Description: Pilot HRSS Pseudonymisation and Person Matching – An Outline of the Approach, Alan Barcroft (PowerPoint presentation).
Pilot HRSS Pseudonymisation and Person Matching
An Outline of the Approach
Alan Barcroft
Pilot HRSS Background
• Programme within the DH Research and Development Directorate and the NIHR
• Health Research Support Service (HRSS)
• Pilot HRSS operational since January 2011
• RCP and the Pilot Programme have worked closely with key stakeholders to promote acceptance/governance:
  – NIGB/ECC
  – NRES and the South East REC
  – ICO through Privacy Impact Assessment (PIA)
  – BMA
Key Pseudonymisation Principles
• “Honest Broker” that processes identifiable data
  – Both a Pseudonymisation Service
  – and a Person Identification Service
• Separation of Identity and Clinical data
  – Both Inbound and Outbound
  – “Identifying Data” and “Payload” (DD ISO 25237:2008)
• Internal allocation of “HRSS ID” pseudonym unique to the Service
• HRSS ID is encrypted on the Clinical side
• Processing is automated
• No direct access to the data by recipients - by bespoke delivery only
• Secondary Study Anonymisation / Pseudonymisation of HRSS ID by encryption
  – Different study outputs not intended for linkage cannot be unilaterally linked outside the Service
Pilot HRSS Infrastructure (INBOUND)
[Diagram: Data Source in the Outside World → SFTP → Landing; inside HRSS, PI SFTP Landing feeds Person Information and CI SFTP Landing feeds Clinical Information]
Pilot Data Sources
• Hospital Episode Statistics
• UK Renal Registry
• ONS Death Registrations
• SLaM
• Thames Cancer Registry
• CTSU ASCEND
• NICOR: MINAP
• NICOR: BCIS
• MRIS
• NHS CSP (Bowel)
• PDS
Internal Pseudonymisation

Patient Identifiers Server (ISO 25237: “Identifying Data”)
• Global HRSS ID
  – Internal to HRSS
  – Meaningless without access to Index
• Decryption Keys
• All other ID attributes
  – Matching characteristics
  – Other ID attributes
  – Stored against HRSS ID
• Master Patient Index
• Interim Study Patient Index
• Matching Processing

Clinical Information Server (ISO 25237: “Payload”)
• Global HRSS Pseudonym
  – Encrypted Global HRSS ID
  – No route to IDs without key and access to Index
• Interim Solution Study Pseudonym
  – Delays with PDS
  – Matching confidence
  – Large volume persistent data
  – Uses existing IDs (e.g. HES ID, Epikey)
  – IDs are Encrypted
• Obfuscated ID data (e.g. YoB)
• Clinical data
Matching Characteristics
• Automated Matching Characteristics
  – NHS Number
  – Date of Birth
  – Name
  – Postcode
  – Gender / Sex
  – Local Patient ID
• Variety of matching criteria sets
  – Notional decreasing confidence
  – Assumes DBS is master (used operationally in the NHS for clinical records)
Matching Criteria Sets
1. Exact Traced NHS Number
2. Exact NHS Number and Date of Birth
3. Exact NHS Number and Partial Date of Birth, with Partial Name and Gender Check
4. Local Patient Identifier and Partial Date of Birth, with Partial Name and Gender Check
5. Exact Name, Date of Birth and Postcode, with Initial and Gender Check
6. Exact Date of Birth and Postcode, with Gender Check
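The six criteria sets above, applied in order of decreasing confidence against a Master Patient Index, as an added illustration that is not code from the Pilot HRSS. The slide does not define “partial” date of birth, “partial” name, “traced” NHS number or the exact field normalisation, so those definitions (year-and-month, first four letters of surname, a traced flag on the incoming record, upper-casing and stripping punctuation), the Record fields and the sample index entries are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Record:
    nhs_number: str = ""
    nhs_traced: bool = False   # assumption: True once the NHS number was confirmed against DBS/PDS
    dob: str = ""              # ISO yyyy-mm-dd
    surname: str = ""
    forename: str = ""
    postcode: str = ""
    gender: str = ""
    local_id: str = ""

def _n(s: str) -> str:                            # upper-case, drop spaces and punctuation
    return re.sub(r"[^A-Z0-9]", "", s.upper())
def _eq(a: str, b: str) -> bool:                  # empty fields never match
    return bool(_n(a)) and _n(a) == _n(b)
def _partial_dob(a: Record, b: Record) -> bool:   # assumption: "partial" = year and month agree
    return bool(a.dob) and a.dob[:7] == b.dob[:7]
def _partial_name(a: Record, b: Record) -> bool:  # assumption: first four letters of surname agree
    return bool(_n(a.surname)[:4]) and _n(a.surname)[:4] == _n(b.surname)[:4]
def _initial(a: Record, b: Record) -> bool:       # forename initial agrees
    return bool(_n(a.forename)) and _n(a.forename)[0] == _n(b.forename)[:1]

# The six criteria sets from the slide, in decreasing order of confidence.
CRITERIA = [
    (1, lambda a, b: a.nhs_traced and _eq(a.nhs_number, b.nhs_number)),
    (2, lambda a, b: _eq(a.nhs_number, b.nhs_number) and _eq(a.dob, b.dob)),
    (3, lambda a, b: _eq(a.nhs_number, b.nhs_number) and _partial_dob(a, b)
        and _partial_name(a, b) and _eq(a.gender, b.gender)),
    (4, lambda a, b: _eq(a.local_id, b.local_id) and _partial_dob(a, b)
        and _partial_name(a, b) and _eq(a.gender, b.gender)),
    (5, lambda a, b: _eq(a.surname, b.surname) and _eq(a.dob, b.dob)
        and _eq(a.postcode, b.postcode) and _initial(a, b) and _eq(a.gender, b.gender)),
    (6, lambda a, b: _eq(a.dob, b.dob) and _eq(a.postcode, b.postcode) and _eq(a.gender, b.gender)),
]

def match_tier(incoming: Record, indexed: Record) -> Optional[int]:  # first set satisfied (1 = best) or None
    return next((tier for tier, test in CRITERIA if test(incoming, indexed)), None)
def find_match(incoming: Record, index: dict) -> Optional[tuple]:   # (hrss_id, tier) of best match or None
    hits = [(t, hid) for hid, rec in index.items() if (t := match_tier(incoming, rec)) is not None]
    return (min(hits)[1], min(hits)[0]) if hits else None

# Constructed sample index: HRSS IDs and person details are made up for this example.
INDEX = {
    "HRSS-0001": Record("1111111111", True, "1970-03-15", "Smith", "Anne", "SE5 8AF", "F", "KCH-123"),
    "HRSS-0002": Record("2222222222", True, "1985-11-02", "Patel", "Raj", "BS1 4DJ", "M", "UKRR-77"),
}
```

The tier returned with the HRSS ID is the "notional decreasing confidence" from the previous slide, so a study pipeline can decide which tiers it accepts rather than treating every match alike.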
Pilot HRSS Infrastructure (OUTBOUND)
[Diagram: inside HRSS, Person Information and Clinical Information feed PI SFTP Landing and CI SFTP Landing; outputs pass via SFTP Landing to the Study Owner in the Outside World]
Pilot Study Owners
• Phases I & II Pilot Study Owners
  – Kings College London
  – UK Renal Registry
  – CTSU ASCEND
  – NCIN / NHS CSP
A Study’s Outputs: External Pseudonymisation
[Diagram: for each study output the HRSS ID is replaced by a Group Pseudonym (two output groups shown); Optional: dependent on approvals – ECC (S251), Patient Consent]
Any Questions?