Pilot HRSS Pseudonymisation and Person Matching: An Outline of the Approach
Alan Barcroft
Pilot HRSS Background
• Programme within the DH Research and Development Directorate and the NIHR
• Health Research Support Service (HRSS)
• Pilot HRSS operational since January 2011
• RCP and the Pilot Programme have worked closely with key stakeholders to promote acceptance/governance:
  • NIGB/ECC
  • NRES and the South East REC
  • ICO through Privacy Impact Assessment (PIA)
  • BMA
Key Pseudonymisation Principles
• “Honest Broker” that processes identifiable data
  • Both a Pseudonymisation Service and a Person Identification Service
• Separation of Identity and Clinical data
  • Both Inbound and Outbound
  • “Identifying Data” and “Payload” (DD ISO 25237:2008)
• Internal allocation of “HRSS ID” pseudonym unique to the Service
  • HRSS ID is encrypted on the Clinical side
• Processing is automated
  • No direct access to the data by recipients; bespoke delivery only
• Secondary Study Anonymisation / Pseudonymisation of HRSS ID by encryption
  • Different study outputs not intended for linkage cannot be unilaterally linked outside the Service
Pilot HRSS Infrastructure: Inbound
[Diagram: a Data Source in the Outside World delivers via SFTP into separate HRSS landing areas for Person Information (PI) and Clinical Information (CI)]
Pilot Data Sources
• Hospital Episode Statistics
• UK Renal Registry
• ONS Death Registrations
• SLaM
• Thames Cancer Registry
• CTSU ASCEND
• NICOR: MINAP
• NICOR: BCIS
• MRIS
• NHS CSP (Bowel)
• PDS
Internal Pseudonymisation
[Diagram: Patient Identifiers Server and Clinical Information Server, with Matching Processing and Decryption Keys shown as separate elements]
Patient Identifiers Server (ISO 25237: “Identifying Data”)
• Master Patient Index: Global HRSS ID, internal to HRSS and meaningless without access to the Index; matching characteristics and all other ID attributes stored against the HRSS ID
• Interim Study Patient Index (Interim Solution: delays with PDS, matching confidence, large volume persistent data): uses existing IDs (e.g. HES ID, Epikey); IDs are encrypted
Clinical Information Server (ISO 25237: “Payload”)
• Global HRSS Pseudonym: encrypted Global HRSS ID; no route to IDs without key and access to Index
• Study Pseudonym
• Obfuscated ID data (e.g. YoB)
• Clinical data
Matching Characteristics
• Automated Matching Characteristics
  • NHS Number
  • Date of Birth
  • Name
  • Postcode
  • Gender / Sex
  • Local Patient ID
• Variety of matching criteria sets
  • Notional decreasing confidence
• Assumes DBS is master (used operationally in the NHS for clinical records)
Matching Criteria Sets
• Exact Traced NHS Number
• Exact NHS Number and Date of Birth
• Exact NHS Number and Partial Date of Birth, with Partial Name and Gender Check
• Local Patient Identifier and Partial Date of Birth, with Partial Name and Gender Check
• Exact Name, Date of Birth and Postcode, with Initial and Gender Check
• Exact Date of Birth and Postcode, with Gender Check
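An added illustration of the matching cascade on this slide together with the per-study pseudonymisation from the Key Pseudonymisation Principles slide; this is example code, not the Pilot HRSS's own. The record field names, the meaning of "partial" date of birth and "partial" name, the `traced` flag and the use of HMAC-SHA256 in place of encryption are all this example's assumptions.

```python
import hmac
import hashlib
# Field names below are this example's assumptions; the slides name the
# matching characteristics but give no record schema.
def eq(c, i, f):
    return c.get(f) is not None and c.get(f) == i.get(f)

def partial_dob(c, i):  # "Partial Date of Birth": assumed year and month agree
    return bool(c.get("dob")) and c["dob"][:7] == i.get("dob", "")[:7]

def partial_name(c, i):  # "Partial Name": assumed first three letters of surname agree
    return bool(c.get("surname")) and c["surname"][:3].lower() == i.get("surname", "")[:3].lower()

def initial(c, i):  # forename initial check
    return bool(c.get("forename")) and c["forename"][:1].lower() == i.get("forename", "")[:1].lower()

# Criteria sets from the slide, in order of notionally decreasing confidence.
CRITERIA_SETS = [
    ("exact traced NHS number", lambda c, i: bool(c.get("traced")) and eq(c, i, "nhs_number")),
    ("exact NHS number and DoB", lambda c, i: eq(c, i, "nhs_number") and eq(c, i, "dob")),
    ("exact NHS number, partial DoB, partial name, gender",
     lambda c, i: eq(c, i, "nhs_number") and partial_dob(c, i) and partial_name(c, i) and eq(c, i, "gender")),
    ("local patient ID, partial DoB, partial name, gender",
     lambda c, i: eq(c, i, "local_id") and partial_dob(c, i) and partial_name(c, i) and eq(c, i, "gender")),
    ("exact name, DoB, postcode, initial, gender",
     lambda c, i: eq(c, i, "surname") and eq(c, i, "dob") and eq(c, i, "postcode") and initial(c, i) and eq(c, i, "gender")),
    ("exact DoB and postcode, gender",
     lambda c, i: eq(c, i, "dob") and eq(c, i, "postcode") and eq(c, i, "gender")),
]

# Constructed Master Patient Index entries keyed by internal HRSS ID (sample data, not real).
MASTER_INDEX = {
    "HRSS-0001": dict(nhs_number="N-0001", dob="1970-03-14", surname="Smith", forename="Anne", postcode="BS1 1AA", gender="F", local_id="L-123"),
    "HRSS-0002": dict(nhs_number="N-0002", dob="1970-03-14", surname="Jones", forename="Beth", postcode="BS1 1AA", gender="F", local_id="L-456"),
}

def match(candidate, index=MASTER_INDEX):
    """Walk the criteria sets top down; accept the first set that picks out exactly
    one index entry. No unique hit at any level means no automated match."""
    for label, rule in CRITERIA_SETS:
        hits = [hid for hid, entry in index.items() if rule(candidate, entry)]
        if len(hits) == 1:
            return hits[0], label
    return None, None

def study_pseudonym(hrss_id, study_key):
    """Outbound study pseudonym: a keyed one-way transform of the HRSS ID. The slides
    say 'encryption'; HMAC-SHA256 is this example's stand-in. Different study keys
    give unlinkable pseudonyms, and without the key there is no route to the HRSS ID."""
    return hmac.new(study_key, hrss_id.encode(), hashlib.sha256).hexdigest()[:16]
```

The last candidate below matches two index entries on date of birth, postcode and gender alone, so the cascade declines rather than guess.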
Pilot HRSS Infrastructure: Outbound
[Diagram: HRSS delivers via SFTP from separate Person Information (PI) and Clinical Information (CI) landing areas to a Study Owner in the Outside World]
Pilot Study Owners
• Phases I & II Pilot Study Owners
  • Kings College London
  • UK Renal Registry
  • CTSU ASCEND
  • NCIN / NHS CSP
A Study’s Outputs: External Pseudonymisation
[Diagram: the HRSS ID in a study’s outputs is mapped to a Group Pseudonym]
• Optional: dependent on approvals (ECC (S251), Patient Consent)