ACCESS FOR RESEARCHERS A STATE EDUCATION AGENCY PERSPECTIVE Kathy Gosa, Kansas State Department of Education.

National Programme for Information Technology The Secondary Uses Service Jeremy Thorp Director of Business Requirements Technology Office.

Medical data: privacy, anonymity, and security What can we learn from the furore around the NHS data sharing plans (“care.data”)? Dr Eerke Boiten Director,

NILS Security Access to the NILS for approved researchers working on approved projects only. NILS micro-data can only be accessed in the Safe Setting -

Pseudonymisation at source “preserving patient confidentiality & public trust in doctors” Julia Hippisley-Cox & Hasib Ur Rub Richmond House 29 th Nov 2013.

PROMs Martin Orton – NHS Information Centre. Overview PROMs Overview IC’s central role in implementation –Matching & linking to HES & NJR –Applying the.

NHS Health Check. NHS Information Centre for Health and social care  Mark McDaid – Project Manager  Martin Hepplestone – Business Analyst ( starts August.

CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.

POLICIES & PROCEDURES FOR HANDLING CONFIDENTIAL INFORMATION NOVEMBER 5 TH 2015.

Administrative Data Centre (ADC) ……. a GDPR ready data hub?

NETWORK SECURITY Cryptography By: Abdulmalik Kohaji.

HIPAA Security Standards Final Rule

Pseudonymised Matching: Robustly Linking Molecular and Prescription Data to Cancer Registry Data in England Brian Shand, Fiona McRonald, Katherine Henson,

Presentation transcript:

wireless access Nottingham, 23 rd April 2013 Pseudonymisation workshop

My roles 1.Academic 2.NHS GP 3.Co-Director QResearch database with Shaun O’Hanlon from EMIS 4.Director ClinRisk Ltd 5.Member of Confidentiality Advisory Group, HRA

Introductions Introduce ourselvesIntroduce ourselves 1.Our organisation 2.What do we want to get from the meeting

Key objectives for safe data sharing Patient and their data Minimise risk Privacy Maximise public benefit Maintain public trust

Three main options for data access Patient and their data Minimise risk Privacy Maximise public benefit Maintain public trust consent Pseudo nymisation S251statute

Policy context Transparency AgendaTransparency Agenda Open DataOpen Data Caldicott2Caldicott2 Benefits of linkage for (in order from document)Benefits of linkage for (in order from document) IndustryIndustry ResearchResearch commissionerscommissioners PatientsPatients service usersservice users publicpublic

Objectives Open common technical approach for pseudonymisationOpen common technical approach for pseudonymisation allows individual record linkage BETWEEN organisationsallows individual record linkage BETWEEN organisations WITHOUT disclosure strong identifiersWITHOUT disclosure strong identifiers Inter-operabilityInter-operability Voluntary ‘industry’ specificationVoluntary ‘industry’ specification One of many approachesOne of many approaches

Ground rules: all outputs from workshop PublishedPublished OpenOpen Freely availableFreely available Can be adapted & developedCan be adapted & developed Complement existing approachesComplement existing approaches

Big Data or Big Headache Need to protect patient confidentialityNeed to protect patient confidentiality Maintain public trustMaintain public trust Data protectionData protection Freedom of InformationFreedom of Information Information GovernanceInformation Governance ‘safe de-identified format’‘safe de-identified format’

Assumptions for today Pseudonymisation is desired “end state” for data sharing for purposes other than direct carePseudonymisation is desired “end state” for data sharing for purposes other than direct care Legitimate use of dataLegitimate use of data legitimate purpose legitimate purpose legitimate applicant or organisation legitimate applicant or organisation Ethics and governance approval in placeEthics and governance approval in place Appropriate data sharing agreementsAppropriate data sharing agreements

Working definition of pseudonymisation for today Technical process applied to identifiers which replaces them with pseudonymsTechnical process applied to identifiers which replaces them with pseudonyms Enables us to distinguish between individual without enabling that individual identifiedEnables us to distinguish between individual without enabling that individual identified Either reversible or reversibleEither reversible or reversible Part of de-identificationPart of de-identification

Identifiable information person identifier that will ordinarily identify a person:person identifier that will ordinarily identify a person: NameName AddressAddress DobDob PostcodePostcode NHS numberNHS number telephone notelephone no (local GP practice or trust number)(local GP practice or trust number)

Open pseudonymiser approach Need approach which doesn’t extract identifiable data but still allows linkageNeed approach which doesn’t extract identifiable data but still allows linkage Legal ethical and NIGB approvalsLegal ethical and NIGB approvals Secure, ScalableSecure, Scalable Reliable, AffordableReliable, Affordable Generates ID which are Unique to projectGenerates ID which are Unique to project Can be used by any set of organisations wishing to share dataCan be used by any set of organisations wishing to share data Pseudonymisation applied as close as possible to identifiable data ie within clinical systemsPseudonymisation applied as close as possible to identifiable data ie within clinical systems

Pseudonymisation: method Scrambles NHS number BEFORE extraction from clinical systemScrambles NHS number BEFORE extraction from clinical system Takes NHS number + project specific encrypted ‘salt code’ One way hashing algorithm (SHA2-256) – no collisions and US standard from 2010 Applied twice - before leaving clinical system & on receipt by next organisation Apply identical software to second datasetApply identical software to second dataset Allows two pseudonymised datasets to be linkedAllows two pseudonymised datasets to be linked Cant be reversed engineeredCant be reversed engineered

Web tool to create encrypted salt: proof of concept Web site private key used to encrypt user defined project specific saltWeb site private key used to encrypt user defined project specific salt Encrypted salt distributed to relevant data supplier with identifiable dataEncrypted salt distributed to relevant data supplier with identifiable data Public key in supplier’s software to decrypt salt at run time and concatenate to NHS number (or equivalent)Public key in supplier’s software to decrypt salt at run time and concatenate to NHS number (or equivalent) Hash then appliedHash then applied Resulting ID then unique to patient within projectResulting ID then unique to patient within project

Openpseudonymiser.org Website for evaluation and testing withWebsite for evaluation and testing with Desktop applicationDesktop application DLL for integrationDLL for integration Test dataTest data DocumentationDocumentation Utility to generate encrypted salt codesUtility to generate encrypted salt codes Source code GNU LGPLSource code GNU LGPL

Key points Pseudonymisation at sourcePseudonymisation at source Instead of extracting identifiers and storing lookup tables/keys centrally, then technology to generate key is stored within the clinical systemsInstead of extracting identifiers and storing lookup tables/keys centrally, then technology to generate key is stored within the clinical systems Use of project specific encrypted salted hash ensures secure sets of ID unique to projectUse of project specific encrypted salted hash ensures secure sets of ID unique to project Full control of data controllerFull control of data controller Can work in addition to existing approachesCan work in addition to existing approaches Open source technology so transparent & freeOpen source technology so transparent & free

Qresearch data linkage projects Link HES, Cancer, deaths to QResearchLink HES, Cancer, deaths to QResearch NHS number complete and valid in > 99.7%NHS number complete and valid in > 99.7% Successfully applied OpenPSuccessfully applied OpenP - Information Centre - Information Centre - ONS cancer data - ONS cancer data - ONS mortality data - ONS mortality data - GP data (EMIS systems) - GP data (EMIS systems)

QAdmissions New risk stratification tool to identify risk emergency admissionNew risk stratification tool to identify risk emergency admission Modelled using GP-HES-ONS linked dataModelled using GP-HES-ONS linked data Can apply to linked data or GP data onlyCan apply to linked data or GP data only NHS number complete & valid 99.8%NHS number complete & valid 99.8% 97% of dead patient have matching ONS deaths record97% of dead patient have matching ONS deaths record High concordance of year of birth, deprivation scoresHigh concordance of year of birth, deprivation scores