Pseudonymisation and RBAC - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Pseudonymisation and RBAC
  • Dr Jonathan Fistein
  • 21st February 2006

2
Overview
  • Where are we?
  • How did we get here?
  • Where do we need to be?
  • How do we get there?

3
Where are we?
4
Peter Paul Rubens. Daniel in the Lions' Den.
1615. Oil on canvas. The National Gallery of
Art, Washington, DC, USA.
5
Reactions
  • Recognition of the positive
  • "You are building the biggest epidemiological
    database the world has ever seen"
  • "SUS represents a quantum leap for public health"
  • However, many concerns
  • "If we are provided with pseudonymised data we
    won't be able to carry out our analyses"
  • "We need clear data in order to be able to link
    between data sets"

6
Reactions
  • However, many concerns
  • "The tools in SUS will never be sophisticated
    enough for us, so we'll need clear data"
  • "We have developed tools and techniques over many
    years and we don't want to lose these"
  • "How can we link to datasets not on SUS?"
  • "Will people consent to having their data on SUS,
    and what is the consent model anyway?"
  • And many more

7
How did we get here?
8
Pseudonymisation Impact Assessment Study
  • Purpose
  • commissioned by the SUS Project Board
  • to examine the potential impact of
    Pseudonymisation on the business processes
    carried out by Secondary Data Users in the NHS

9
Pseudonymisation Impact Assessment Study (PIAS)
  • Context
  • SUS was to replace the current NHS Wide Clearing
    Service (NWCS) by April 2006
  • SUS will take place in the policy context of the
    Care Record Guarantee (CRG) and the NHS Code of
    Practice for Confidentiality.

10
PIAS Context: The Care Record Guarantee
  • Reflects the legislative framework and guidance
    to the NHS through which patient data is
    collected, stored and managed.
  • It incorporates statutory and common-law
    principles of confidentiality.

11
PIAS Context: The Care Record Guarantee - Principles
  • The use of patient identifiable data for purposes
    other than direct care is allowed only in certain
    circumstances, i.e.:
  • Where there is a statutory requirement or court
    order allowing access to the data
  • For healthcare purposes where there is a clinical
    need to share data between different sites
  • For other medical purposes (including research
    and commissioning) if the data use is essential
    and appropriate according to the Caldicott
    guidelines, and if the patient has given explicit
    consent, or where access is approved under s60
    HSCA 2001 and the patient does not object, or
    when it is in the Public Interest.
  • For non-medical purposes where the need is
    essential and appropriate and the patient has
    given explicit consent, or it is in the public
    interest and a condition of Sch.3 DPA 1998 is
    satisfied.
  • In all other cases, patient data must only be
    used in a non-identifiable form.

12
PIAS Context: Confidentiality, the NHS Code of Practice
  • Published by the Department of Health following a
    major public consultation with patients, carers
    and citizens, the NHS, other health care
    providers, professional bodies and regulators.
  • Drafted and delivered by a working group made up
    of key representatives from these areas.
  • Endorsements from the Information Commissioner,
    GMC, BMA, MRC

13
Confidentiality: NHS Code of Practice
  • Introduces the concept of confidentiality
  • Describes what a confidential service should look
    like
  • Provides a high level description of the main
    legal requirements
  • Presents a generic decision support tool for
    sharing/disclosing information
  • Lists examples of particular information
    disclosure scenarios.

14
PIAS Context: Models of data usage in CRG and Confidentiality theory
(Diagram: purposes are placed on a grid of Non Patient Identifiable Data/Records vs Patient Identifiable Data/Records against Medical Purposes vs Secondary Use. Purposes shown: Commissioning, Direct Care of Individuals, Service Planning, Screening and Surveillance, Performance Management, Caseload Management, Some Clinical Audit, Clinical Governance, Research, Public Health, Central Government Research, Local Government Research, Central Returns, HES, Public Enquiries.)

15
PIAS Context: Real life observations
  • Extensive use of patient identifiable data
  • Reasons
  • Poor data quality
  • Changing business practices
  • Lack of trust between NHS bodies
  • Lack of other facilities
  • Lack of awareness of Confidentiality
  • Legitimate use

16
PIAS Context: Existing use of clear data
  • Examples of use of patient identifiable data
  • Small area mortality analysis - data linkage
  • Prevalence of serious conditions
  • Activity validation / data checking
  • Locality reporting
  • Frequent fliers and other clinical
    interventions
  • Optimum service location

17
PIAS Context: Legitimate access to clear data
  • Need for patient identification
  • e.g. predictive risk modelling, frequent fliers
  • Supporting primary use/direct care
  • Section 60 approved research
  • Patient consented research
  • Clinical audit
  • Data quality - NCASP

18
PIAS Context: Models of data usage, reality?
(Diagram: the "reality" counterpart of slide 14, Non Patient Identifiable Data/Records vs Patient Identifiable Data/Records against Healthcare Purposes, Medical Purposes and Other purposes. Purposes shown: Commissioning, Direct Care of Individuals, Screening, Service Planning, Caseload Management, Performance Management, Clinical Governance (of individual clinician), Clinical Audit, Public Health, Surveillance, Research, HES, Clinical Governance (of pattern of work), Central Government Research, Local Government Research, Central Returns, Public Enquiries.)
19
Pseudonymisation Impact Assessment Study: Initial brief
  • Many existing clear data flows will stop, to be
    replaced by pseudonymised data
  • What are the impacts for legitimate business
    processes?

20
Pseudonymisation Impact Assessment Study: reframed
  • Identify what actions are necessary to ensure
    that
  • legitimate NHS business activities can be
    supported
  • maximise the security and confidentiality of
    identifiable data

21
PIAS Process
  • Discussed with
  • NHS organisations
  • SUS Extended Project Team
  • Public Health doctors
  • CfH IG Policy Team
  • NASP/BT
  • Reviewed earlier scenarios work
  • Drafting report taking soundings

22
PIAS Conclusion: The Need for Transition
  • Use of clear data relates to patient care: service
    delivery, its planning, performance management
  • To reduce the need for clear data requires
  • data quality improvements
  • alternative facilities - through NPfIT
  • awareness of Confidentiality / CRG
  • Significant dependencies
  • Managed transition over time

23
Some Steps in the Move to Routine use of
Pseudonymised Data
  • Control the release of clear data through RBAC /
    potential protocol
  • Enable data linkage and the full range of analysis
    facilities within SUS
  • Separate patient identification role from
    analysis function
  • Reduce access to clear data as new SUS LSP
    facilities come on-line

24
Access to clear data: Transition
(Timeline diagram from Now through 2006A, 2006B, 2007A, 2007B to 2008 and beyond. The "Clear data" block narrows over time to "Clear data (legitimate access only)" as restrictions increase through RBAC. Parallel strands: Confidentiality awareness campaign; Guidance on working practices; Improving data quality. SUS milestones: SUS Pseudonymisation; Ad-hoc Pseud; User defined data marts; GIS tools. NB the blocks are illustrative and not to scale.)
25
What do we mean by pseudonymisation?
  • Many choices
  • Which fields are pseudonymised?
  • How are pseudonyms generated?
  • Reversibility?
  • Where in the data lifecycle?
  • Internal vs. external linkage?

26-31
(No Transcript)
32
What do we mean by pseudonymisation?
  • Must be fit for purpose
  • Yet constrained by IG rules
  • Pseudonymisation Pilot Study in progress to
    examine the issues

33
Where do we need to be?
34
Profile of usage - now
(Chart: types/volumes of usage plotted against degree of anonymisation; categories along the axis: Clear, Partially Clear, Unlinked Pseudo, Linked Pseudo, Anonymised.)
35
Risk of identification - generic
(Chart: risk of identifying individuals plotted against degree of anonymisation, from Clear to Anonymised.)
36
Utility of data analysis
Anonymised data is suitable and sufficient for
some purposes
37
Profile of usage - future SUS
(Chart: types/volumes of potential usage plotted against degree of anonymisation; categories along the axis: Clear, Partially Clear, Unlinked Pseudo, Linked Pseudo, Anonymised.)
38
SUS Utility
(Chart: SUS Utility plotted against SUS Release (05-2, 05-5, 06-A, 06-B, 07-A, 07-B), with series for SUS Facilities, SUS Developments and Data in SUS.)
39
Role-based access control (RBAC)
  • Different users require access to different types
    of data for different purposes (as in
    Confidentiality)
  • Access to each type of data determined by the
    role they select when they use their smartcard to
    log on to the Spine
  • Different (pre-allocated) roles provide access to
    different data and functionality

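As an added example (not from the presentation), the following Python sketches two of the design choices from slide 25 and the separation of the patient-identification role from the analysis function described on slides 23 and 39: keyed pseudonyms with a separate key per linkage domain, and a service that releases clear data, or reverses a pseudonym, only to the patient-identification role. The keys, role names and NHS numbers are constructed placeholders.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Keys and roles are constructed for this example; real keys belong in a key store.
KEYS = {"internal": b"sus-internal-linkage-key", "external": b"partner-extract-key"}
ROLE_PERMISSIONS = {  # hypothetical role model mirroring the slides' split of duties
    "analyst": {"clear": False, "reidentify": False},
    "patient_identification": {"clear": True, "reidentify": True},
}
# Constructed sample records; the NHS numbers are made-up placeholders.
RECORDS = [
    {"nhs_number": "0000000001", "postcode": "AB1 2CD", "diagnosis": "J45"},
    {"nhs_number": "0000000002", "postcode": "EF3 4GH", "diagnosis": "I10"},
    {"nhs_number": "0000000001", "postcode": "AB1 2CD", "diagnosis": "E11"},
]


def pseudonym(nhs_number: str, domain: str) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 64 bits for display).
    Same NHS number -> same token within a domain, so records remain linkable;
    a different key per domain stops an external recipient linking its extract
    back to internal data. Without the key the token cannot be reversed."""
    return hmac.new(KEYS[domain], nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


class PseudonymisationService:
    """Holds the only reversal table; analysts never receive it."""

    def __init__(self) -> None:
        self._lookup: Dict[str, str] = {
            pseudonym(r["nhs_number"], "internal"): r["nhs_number"] for r in RECORDS
        }

    def release(self, role: str, domain: str = "internal") -> List[dict]:
        perms = ROLE_PERMISSIONS.get(role)
        if perms is None:
            raise PermissionError(f"unknown role {role!r}")
        if perms["clear"]:  # clear data only for the patient-identification role
            return [dict(r) for r in RECORDS]
        # Pseudonymised view: identifier replaced, postcode reduced to its district
        return [{"pseudo_id": pseudonym(r["nhs_number"], domain),
                 "postcode_district": r["postcode"].split()[0],
                 "diagnosis": r["diagnosis"]} for r in RECORDS]

    def reidentify(self, role: str, token: str) -> Optional[str]:
        """Reverse an internal-domain token; only the identification role may."""
        if not ROLE_PERMISSIONS.get(role, {}).get("reidentify"):
            raise PermissionError(f"role {role!r} may not re-identify")
        return self._lookup.get(token)
```

An analyst's extract keeps the two records for the same patient linkable while carrying no NHS number, and an extract cut with the external key cannot be joined to the internal one.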
40
Role-based access control (RBAC)
  • Overall governance of Roles will be handled by a
    Governance Body, which will set rules for allocation
    of users into categories
  • Part of the wider governance framework for NPfIT
  • Informed by results of Pseudonymisation Pilot
    Study

41
How do we get there?
42
Your involvement is welcome!
  • Helping to define the parameters for use of clear
    data, and helping us to understand the detailed and
    subtle impacts of the switch to using
    pseudonymised data as part of the new IG
    environment, e.g. uses
  • Helping to define roles for RBAC that are
    meaningful and useful
  • Helping to specify functionality for SUS tools
    that will maximise the utility of its data.

43
Benozzo Gozzoli. St. Jerome Pulling a Thorn from
a Lion's Paw. 1452. Fresco. Capella di San
Gerolamo. Montefalco, Italy.