Medical data: privacy, anonymity, and security What can we learn from the furore around the NHS data sharing plans (“care.data”)? Dr Eerke Boiten Director, Interdisciplinary Centre for Cyber Security, University of Kent (ISC) 2 10 Dec 2014

Page 1

Medical data: privacy, anonymity, and security

What can we learn from the furore around the NHS data sharing plans (“care.data”)?

Dr Eerke Boiten, Director, Interdisciplinary Centre for Cyber Security, University of Kent

(ISC)2, 10 Dec 2014

Page 2

This talk will consider whether such databases can be created in a way that gives high levels of security as well as respecting privacy of the sensitive medical information contained in them.

Page 3

Integrated medical data process

• GP data, existing databases (e.g. HES)
• National medical database of everything
• Pseudonymised database of everything
• Shared extracts
• Section 251 shares
• Aggregated anonymous open data published

Page 4

Integrated medical data process … with safeguards?

• GP data, existing databases (e.g. HES)
• National medical database of everything
• Pseudonymised database of everything
• Shared extracts
• Section 251 shares
• Aggregated anonymous open data published

Safeguards marked on the diagram:

• opt outs; sensitive excl
• AG, HSCIC
• Audits
• Resharing: None!
• Inquiries (Partridge)
• “health purposes”
• Health Data Guardian

Page 5

Concerns

• Transparency
• Security: honeypot, severity: lasting effect
• Diligence: HSCIC sharing, procedures
• Pseudonymisation doesn’t work (next slide)
• Honesty: privacy, HSCIC record, sharing
• Mixing the uncontroversial and highly controversial purposes!

Page 6

Anonymity, or not

• Read Codes: rich info.
• David Davis MP: 5 broken noses. Governor Weld in Massachusetts. All those: low probability scenarios.
• Reversible pseudonym generation. (HES: table held safely by HSCIC.) Pseudo at source would be better?
• Gender: contraceptives, prostate, HPV vacc.
• Age: birth, vaccinations, “fall after 75”.
• Family members: sharing/changing GP.
• Mum: family member, birth matches pregnancy
• Conclusion: may need very little other info to re-identify even fully pseudonymised data.
• Mixed messages (and lobbying?) at European level.
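To put the slide's conclusion in measurable terms, here is an added example (mine, not from the talk) of the check a data controller would run on a pseudonymised extract before sharing it: how many records are singled out by a few quasi-identifiers of the kind listed above, i.e. the k-anonymity of the chosen fields. The records, field names and event codes are constructed; real Read Codes are not used.

```python
from collections import Counter

# Constructed pseudonymised extract (sample data, not real records): the patient
# identifier is an opaque pseudonym, but sex, birth year and dated coded events survive.
RECORDS = [
    {"pseudonym": "p001", "sex": "F", "birth_year": 1984,
     "events": [("BIRTH", "2013-03"), ("GP_CHANGE", "2014-06")]},
    {"pseudonym": "p002", "sex": "F", "birth_year": 1984,
     "events": [("BIRTH", "2013-03"), ("GP_CHANGE", "2014-06")]},
    {"pseudonym": "p003", "sex": "F", "birth_year": 1984,
     "events": [("BIRTH", "2012-11")]},
    {"pseudonym": "p004", "sex": "M", "birth_year": 1940,
     "events": [("FALL", "2014-01"), ("FRACTURE_NOSE", "2010-02")]},
    {"pseudonym": "p005", "sex": "M", "birth_year": 1940,
     "events": [("FALL", "2014-01")]},
    {"pseudonym": "p006", "sex": "M", "birth_year": 1971,
     "events": [("FRACTURE_NOSE", "2005-05"), ("FRACTURE_NOSE", "2008-09")]},
]

def quasi_identifier(record, fields):
    """Project a record onto the fields an outside dataset might also hold.
    'event_counts' = how many events of each code (e.g. two broken noses);
    'event:CODE'   = the months in which CODE occurred (e.g. a birth)."""
    key = []
    for f in fields:
        if f == "event_counts":
            counts = Counter(code for code, _ in record["events"])
            key.append(tuple(sorted(counts.items())))
        elif f.startswith("event:"):
            code = f.split(":", 1)[1]
            key.append(tuple(sorted(m for c, m in record["events"] if c == code)))
        else:
            key.append(record[f])
    return tuple(key)

def equivalence_classes(records, fields):
    """Group pseudonyms by their quasi-identifier value."""
    classes = {}
    for r in records:
        classes.setdefault(quasi_identifier(r, fields), []).append(r["pseudonym"])
    return classes

def k_anonymity(records, fields):
    """Size of the smallest class; k == 1 means some record is already unique."""
    return min(len(v) for v in equivalence_classes(records, fields).values())

def unique_records(records, fields):
    """Pseudonyms singled out by these fields alone (the re-identifiable ones)."""
    return sorted(p for v in equivalence_classes(records, fields).values() if len(v) == 1 for p in v)
```

Sex alone leaves every record in a class of three, but sex plus birth year already isolates one record, and a birth month or an event count isolates more; that is the slide's "very little other info".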

Page 7

Sharing does not work!

• Auditing now very slowly introduced
• Deletion: refused; certificates!?
• On-sharing: not regulated (anyone heard of software license? Transitivity of purpose?); within multiple-purpose organisations?
• Re-identification “illegal” but [big data profiling: no privacy, no traceability]; penalties?

Page 8

On the horizon

• Fume cupboard (e.g. model used for census; also EasternARC Big Data)
  – Controlled access
  – Controlled output
  – Sanitised output
• “Accredited safe haven” – security?!
• More oversight, more consent, more transparency
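As an added illustration (not from the talk) of the “sanitised output” step, this is the small-cell suppression that census-style release procedures apply to aggregate tables before they leave a controlled environment, with complementary suppression so that published row and column totals do not give a withheld cell away by subtraction. The table is constructed and the threshold of 5 is an assumed policy value.

```python
# Constructed aggregate output from a controlled-access environment: patient
# counts by (age band, condition code). Sample values, not real NHS figures.
COUNTS = {
    ("0-17", "ASTHMA"): 40, ("0-17", "HIV"): 1,
    ("18-64", "ASTHMA"): 120, ("18-64", "HIV"): 14,
    ("65+", "ASTHMA"): 35, ("65+", "HIV"): 2,
}

def lines_by_axis(keys, axis):
    """Group cell keys into rows (axis 0) or columns (axis 1)."""
    lines = {}
    for key in keys:
        lines.setdefault(key[axis], []).append(key)
    return list(lines.values())

def sanitise_counts(table, threshold=5):
    """Small-cell suppression before a table leaves the fume cupboard.

    Primary suppression withholds every non-zero count below the threshold.
    If row and column totals are released too, a line with exactly one
    withheld cell leaks it by subtraction, so complementary suppression also
    withholds the smallest remaining non-zero cell in that line, repeated
    until no line has a single withheld cell. None marks a withheld cell."""
    out = {k: (None if 0 < v < threshold else v) for k, v in table.items()}
    changed = True
    while changed:
        changed = False
        for axis in (0, 1):
            for keys in lines_by_axis(out, axis):
                hidden = [k for k in keys if out[k] is None]
                visible = [k for k in keys if out[k]]  # released and non-zero
                if len(hidden) == 1 and visible:
                    out[min(visible, key=out.get)] = None
                    changed = True
    return out

def exposed_cells(table):
    """Withheld cells that published margins would still reveal: the only
    withheld cell in a row or column. An empty list means safe to release."""
    exposed = set()
    for axis in (0, 1):
        for keys in lines_by_axis(table, axis):
            hidden = [k for k in keys if table[k] is None]
            if len(hidden) == 1:
                exposed.add(hidden[0])
    return sorted(exposed)
```

Two small HIV counts end up costing the whole 0-17 and 65+ rows once margins are published, which is the usual trade-off between the detail researchers want and the output control the fume cupboard exists to enforce.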

Page 9

More? Better?

• Software engineering, research ethics and data protection legislation provide narratives for regulation: “purpose” before “resource”. (Deliberate confusion with “open data” narrative.)
• Sampling techniques?
• How can strong big data fit in with this?
• More liberal form of fume cupboards possible if we can identify “attacks” better.

Page 10

Thank you

• Feedback welcome.
• See https://blogs.kent.ac.uk/eerke/2014/05/29/notjustadatabase for “narrative”