Medical data: privacy, anonymity, and security
What can we learn from the furore around the NHS data sharing plans (“care.data”)?
Dr Eerke Boiten, Director, Interdisciplinary Centre for Cyber Security, University of Kent
(ISC)2, 10 Dec 2014
This talk will consider whether such databases can be created in a way that gives high levels of security as well as respecting privacy of the sensitive medical information contained in them.
Integrated medical data process
GP data, existing databases (e.g. HES)
National medical database of everything
Pseudonymised database of everything
Shared extracts
Section 251 shares
Aggregated anonymous open data published
Integrated medical data process … with safeguards?
GP data, existing databases (e.g. HES)
National medical database of everything
Pseudonymised database of everything
Shared extracts
Section 251 shares
Aggregated anonymous open data published
opt outs; sensitive excl
AGHSCIC
Audits
Resharing: None!
Inquiries (Partridge)
“health purposes”
Health Data Guardian
Concerns
• Transparency
• Security: honeypot, severity: lasting effect
• Diligence: HSCIC sharing, procedures
• Pseudonymisation doesn’t work (next slide)
• Honesty: privacy, HSCIC record, sharing
• Mixing the uncontroversial and highly controversial purposes!
Anonymity, or not
• Read Codes: rich info.
• David Davis MP: 5 broken noses. Governor Weld in Massachusetts. All those: low probability scenarios.
• Reversible pseudonym generation. (HES: table held safely by HSCIC.) Pseudo at source would be better?
• Gender: contraceptives, prostate, HPV vacc.
• Age: birth, vaccinations, “fall after 75”.
• Family members: sharing/changing GP.
• Mum: family member, birth matches pregnancy
• Conclusion: may need very little other info to re-identify even fully pseudonymised data.
• Mixed messages (and lobbying?) at European level.
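As an added illustration (not part of the talk), a small k-anonymity audit in Python over a constructed pseudonymised extract: it counts how many records become unique once the quasi-identifiers the slide names (gender, birth year, gender- or age-specific care events) are combined, and shows that dropping the gender column does not help when the event codes imply it. All record values and field names are constructed for the example.

```python
from collections import Counter

# Constructed sample of a pseudonymised extract. "pid" is the opaque pseudonym;
# the remaining columns are the kinds of quasi-identifier the slide says Read
# Codes reveal: gender, birth year, and gender- or age-specific care events.
RECORDS = [
    {"pid": "p1", "gender": "F", "birth_year": 1975, "events": frozenset({"contraceptive"})},
    {"pid": "p2", "gender": "F", "birth_year": 1975, "events": frozenset({"contraceptive"})},
    {"pid": "p3", "gender": "F", "birth_year": 1980, "events": frozenset({"pregnancy"})},
    {"pid": "p4", "gender": "M", "birth_year": 1975, "events": frozenset({"prostate"})},
    {"pid": "p5", "gender": "M", "birth_year": 1938, "events": frozenset({"fall"})},
    {"pid": "p6", "gender": "M", "birth_year": 1938, "events": frozenset({"fall"})},
    {"pid": "p7", "gender": "F", "birth_year": 2002, "events": frozenset({"hpv_vacc"})},
    {"pid": "p8", "gender": "M", "birth_year": 1990, "events": frozenset()},
]

FEMALE_EVENTS = {"contraceptive", "pregnancy", "hpv_vacc"}
MALE_EVENTS = {"prostate"}


def implied_gender(events):
    """Gender that gender-specific events give away even if the column is dropped."""
    if events & MALE_EVENTS:
        return "M"
    if events & FEMALE_EVENTS:
        return "F"
    return None


def quasi_key(record, fields):
    """The tuple an outside party with partial knowledge of a person could match on."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields):
    """Map pid -> k, the number of records sharing its quasi-identifier tuple."""
    counts = Counter(quasi_key(r, fields) for r in records)
    return {r["pid"]: counts[quasi_key(r, fields)] for r in records}


def uniqueness_report(records, fields):
    """How many records are singled out (k == 1) under the chosen fields."""
    ks = k_anonymity(records, fields)
    unique = sum(1 for k in ks.values() if k == 1)
    return {"fields": fields, "total": len(records), "unique": unique, "min_k": min(ks.values())}


if __name__ == "__main__":
    for fields in (("gender",), ("birth_year", "events"), ("gender", "birth_year", "events")):
        print(uniqueness_report(RECORDS, fields))
```

Gender alone leaves every record in a group of four, but birth year plus one event code already singles out half of the sample, with or without the gender column.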
Sharing does not work!
• Auditing now very slowly introduced
• Deletion: refused; certificates!?
• On-sharing: not regulated (anyone heard of software license? Transitivity of purpose?); within multiple-purpose organisations?
• Re-identification “illegal” but [big data profiling: no privacy, no traceability]; penalties?
On the horizon
• Fume cupboard (e.g. model used for census; also EasternARC Big Data)
  – Controlled access
  – Controlled output
  – Sanitised output
• “Accredited safe haven” – security?!
• More oversight, more consent, more transparency
More? Better?
• Software engineering, research ethics and data protection legislation provide narratives for regulation: “purpose” before “resource”. (Deliberate confusion with “open data” narrative.)
• Sampling techniques?
• How can strong big data fit in with this?
• More liberal form of fume cupboards possible if we can identify “attacks” better.
Thank you
• Feedback welcome.
• See https://blogs.kent.ac.uk/eerke/2014/05/29/notjustadatabase for “narrative”