Identity Protection and Pseudonymisation
White Paper Proposal for 2008/09
presented to the IT Infrastructure Technical Committee

A. Estelrich (GIP-DMP)
S. Bittins (Fraunhofer ISST)

18th of November, 2008

Page 1: Identity Protection and Pseudonymisation (title slide)

Page 2: Editors

• Ana Estelrich (GIP-DMP)
• Prof. Klaus Pommerening (University of Mainz)
• Sebastian Semler (TMF e.V.)
• Sören Bittins, Jörg Caumanns (Fraunhofer ISST)

Page 3: Motivation

• Pseudonymisation is often considered interesting only for secondary-use scenarios, but primary-use cases are also interesting
• Primary use scenarios:
  – Pseudonymisation as a potential security mechanism
  – Reducing the actual protection requirement by decoupling the concrete patient's identity from the health information
• Secondary use scenarios (clinical research, public health):
  – Data leaves the context of the physician, where it is protected by professional discretion
  – The use of anonymisation/pseudonymisation means is mandatory for secondary-use scenarios
  – The concrete identity of the patient is often of no interest

Page 4: Motivation (II)

• In order to derive solution patterns for a flexible implementation, several models need to be created and considered
• Six models are suggested, covering a selection of primary and secondary use cases

Page 5: Pseudonymisation Models

• Model 0: Identity Protection for Primary Use
  – Incorporates encryption and pseudonymisation for identity protection
• Model 1: Identity Removal
  – For one-time secondary use
  – Identity is completely anonymised (e.g. for research purposes)
• Model 2: Multiple data sources, one-time secondary use
  – Aims at linking multiple sources (e.g. XDS registries, repositories)
  – Incorporates one-way pseudonyms and encryption
  – The secondary user cannot tell the identity but can read the data
  – Purpose: cancer registry

Page 6: Pseudonymisation Models (continued)

• Model 3: One-time secondary use with re-identification
  – Incorporates two TTPs: one for substituting the concrete identity, one for the actual pseudonymisation
  – The PID service knows the identity of the patient but holds no data
  – The PSEUD service can recover the PID by decrypting the PSN but does not know the concrete identity
• Model 4: Pseudonymous Research Data Pool
  – Based on Model 3 but incorporates a data pool for research
  – Pseudonym and medical data are permanently stored in the data pool
• Model 5: Central DB with many secondary uses
  – Potential for research involving a central (clinical) database
  – The clinical database contains medical data but no identities
  – A concrete reference to the pseudonymised medical data is established via a TTP that is able to assign a PID connected to the data
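The two-TTP split behind Models 2 and 3 above, as an added example that is not part of this proposal and not IHE or eCR code: the PID service knows identities but holds no medical data, the PSEUD service turns PIDs into pseudonyms under a secret key and never sees an identity, and the secondary user receives only (PSN, data). Where the proposal has the PSEUD service decrypt the PSN to recover the PID, this example substitutes a keyed hash (HMAC-SHA256) for the pseudonym and a reverse table held by the PSEUD service for re-identification; with the table switched off the pseudonym is one-way as in Model 2. All class and function names, the Identity record, and the sample patients and diagnosis codes are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Identifying attributes of a patient (hypothetical PIX/PDQ-style record)."""
    name: str
    birth_date: str  # assumed ISO 8601 date string


class PidService:
    """TTP 1 (the 'PID service' of Model 3): knows who the patient is, holds no
    medical data, and issues a stable, opaque patient identifier (PID) per identity."""

    def __init__(self):
        self._pid_by_identity = {}
        self._identity_by_pid = {}

    def lookup_or_create(self, ident):
        pid = self._pid_by_identity.get(ident)
        if pid is None:
            pid = secrets.token_hex(8)  # random, so the PID itself reveals nothing
            self._pid_by_identity[ident] = pid
            self._identity_by_pid[pid] = ident
        return pid

    def identity_for(self, pid):
        return self._identity_by_pid[pid]


class PseudService:
    """TTP 2 (the 'PSEUD service' of Model 3): maps a PID to a pseudonym (PSN)
    under a secret key and never learns the identity behind the PID.
    Assumption: PSN = HMAC-SHA256(key, PID) instead of an encryption of the PID.
    reversible=True keeps a PSN -> PID table for re-identification (Model 3);
    reversible=False gives a one-way pseudonym (Model 2)."""

    def __init__(self, key, reversible):
        self._key = key
        self._reversible = reversible
        self._pid_by_psn = {}

    def pseudonymise(self, pid):
        # Deterministic: the same PID from different sources yields the same PSN,
        # which is what allows linkage across several XDS registries/repositories.
        psn = hmac.new(self._key, pid.encode(), hashlib.sha256).hexdigest()[:32]
        if self._reversible:
            self._pid_by_psn[psn] = pid
        return psn

    def pid_for(self, psn):
        if not self._reversible:
            raise PermissionError("one-way pseudonym: re-identification not supported")
        return self._pid_by_psn[psn]


def submit_record(pid_svc, pseud_svc, ident, medical_data):
    """Source side: the identity is replaced by a PSN before the record leaves
    the physician's context; the secondary user sees only (PSN, medical data)."""
    pid = pid_svc.lookup_or_create(ident)
    psn = pseud_svc.pseudonymise(pid)
    return {"psn": psn, "data": medical_data}


def reidentify(pid_svc, pseud_svc, psn):
    """Model 3 re-identification: both TTPs must cooperate, neither can do it alone."""
    return pid_svc.identity_for(pseud_svc.pid_for(psn))


def can_reidentify(pseud_svc, psn):
    """True if the PSEUD service is able to hand back a PID for this PSN."""
    try:
        pseud_svc.pid_for(psn)
        return True
    except PermissionError:
        return False


def build_registry(reversible=True):
    """Runs the flow over constructed sample records from two source systems and
    returns both services together with the pseudonymous data pool."""
    pid_svc = PidService()
    pseud_svc = PseudService(secrets.token_bytes(32), reversible)
    alice = Identity("Alice Example", "1970-01-01")
    bob = Identity("Bob Example", "1985-05-05")
    sources = [  # constructed input: (identity, medical data) per source system
        (alice, {"source": "hospital-A", "diagnosis": "C50.9"}),
        (bob, {"source": "hospital-A", "diagnosis": "C34.1"}),
        (alice, {"source": "registry-B", "diagnosis": "C50.9", "stage": "II"}),
    ]
    pool = [submit_record(pid_svc, pseud_svc, ident, data) for ident, data in sources]
    return pid_svc, pseud_svc, pool


if __name__ == "__main__":
    pid_svc, pseud_svc, pool = build_registry()
    for rec in pool:
        print(rec["psn"], rec["data"])
    print("re-identified:", reidentify(pid_svc, pseud_svc, pool[0]["psn"]))
```

The one-way property of the pseudonym rests entirely on the secrecy of the HMAC key, and the reverse table of the reversible variant must be protected as strictly as that key; a secondary user who obtains either can link every PSN in the pool back to a PID, and with the PID service's cooperation to a person.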

Page 7: Flow-of-Data (Model 2)

Page 8: Outline

• Identity Protection, Pseudonymisation, Anonymisation (2-3 pages)
• Pseudonymisation Models (Use Cases) (5-10)
• Building Blocks (10-20)
• Implementation and Deployment (10-15)
• Security Considerations (2-4)
• Outline of a Privacy Framework (2-4)
• Application of Pseudonymisation to content profiles from PCC and QRPH (4-8)

Page 9: Standards and Systems

• ISO TC 215 Pseudonymisation for Health Informatics
• TMF Pseudonymisation Framework
• OASIS WSFED (WS-Federation)

Page 10: IHE Profile Grouping

• XUA: for user authentication
• XPP: for authorising access to pseudonym generation
• XDS: for secondary-use databases
• XDS: as a prominent example of health resources that can be safeguarded by pseudonyms (primary use)
• ATNA: for mutual node authentication and audit trails
• PIX/PDQ: for providing patient identifiers and attributes

Page 11: Expected Acceptance

• Data protection and extended liability issues are gradually moving into focus
• Cooperative health care networks have an extremely strong demand for compliant solutions
• This profile provides essential building blocks for designing those solutions
• The eCR Initiative is currently providing and using various of the components presented here for full compliance
• Significant potential for cross-border usability
• May serve as a foundation for a pan-European identity protection framework