Julia Hippisley-Cox University of Nottingham June 2013 Open Pseudonymisation

My roles 1.Professor clinical epidemiology 2.NHS GP 3.Co-Director QResearch database with Shaun O’Hanlon from EMIS 4.Director ClinRisk Ltd (sowftare company) 5.Previously member of ECC 6.Current member Confidentiality Advisory Group, HRA

Key objectives for safe data sharing Patient and their data Minimise risk Privacy Maximise public benefit Maintain public trust

Three main options for data access Patient and their data Minimise risk Privacy Maximise public benefit Maintain public trust consent Pseudo nymisation S251statute

Policy context Transparency AgendaTransparency Agenda Open DataOpen Data Caldicott2Caldicott2 Benefits of linkage for (in order from document)Benefits of linkage for (in order from document) IndustryIndustry ResearchResearch commissionerscommissioners PatientsPatients service usersservice users publicpublic

Objectives Open common technical approach for pseudonymisationOpen common technical approach for pseudonymisation allows individual record linkage BETWEEN organisationsallows individual record linkage BETWEEN organisations WITHOUT disclosure strong identifiersWITHOUT disclosure strong identifiers Inter-operabilityInter-operability Voluntary ‘industry’ specificationVoluntary ‘industry’ specification One of many approachesOne of many approaches

Attendances at 3 workshops East London CSUsEast London CSUs GP suppliers – TPP, EMIS, INPS, microtestGP suppliers – TPP, EMIS, INPS, microtest NHSE, HSCIC, ISB, ONS, screening committeeNHSE, HSCIC, ISB, ONS, screening committee CPRD, THIN, ResearchOne, IMSCPRD, THIN, ResearchOne, IMS PHCSG, BMA, RCGP, GP system user groups, Various universitiesPHCSG, BMA, RCGP, GP system user groups, Various universities Cerner & other pseud companies (Oka Bi, Sapior etc)Cerner & other pseud companies (Oka Bi, Sapior etc)

Ground rules: all outputs from workshop PublishedPublished OpenOpen Freely availableFreely available Can be adapted & developedCan be adapted & developed Complement existing approachesComplement existing approaches

Big Data or Big Headache Need to protect patient confidentialityNeed to protect patient confidentiality Maintain public trustMaintain public trust Data protectionData protection Freedom of InformationFreedom of Information Information GovernanceInformation Governance ‘safe de-identified format’‘safe de-identified format’

Assumptions Pseudonymisation is desired “end state” for data sharing for purposes other than direct carePseudonymisation is desired “end state” for data sharing for purposes other than direct care Legitimate use of dataLegitimate use of data legitimate purpose legitimate purpose legitimate applicant or organisation legitimate applicant or organisation Ethics and governance approval in placeEthics and governance approval in place Appropriate data sharing agreementsAppropriate data sharing agreements

Working definition of pseudonymisation Technical process applied to identifiers which replaces them with pseudonymsTechnical process applied to identifiers which replaces them with pseudonyms Enables us to distinguish between individual without enabling that individual identifiedEnables us to distinguish between individual without enabling that individual identified Either reversible or irreversibleEither reversible or irreversible Part of de-identificationPart of de-identification

Identifiable information person identifier that will ordinarily identify a person. Examples include:person identifier that will ordinarily identify a person. Examples include: NameName AddressAddress DobDob PostcodePostcode NHS numberNHS number telephone notelephone no (local GP practice or trust number)(local GP practice or trust number)

Benefits pseudonymisation Better for patient confidentialityBetter for patient confidentiality Better for practice and public confidenceBetter for practice and public confidence Better to enforcing in data that simply reply on contracts/trustBetter to enforcing in data that simply reply on contracts/trust Don’t need s251Don’t need s251 Don’t need to handle SARSDon’t need to handle SARS Can retain data longer & hold more data.Can retain data longer & hold more data. Don’t need to handle opt outs and delete data from live systems backupsDon’t need to handle opt outs and delete data from live systems backups

Open pseudonymiser approach Need approach which doesn’t extract identifiable data but still allows linkageNeed approach which doesn’t extract identifiable data but still allows linkage Legal ethical and NIGB approvalsLegal ethical and NIGB approvals Secure, ScalableSecure, Scalable Reliable, AffordableReliable, Affordable Generates ID which are Unique to projectGenerates ID which are Unique to project Can be used by any set of organisations wishing to share dataCan be used by any set of organisations wishing to share data Pseudonymisation applied as close as possible to identifiable data ie within clinical systemsPseudonymisation applied as close as possible to identifiable data ie within clinical systems

Pseudonymisation: method Scrambles NHS number BEFORE extraction from clinical systemScrambles NHS number BEFORE extraction from clinical system Takes NHS number + project specific encrypted ‘salt code’ One way hashing algorithm (SHA2-256) – no collisions and US standard from 2010 Applied twice - before leaving clinical system & on receipt by next organisation Apply identical software to second datasetApply identical software to second dataset Allows two pseudonymised datasets to be linkedAllows two pseudonymised datasets to be linked Cant be reversed engineeredCant be reversed engineered

Web tool to create encrypted salt: proof of concept Web site private key used to encrypt user defined project specific saltWeb site private key used to encrypt user defined project specific salt Encrypted salt distributed to relevant data supplier with identifiable dataEncrypted salt distributed to relevant data supplier with identifiable data Public key in supplier’s software to decrypt salt at run time and concatenate to NHS number (or equivalent)Public key in supplier’s software to decrypt salt at run time and concatenate to NHS number (or equivalent) Hash then appliedHash then applied Resulting ID then unique to patient within projectResulting ID then unique to patient within project

Openpseudonymiser.org Website for evaluation and testing withWebsite for evaluation and testing with Desktop applicationDesktop application DLL for integrationDLL for integration Test dataTest data DocumentationDocumentation Utility to generate encrypted salt codesUtility to generate encrypted salt codes Source code GNU LGPLSource code GNU LGPL

Current implementations EMIS – 56% of GP practicesEMIS – 56% of GP practices TPP – 20% GP practicesTPP – 20% GP practices Office National StatisticsOffice National Statistics HSCICHSCIC Bromley LATBromley LAT United Health (in progress)United Health (in progress) Two CSU’s (in progress)Two CSU’s (in progress)

Key points Pseudonymisation at sourcePseudonymisation at source Instead of extracting identifiers and storing lookup tables/keys centrally, then technology to generate key is stored within the clinical systemsInstead of extracting identifiers and storing lookup tables/keys centrally, then technology to generate key is stored within the clinical systems Use of project specific encrypted salted hash ensures secure sets of ID unique to projectUse of project specific encrypted salted hash ensures secure sets of ID unique to project Full control of data controllerFull control of data controller Can work in addition to existing approachesCan work in addition to existing approaches Open source technology so transparent & freeOpen source technology so transparent & free

Qresearch data linkage projects Link HES, Cancer, deaths to QResearchLink HES, Cancer, deaths to QResearch NHS number complete and valid in > 99.7%NHS number complete and valid in > 99.7% Successfully applied OpenPSuccessfully applied OpenP - Information Centre - Information Centre - ONS cancer data - ONS cancer data - ONS mortality data - ONS mortality data - GP data (EMIS systems) - GP data (EMIS systems)

QAdmissions New risk stratification tool to identify risk emergency admissionNew risk stratification tool to identify risk emergency admission Modelled using GP-HES-ONS linked dataModelled using GP-HES-ONS linked data Can apply to linked data or GP data onlyCan apply to linked data or GP data only NHS number complete & valid 99.8%NHS number complete & valid 99.8% 97% of dead patient have matching ONS deaths record97% of dead patient have matching ONS deaths record High concordance of year of birth, deprivation scoresHigh concordance of year of birth, deprivation scores