Anonymisation & pseudonymisation in large data sets for medical research Law and Ethics in e-Social Science Workshop, 24 June 2009

David Trower Chief Privacy Officer EMEA & Chair of Global Privacy Council IMS Health

Who are IMS? US owned multi-national in 100+ markets globally EMEA region, headquartered in London, includes 30 countries with data protection laws Lead supplier of market intelligence and consulting services to the pharmaceutical and healthcare industries Additional information is available at http://www.imshealth.com .

US owned multi-national in 100+ markets globally

EMEA region, headquartered in London, includes 30 countries with data protection laws

Lead supplier of market intelligence and consulting services to the pharmaceutical and healthcare industries

Additional information is available at http://www.imshealth.com .

Why is privacy so important to IMS? Matter of legal compliance and sanctions Critical as IMS an information based company Secure and gain access to data Gain competitive advantage We are good citizens

Matter of legal compliance and sanctions

Critical as IMS an information based company

Secure and gain access to data

Gain competitive advantage

We are good citizens

Our privacy gold standard Global Privacy Council, network of privacy officers IMS assessed as compliant, by independent legal opinion, in 17 European countries IMS use the latest privacy enhancing technologies and methodologies to anonymise physician and patient data IMS works with Data Privacy Commissioners and lobbies to create a legal framework supportive to medical research

Global Privacy Council, network of privacy officers

IMS assessed as compliant, by independent legal opinion, in 17 European countries

IMS use the latest privacy enhancing technologies and methodologies to anonymise physician and patient data

IMS works with Data Privacy Commissioners and lobbies to create a legal framework supportive to medical research

Legal and regulatory considerations Data protection Patient confidentiality and medical secrecy Laws regulating clinical research Ethical committee requirements Physician association rules

Data protection

Patient confidentiality and medical secrecy

Laws regulating clinical research

Ethical committee requirements

Physician association rules

Data protection law requirements Notification of processing to DP Authority Legal basis, often consent Transparency, notice to the individual No unauthorised secondary use Data must be relevant and not excessive Data quality obligations Individual rights, for example access to own data Information security Obligations in appointing outsourcers Strict rules on data transfers to outside the EU

Notification of processing to DP Authority

Legal basis, often consent

Transparency, notice to the individual

No unauthorised secondary use

Data must be relevant and not excessive

Data quality obligations

Individual rights, for example access to own data

Information security

Obligations in appointing outsourcers

Strict rules on data transfers to outside the EU

The alternative is to anonymise So it is no longer ‘personal data’ Legal rules then don’t apply Where is the dividing line? The data must no longer be identifiable Not an absolute test No longer a reasonably likely chance of re-identification (Recital 26 of DP Directive) No firm guidelines on meaning

So it is no longer ‘personal data’

Legal rules then don’t apply

Where is the dividing line?

The data must no longer be identifiable

Not an absolute test

No longer a reasonably likely chance of re-identification (Recital 26 of DP Directive)

No firm guidelines on meaning

Is pseudonymised data ‘personal’? Individual de-identified patient often coded Key held by physician Sometimes need to ‘go backwards’ For validation and data quality purposes WP29 Paper on ‘Definition of Personal Data’ Coded data not personal in hands of recipient when reverse process has no impact on individual But this position not universally adopted across EU

Individual de-identified patient often coded

Key held by physician

Sometimes need to ‘go backwards’

For validation and data quality purposes

WP29 Paper on ‘Definition of Personal Data’

Coded data not personal in hands of recipient when reverse process has no impact on individual

But this position not universally adopted across EU

Secondary use of patient data at IMS Sensitive privacy issue for company Occasional nominative data in direct research Mostly anonymous or coded As part of syndicated services based on panels Ad hoc primary market research for specific clients ‘ Anonymous line data’ can be provided to clients

Sensitive privacy issue for company

Occasional nominative data in direct research

Mostly anonymous or coded

As part of syndicated services based on panels

Ad hoc primary market research for specific clients

‘ Anonymous line data’ can be provided to clients

Purposes Pharmacovigilance, Pharmacoepidemiology, Epidemiology, Health economics and outcomes research, Pharmaceutical market research

Pharmacovigilance,

Pharmacoepidemiology,

Epidemiology,

Health economics and outcomes research,

Pharmaceutical market research

Types of survey Direct to patient Interventional Physician observational studies (e.g. diary) Physician retrospective studies External researcher retrospective studies EHR system data extraction

Direct to patient

Interventional

Physician observational studies (e.g. diary)

Physician retrospective studies

External researcher retrospective studies

EHR system data extraction

IMS anonymisation standard on full medical record No direct identifiers Patient geography minimum limit Physician identity known only to panel management Extreme values top coded Rare Conditions filtered Date of birth masked Specific socio-economic information eliminated Size of sample not to exceed set % of target population Free text eliminated or filtered Information security limits access One way hashing of key where possible… no reverse process Contractual guarantees on no re-identification sometimes used

No direct identifiers

Patient geography minimum limit

Physician identity known only to panel management

Extreme values top coded

Rare Conditions filtered

Date of birth masked

Specific socio-economic information eliminated

Size of sample not to exceed set % of target population

Free text eliminated or filtered

Information security limits access

One way hashing of key where possible… no reverse process

Contractual guarantees on no re-identification sometimes used

Is physician linked prescription data personal? Pharmaceutical industry very interested in doctor prescribing behaviour and IMS seeks to provide insights Information on named doctors prescribing is personal data though European Convention of Human Rights, Article 8, provides that everyone has “the right to respect for his private and family life, his home and his correspondence”. Case law of European Court of Human Rights confirms clearly that rights to a private life extend into the work environment Data protection law seeks to protect work product data about named individuals, seen as personal data in most cases

Pharmaceutical industry very interested in doctor prescribing behaviour and IMS seeks to provide insights

Information on named doctors prescribing is personal data though

European Convention of Human Rights, Article 8, provides that everyone has “the right to respect for his private and family life, his home and his correspondence”.

Case law of European Court of Human Rights confirms clearly that rights to a private life extend into the work environment

Data protection law seeks to protect work product data about named individuals, seen as personal data in most cases

Is physician linked prescription data personal? Article 29 Working Party, committee of all EU DP commissioners, produced guidance on definition of personal data in 2007. Example 1: Professional habits and practices Drug prescription information (e.g. drug identification number, drug name, drug strength, manufacturer, selling price, new or refill, reasons for use, reasons for no substitution order, prescriber's first and last name, phone number, etc.), whether in the form of an individual prescription or in the form of patterns discerned from a number of prescriptions, can be considered as personal data about the physician who prescribes this drug, even if the patient is anonymous. Thus, providing information about prescriptions written by identified or identifiable doctors to producers of prescription drugs constitutes a communication of personal data to third party recipients in the meaning of the Directive.

IMS EMEA response Variety of strategies to anonymise prescription data (“Rx”) Often use Trusted Third Parties (“TTP”) Rx minus patient details sent to IMS Doctor name linked to each Rx sent to TTP TTP links doctor to specific group or area (“brick”) Acceptable brick size varies France 5, UK 50, Belgium 12, Germany? Governments and/or DP authorities determine Not just privacy driving size, but payer concerns

Variety of strategies to anonymise prescription data (“Rx”)

Often use Trusted Third Parties (“TTP”)

Rx minus patient details sent to IMS

Doctor name linked to each Rx sent to TTP

TTP links doctor to specific group or area (“brick”)

Acceptable brick size varies

France 5, UK 50, Belgium 12, Germany?

Governments and/or DP authorities determine

Not just privacy driving size, but payer concerns

Any Questions?