Pilot HRSS Pseudonymisationand Person Matching

An Outline of the Approach

Alan Barcroft

Pilot HRSS Background

• Programme within the DH Research and Development Directorate and the NIHR

• Health Research Support Service (HRSS)• Pilot HRSS operational since January 2011• RCP and the Pilot Programme have worked

closely with key stakeholders to promote acceptance/governance:– NIGB/ECC– NRES and the South East REC– ICO through Privacy Impact Assessment (PIA)– BMA

Key Pseudonymisation Principles

• “Honest Broker” that processes identifiable data– Both a Pseudonymisation Service – and a Person Identification Service

• Separation of Identity and Clinical data– Both Inbound and Outbound– “Identifying Data” and “Payload” (DD ISO 25237:2008)

• Internal allocation of “HRSS ID” pseudonym unique to the Service• HRSS ID is encrypted on the Clinical side• Processing is automated• No direct access to the data by recipients - by bespoke delivery only• Secondary Study Anonymisation / Pseudonymisation of HRSS ID by

encryption– Different study outputs not intended for linkage cannot be unilaterally linked

outside the Service

HRSS

Pilot HRSS Infrastructure

Outside World

Outside World

SFTP

Landing

Person Information

ClinicalInformation

INBOUND

CISFTP

PISFTP

LandingLandingLanding

SFTP

DataSource

Pilot Data Sources• Hospital Episode Statistics• UK Renal Registry• ONS Death Registrations• SLaM• Thames Cancer Registry• CTSU ASCEND• NICOR: MINAP• NICOR: BCIS• MRIS• NHS CSP (Bowel)• PDS

Internal Pseudonymisation

• Global HRSS ID– Internal to HRSS – Meaningless without access to

Index• Decryption Keys • All other ID attributes

– Matching characteristics– Other ID attributes– Stored against HRSS ID

• Master Patient Index• Interim Study Patient Index• Matching Processing

• Global HRSS Pseudonym– Encrypted Global HRSS ID– No route to IDs without key and

access to Index• Interim Solution Study Pseudonym

– Delays with PDS– Matching confidence– Large volume persistent data– Uses existing IDs (e.g. HES ID,

Epikey) – IDs are Encrypted

• Obfuscated ID data (e.g. YoB)• Clinical data

Patient Identifiers Server Clinical Information Server

ISO 25237: “Identifying Data” ISO 25237: “Payload”

Matching Characteristics

• Automated Matching Characteristics– NHS Number– Date of Birth– Name– Postcode– Gender / Sex– Local Patient ID

• Variety of matching criteria sets– Notional decreasing confidence– Assumes DBS is master (used operationally in the

NHS for clinical records)

Matching Criteria Sets

1. Exact Traced NHS Number2. Exact NHS Number and Date of Birth3. Exact NHS Number and Partial Date of Birth,

with Partial Name and Gender Check4. Local Patient Identifier and Partial Date of Birth,

with Partial Name and Gender Check5. Exact Name, Date of Birth and Postcode, with

Initial and Gender Check6. Exact Date of Birth and Postcode, with Gender

Check

HRSS

Outside World

Outside World

SFTP

Landing

Person Information

ClinicalInformation

CISFTP

PISFTP

LandingLandingLanding

SFTP

OUTBOUND

StudyOwner

Pilot HRSS Infrastructure

Pilot Study Owners

• Phases I & II Pilot Study Owners– Kings College London– UK Renal Registry– CTSU ASCEND– NCIN / NHS CSP

A Study’s Outputs:External Pseudonymisation

GroupPseudo-

nymHRSS ID

GroupPseudo-

nymHRSS ID

Optional: Dependenton approvalsECC (S251), Patient Consent

Any Questions?