Published by Tiara Fairleigh. Modified over 9 years ago.
1
Pilot HRSS Pseudonymisation and Person Matching
An Outline of the Approach
Alan Barcroft
2
Pilot HRSS Background
Programme within the DH Research and Development Directorate and the NIHR Health Research Support Service (HRSS)
Pilot HRSS operational since January 2011
RCP and the Pilot Programme have worked closely with key stakeholders to promote acceptance/governance:
– NIGB/ECC
– NRES and the South East REC
– ICO through Privacy Impact Assessment (PIA)
– BMA
3
Key Pseudonymisation Principles
“Honest Broker” that processes identifiable data
– Both a Pseudonymisation Service
– and a Person Identification Service
Separation of Identity and Clinical data
– Both Inbound and Outbound
– “Identifying Data” and “Payload” (DD ISO 25237:2008)
Internal allocation of “HRSS ID” pseudonym unique to the Service
HRSS ID is encrypted on the Clinical side
Processing is automated
No direct access to the data by recipients - by bespoke delivery only
Secondary Study Anonymisation / Pseudonymisation of HRSS ID by encryption
– Different study outputs not intended for linkage cannot be unilaterally linked outside the Service
4
Pilot HRSS Infrastructure (inbound diagram): a Data Source delivers to an SFTP Landing area in the Outside World; inside HRSS, Person Information and Clinical Information are landed separately via PI SFTP and CI SFTP.
5
Pilot Data Sources
Hospital Episode Statistics
UK Renal Registry
ONS Death Registrations
SLaM
Thames Cancer Registry
CTSU ASCEND
NICOR: MINAP
NICOR: BCIS
MRIS
NHS CSP (Bowel)
PDS
6
Internal Pseudonymisation (diagram)
Patient Identifiers Server (ISO 25237: “Identifying Data”):
Global HRSS ID
– Internal to HRSS
– Meaningless without access to Index Decryption Keys
All other ID attributes
– Matching characteristics
– Other ID attributes
– Stored against HRSS ID
Master Patient Index / Interim Study Patient Index / Matching Processing
Clinical Information Server (ISO 25237: “Payload”):
Global HRSS Pseudonym
– Encrypted Global HRSS ID
– No route to IDs without key and access to Index
Interim Solution Study Pseudonym
– Delays with PDS
– Matching confidence
– Large volume persistent data
– Uses existing IDs (e.g. HES ID, Epikey)
– IDs are Encrypted
Obfuscated ID data (e.g. YoB)
Clinical data
7
Matching Characteristics
Automated Matching Characteristics
– NHS Number
– Date of Birth
– Name
– Postcode
– Gender / Sex
– Local Patient ID
Variety of matching criteria sets
– Notional decreasing confidence
– Assumes DBS is master (used operationally in the NHS for clinical records)
8
Matching Criteria Sets
1. Exact Traced NHS Number
2. Exact NHS Number and Date of Birth
3. Exact NHS Number and Partial Date of Birth, with Partial Name and Gender Check
4. Local Patient Identifier and Partial Date of Birth, with Partial Name and Gender Check
5. Exact Name, Date of Birth and Postcode, with Initial and Gender Check
6. Exact Date of Birth and Postcode, with Gender Check
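As an added illustration (not from the slides or the HRSS service), a Python sketch of the six criteria sets applied in order of decreasing confidence against a master index. The slides do not define "partial" date of birth or "partial" name, so the definitions used here (two of three date parts agree; surname agrees) are assumptions, as are the field names and the constructed index entries.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Person:
    nhs_number: str = ""
    nhs_traced: bool = False  # NHS Number confirmed by a DBS trace
    dob: str = ""             # YYYY-MM-DD, "" if unknown
    forename: str = ""
    surname: str = ""
    postcode: str = ""
    gender: str = ""          # "M" / "F", "" if unknown
    local_id: str = ""        # Local Patient ID from the data source
def _norm(s: str) -> str:
    return "".join(c for c in s.upper() if c.isalnum())
def _same(a: str, b: str) -> bool:
    # Exact match after normalisation; an empty value never matches anything
    return bool(_norm(a)) and _norm(a) == _norm(b)
def _partial_dob(a: str, b: str) -> bool:
    # Assumed definition of "partial": two of the three date parts agree
    return bool(a and b) and sum(x == y for x, y in zip(a.split("-"), b.split("-"))) >= 2

def match_level(inb: Person, idx: Person) -> Optional[int]:
    """Number of the first (most confident) criteria set satisfied, or None."""
    nhs, dob = _same(inb.nhs_number, idx.nhs_number), _same(inb.dob, idx.dob)
    surname, gender = _same(inb.surname, idx.surname), _same(inb.gender, idx.gender)
    partial_dob, postcode = _partial_dob(inb.dob, idx.dob), _same(inb.postcode, idx.postcode)
    if nhs and inb.nhs_traced and idx.nhs_traced:
        return 1   # 1. Exact Traced NHS Number
    if nhs and dob:
        return 2   # 2. Exact NHS Number and Date of Birth
    if nhs and partial_dob and surname and gender:
        return 3   # 3. NHS Number, partial DoB, partial name (surname) and gender check
    if _same(inb.local_id, idx.local_id) and partial_dob and surname and gender:
        return 4   # 4. Local Patient ID, partial DoB, partial name and gender check
    if surname and _same(inb.forename, idx.forename) and dob and postcode and gender:
        return 5   # 5. Exact name, DoB and postcode; the initial check is implied by the exact forename
    if dob and postcode and gender:
        return 6   # 6. Exact DoB and postcode with gender check
    return None

def best_match(inb: Person, index: list):
    """Index entry matched at the most confident (lowest-numbered) set, or (None, None)."""
    hits = [(lvl, rec) for rec in index if (lvl := match_level(inb, rec)) is not None]
    return (None, None) if not hits else min(hits, key=lambda h: h[0])[::-1]

# Constructed master index entries (not real people)
INDEX = [Person("TEST-0000001", True, "1970-03-12", "Jane", "Smith", "SE5 8AF", "F", "KCH-001"),
         Person("TEST-0000002", False, "1970-03-12", "John", "Smith", "SE5 8AF", "M", "KCH-002")]
```

A record that only fires set 6 lands on a different index entry than one carrying a traced NHS Number, which is why the set number should be stored alongside the match for later confidence review.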
9
Pilot HRSS Infrastructure (outbound diagram): Person Information and Clinical Information leave HRSS separately via PI SFTP and CI SFTP to an SFTP Landing area in the Outside World, from which the Study Owner collects them.
10
Pilot Study Owners
Phases I & II Pilot Study Owners
– Kings College London
– UK Renal Registry
– CTSU ASCEND
– NCIN / NHS CSP
11
A Study’s Outputs: External Pseudonymisation (diagram): each HRSS ID is mapped to a Group Pseudonym, shown for two groups.
Optional: dependent on approvals (ECC (S251), Patient Consent)
12
Any Questions?