Agenda
• Problem
• Existing Approaches
• The e-Lab
• Is DRM the solution?
Climate Change
Problem
• Potentially identifiable data required for effective research
• Individuals have a right to confidentiality and privacy
• Potentially identifiable data should not be:
– Redistributed
  • Release under defined conditions
– Linked to other data
  • Risk of deductive disclosure
• Potentially identifiable data should be:
– Stored securely
– Destroyed after use
Potentially Identifiable Information
• Individual records, even if they do not include variables such as names, full postcodes and dates of birth which would make them obviously identifiable
• Tabular data, based on small geographic areas, with cell counts of fewer than five cases/events (or where counts of less than five can be inferred by simple arithmetic) – hereafter referred to as “sparse cells”
• Tabular data containing cells that have underlying population denominators of less than approximately 1,000
– Source: UKACR
Existing approaches
• Locked rooms, locked down machines
– Used by many national statistical services
• Does not scale
Existing approaches
• Policy
– User bound by terms and conditions, or contract of employment, or professional governance bodies
UKACR Policy
• the intended use(s) of the data should be stated clearly
• the use(s) of the data should be justified and the data should not be used for any other purpose(s)
• the data should not be passed on to other third parties or released into the public domain
• the data should be kept securely for the period of time that can be justified by the stated purpose, and then destroyed
• no attempt should be made to identify information pertaining to particular individuals or to contact individuals
• no attempt should be made to link the data to other data sets, unless agreed with the data providers
Existing approaches
• Policy
– User bound by terms and conditions, or contract of employment, or professional governance bodies
• Policing
– Doesn’t scale
North West e-Health
• Joint project: SRFT, SPCT, UoM
– Founded on UoM / Salford NHS experience and expertise
• Based on the establishment of an e-Lab federation: “that will allow the partners to pool and develop their expertise and resources, acting together for mutual benefit and for the benefit of other stakeholders and clients”
• NWDA core-funding
• Potential for self-sustaining entity
What is an e-Lab
...an information system bringing together data, analytical methods and people for timely, high-quality decision-making
Information Governance
• Designed for minimal disclosure
• Only release items that the user “needs to know”
• Only release items that the user “has the right to know”
• Determined by the “e-Lab Governance Board”
Information Governance
• Technical safeguards
– Audit trails & monitoring
– Anonymisation and inference control
• Operational procedures
– Users sign up to terms and conditions of use; bound by employment contracts
– Spot checks
• Governance Board + NREC Research Database Approval
[Diagram: NHS Trust e-Lab. Trust systems (EHR, clinical data, non-clinical data) feed an integrated EHR and the E-Lab Repository in the e-Lab DataStore; Governance and Users sit alongside.]

[Diagram: Trust e-Lab data flow, Trust Systems to Trust e-Lab to User (DataStore, Access Control, e-Lab Tools, E-Lab Repository)]
1. Integration of primary and secondary care records
2. Pseudonymisation, classification and integration
4. Anonymisation and inference control
8. Storage
9. Data analysis and visualization
Query path:
1. User logs on and submits query
2. Access control module authorizes request
3. Perform data query

[Diagram: NWeH e-Lab Federation. Several NHS Trust e-Labs (each with DataStore, Governance, Users, EHR, E-Lab Repository, Access Control, e-Lab Tools), the NWeH Broker, NWeH Users and the federated e-Lab Governance]
1. User logs on and submits query
2. Access control module authorizes request
3. Broker performs distributed query; generate pseudonym keys
5. Per request keyed pseudonymisation
6. Data integration
7. Anonymisation and inference control
8. Storage
9. Data analysis and visualization

[Diagram: Data Users, e-Lab Broker and e-Labs, showing pseudonymised data flows and secondary pseudonymised data flows]
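An added example (not code from these slides or from the NWeH project) of the federated flow's steps 3, 5, 6 and 7 together with the “sparse cells” threshold from the Potentially Identifiable Information slide: the broker issues a per-request key, each trust pseudonymises its identifier field with it, the broker joins on the pseudonym, and cells under five are flagged before release. The trust records, identifiers and field names are constructed, and the HMAC-SHA256 construction is an assumption; the slides do not say how the keyed pseudonyms are computed.

```python
import hmac
import hashlib
import secrets
from collections import Counter

# Constructed sample records held by two hypothetical trust e-Labs
# (identifiers are made-up placeholders, not real NHS numbers).
TRUST_A = [{"nhs_no": "ID-0001", "diagnosis": "asthma"},
           {"nhs_no": "ID-0002", "diagnosis": "diabetes"}]
TRUST_B = [{"nhs_no": "ID-0001", "postcode_area": "M6"},
           {"nhs_no": "ID-0002", "postcode_area": "M6"},
           {"nhs_no": "ID-0003", "postcode_area": "M5"}]

def new_request_key() -> bytes:
    """Step 3: the broker generates a fresh random key for this request only."""
    return secrets.token_bytes(32)

def pseudonymise(records, key, id_field="nhs_no"):
    """Step 5: each trust replaces the identifier with HMAC-SHA256(key, id).
    The same request key gives the same pseudonym at every trust, so the
    broker can join; a different key gives unlinkable pseudonyms, so records
    released for two requests cannot be linked to each other afterwards."""
    out = []
    for r in records:
        pid = hmac.new(key, r[id_field].encode(), hashlib.sha256).hexdigest()
        out.append({"pid": pid, **{k: v for k, v in r.items() if k != id_field}})
    return out

def integrate(*pseudonymised_sets):
    """Step 6: the broker joins the trusts' record sets on the pseudonym."""
    merged = {}
    for records in pseudonymised_sets:
        for r in records:
            attrs = {k: v for k, v in r.items() if k != "pid"}
            merged.setdefault(r["pid"], {}).update(attrs)
    return merged

def sparse_cells(merged, field, threshold=5):
    """Step 7 (inference control): tabulate one field and report the
    'sparse cells', i.e. values with fewer than `threshold` individuals."""
    counts = Counter(r.get(field) for r in merged.values())
    return {value: n for value, n in counts.items() if n < threshold}

def run_request():
    """One complete request: key, per-trust pseudonymisation, join, check."""
    key = new_request_key()
    merged = integrate(pseudonymise(TRUST_A, key), pseudonymise(TRUST_B, key))
    return merged, sparse_cells(merged, "postcode_area")
```

With only three constructed records every postcode cell is sparse, so nothing in the tabulation would be releasable as-is; the same check on a realistic extract flags only the small cells.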
DRM Solution?
• DRM used to prevent re-distribution
• DRM used to prevent modification
• DRM used to prevent linking to other data
DRM problems
• Not fail safe?
• Better than just stopping the “casual attacker”?
• Perception is that it is easy to crack or bypass