A proposed architecture and method of operation for improving the protection of privacy and confidentiality in disease registers

Background

Disease registers aim to collect information about all instances of a disease or condition in a defined population of individuals. Traditionally, methods of operating disease registers have required that notifications of cases be identified by unique identifiers such as a social security number or national identification number, or by ensembles of non-unique identifying data items, such as name, sex and date of birth. However, growing concern over the privacy and confidentiality aspects of disease registers may hinder their future operation. Technical solutions to these legitimate concerns are needed.

Discussion

An alternative method of operation is proposed which involves splitting the personal identifiers from the medical details at the source of notification, and separately encrypting each part using asymmetrical (public key) cryptographic methods. The identifying information is sent to a single Population Register, and the medical details to the relevant disease register. The Population Register uses probabilistic record linkage to assign a unique personal identification (UPI) number to each person notified to it, although not necessarily to everyone in the entire population. This UPI is shared only with a single trusted third party whose sole function is to translate between this UPI and separate series of personal identification numbers which are specific to each disease register.

Summary

The system proposed would significantly improve the protection of privacy and confidentiality, while still allowing the efficient linkage of records between disease registers, under the control and supervision of the trusted third party and independent ethics committees. The proposed architecture could accommodate genetic databases and tissue banks as well as a wide range of other health and social data collections.
It is important that proposals such as this are subject to widespread scrutiny by information security experts, researchers and interested members of the general public alike.
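The split-notification flow described in the Discussion, as an added simulation (this is not code from the paper). It assumes, beyond what the abstract states, that the source attaches a one-time ticket so the disease register can rejoin the two halves, that the trusted third party derives each register-specific PIN as an HMAC of the UPI under a per-register key, and that the probabilistic linkage is a simplified weighted field-agreement score; the public-key encryption of each half in transit is assumed and not shown.

```python
import hashlib, hmac, secrets

IDENT_FIELDS = ("surname", "given", "dob", "sex")

def _norm(value):  # canonicalise so case/punctuation differences still agree
    return "".join(ch for ch in str(value).lower() if ch.isalnum())

class PopulationRegister:
    """Sees the identifying half only; assigns a UPI by simplified probabilistic linkage."""
    WEIGHTS = {"surname": 4.0, "given": 2.0, "dob": 5.0, "sex": 1.0}  # agreement weights (assumed)
    THRESHOLD = 8.0  # dob + surname suffice; dob alone or names alone do not
    def __init__(self, ttp):
        self.people, self.ttp = {}, ttp
    def notify(self, ticket, ident, register):
        best, best_score = None, 0.0
        for upi, known in self.people.items():
            score = sum(w for f, w in self.WEIGHTS.items() if _norm(known[f]) == _norm(ident[f]))
            if score > best_score:
                best, best_score = upi, score
        if best_score < self.THRESHOLD:  # no convincing match: register a new person
            best = "UPI-" + secrets.token_hex(4)
            self.people[best] = dict(ident)
        self.ttp.translate(ticket, best, register)  # the UPI is shared with the TTP only

class TrustedThirdParty:
    """Translates UPI -> register-specific PIN (HMAC under a per-register key); holds no patient data."""
    def __init__(self, registers):
        self.registers = registers
        self.keys = {name: secrets.token_bytes(32) for name in registers}
    def translate(self, ticket, upi, name):
        pin = hmac.new(self.keys[name], upi.encode(), hashlib.sha256).hexdigest()[:16]
        self.registers[name].link(ticket, pin)

class DiseaseRegister:
    """Sees the medical half only, filed under the register-specific PIN."""
    def __init__(self):
        self.pending, self.records = {}, {}
    def notify(self, ticket, medical):
        self.pending[ticket] = medical
    def link(self, ticket, pin):
        self.records.setdefault(pin, []).append(self.pending.pop(ticket))

def notify_case(case, register_name, pop_reg, register):
    """At the source: split identifiers from medical details and route each half."""
    ticket = secrets.token_hex(8)  # one-time handle used to rejoin the two halves (assumed)
    ident = {f: case[f] for f in IDENT_FIELDS}
    medical = {k: v for k, v in case.items() if k not in IDENT_FIELDS}
    register.notify(ticket, medical)              # medical half -> disease register
    pop_reg.notify(ticket, ident, register_name)  # identifying half -> Population Register
    return ticket
```

Running two registers side by side shows the property the architecture is after: the Population Register holds no medical details, each disease register holds no identifiers, and the same person receives different PINs in different registers that only the trusted third party can relate.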
