Zone model for data privacy and confidentiality in medical research

A flexible zone model for data
privacy and confidentiality in
medical research
Wolfgang Kuchinke1
,Christian Ohmann,1
Evert-Ben van
Veen2
, Robert Verheij3
, Adel Taweel4
, Brendan Delaney4
1
University of Duesseldorf and ECRIN, 2
MedLawConsult DenHaag, The
Netherlands, 3
NIVEL, The Netherlands, 4
King’s College London, UK
TRANSFoRm
09 Feb. 2012 - 10 Feb. 2012, Budapest
Workshops on e-Science Workflows

Translational Medicine and Patient Safety in EuropeTranslational Medicine and Patient Safety in EuropeW. Kuchinke (2014) 2
Background
• Privacy frameworks for cancer research or biobanking
already exist (e.g. ACGT, GenoMatch, caBIG)
• mostly privacy frameworks apply the most stringent
approach to their data flow and interpret
“anonymisation” in a restrictive way
• A more flexible approach is needed
• to guarantee privacy of patient data
• to enable unhindered research
• to align the framework to data flow requirements (data
chain) and research workflow

TRANSFoRm project
• Translational Medicine and Patient Safety in Europe
• Development of a ‘rapid learning health-care system’
driven by advanced computational infrastructure that
can improve both patient safety and clinical research in
Europe
• Providing interoperability between different clinical
systems, across national boundaries, and systems

TRANSFoRm project: References
• https://cordis.europa.eu/project/id/247787/results/de
• https://www.i-hd.eu/index.cfm/resources/ec-projects-results/transform/
• Delaney BC, Curcin V, Andreasson A, Arvanitis TN, Bastiaens H, Corrigan
D, Ethier JF, Kostopoulou O, Kuchinke W, McGilchrist M, van Royen P,
Wagner P. Translational Medicine and Patient Safety in Europe:
TRANSFoRm--Architecture for the Learning Health System in
Europe. Biomed Res Int. 2015;2015:961526. doi:
10.1155/2015/961526. Epub 2015 Oct 11.
• PMID: 26539547; PMCID: PMC4619923
• Kuchinke W., Ohmann C., Verheij R.A., van Veen EB., Delaney B.C.
(2016) Development Towards a Learning Health System—Experiences
with the Privacy Protection Model of the TRANSFoRm Project. In:
Gutwirth S., Leenes R., De Hert P. (eds) Data Protection on the Move.
Law, Governance and Technology Series, vol 24. Springer, Dordrecht.
• DOI http://doi-org-443.webvpn.fjmu.edu.cn/10.1007/978-94-017-
7376-8_5

The ECRIN network
• European Clinical Research Infrastructures Network
• Is based on the connection of coordinating centres for
national networks of clinical research centres and
clinical trials units
• Pan-European, distributed infrastructure providing
integrated services to multi-national clinical research in
the EU
• Clinical trials services are coordinated by the ECRIN
European correspondents and provided by national
ECRIN partners

The ECRIN Infrastructure
CRC = Clinical research centre, DM = Data centre, EC = European Correspondent
GMP = GMP facility for biotherapy, NNC = National Network Coordination

Objectives of ECRIN
• Integration of EU clinical research capacity
• support to investigators
• support to sponsors in multinational studies
• unlocking latent potential: scientific, patients , …
• Harmonisation of tools, training and practice
• improved quality, credibility, transparency
• ECRIN Data Centre Certification Program
• requirements of GCP-compliant data management in
multinational clinical trials
• Harmonisation of legislative systems (new EU Directive)

Projects with ECRIN participation
EU FP7 Project Type of data Use cases collaboration
TRANFoRm GP care data / EHR,
patient data registries,
death registries,
cancer registries
•genotype-phenotype
relationships for the
prediction of risk of
complications in type II
diabetes mellitus
• quality of care and
evidence for treatment of
gastroesophageal reflux
disease (GORD)
GPRD, NIVEL,
ePCRN, …
EHR4CR HIS data / EHR Feasibility, patient
recruitment, study conduct,
safety
CDISC, i2b2, …
p-medicine Imaging, biobank
data, VPH modelling
data (oncosimulator)
ALL, breast cancer, Wilms
tumour
VPH SHARE, …

Methods
• Exploration of national and European legal requirements,
and access policies
• Creation of data privacy profiles
• Definition of zones, filters and linkers
• Analysis of privacy requirements associated with the data
flow and workflow for research access and linking of
different data sources:
• primary care data repositories
• electronic health records (EHR)
• clinical research database, genetic and cancer
registries

Results
A data privacy framework was developed that is based
on two complementary components
Principles that give guidance for the treatment of
questions about data security and confidentiality
Formal description that allows, with the help of a zone
model, a risk gradient and data flow structures, the
creation of a structural represen-tation of complex
relations between data security and confidentiality that
can be found in health research

Health information
• Access and sharing of large amounts of heterogeneous
distributed data
• Inclusion of sensitive private data
• Privacy violation is irreversible and a social problem (trust
problem)
• Increasing role of patient empowerment (suitable form of
consent)
• Privacy Enhancing Technologies (PET) exist, necessity
for integration in workflow

Regulatory requirementsRegulatory requirements
Privacy Frameworks help organizations identify and manage
privacy risk to employ suitable products and services to
protect individuals’ data privacy
The EU GDPR (General Data Protection Regulation)
requires organisations to implement “appropriate
technical and organisational measures” to secure
personal data that these organisations process
Follow the accountability principle: being responsible for,
and able to demonstrate, compliance with the
Regulation’s data processing principles
A privacy framework is a formal structure for managing the
security of personal data and thus can help with
compliance issues

Requirements for a privacy framework
• Should satisfy the different privacy needs for research
access:
• Primary Care databases (e.g. GPRD, LINH)
• EHRs, Family Practice EHR, Hospital EHR
• Clinical research databases (e.g. clinical trials, cohort
studies)
• Personal and sensitive data (EU GDPR)
• Registries (e.g. cancer) and repositories rules
• Genetic databases rules

Requirements for a privacy framework
• Applicable across medical care and clinical research
• Consideration of:
• Different data sources (primary, secondary)
• Different fields (phenotype, genotype data)
• Different diseases (diabetes, gastro-oesophageal reflux
disease, cancer)
• Variations between countries and regions in Europe
(legal, ethical, practice related)

Privacy Enhancing Technology (PET)Privacy Enhancing Technology (PET)
Privacy-enhancing technology (PET) should be considered
in our model
PET allows users to protect the privacy of their personally
identifiable information (PII) provided to and handled by
services or applications
PET minimizes the possession of personal data without
losing the functionality of the data system
4 categories
Encryption tools
Policy tools
Filtering tools
Anonymity tools

The Zone ModelThe Zone Model

Privacy Zone ModelPrivacy Zone Model
Our model is built upon the concept of three privacy zones
(Care Zone, Non-care Zone and Research Zone)
containing databases, data transformation operators, such
as data linkers and privacy filters.
Using our model components, a risk gradient for moving
data from a zone of high risk for patient identification to a
zone of low risk can be created
The model was applied to the analysis of data flows in
several general clinical research use cases and two
research scenarios from the TRANSFoRm project
The model was validated by representing research done
with the NIVEL Primary Care Database in the Netherlands

Building blocks of the Model
ZoneZone
Sub-ZoneSub-Zone
Data privacy
filter
Data privacy
filter
Data linkerData linker
Enables connections within or between zones and sub-zones
One-way coding or two-way coding
Comparable areas; data can be used for same or similar purposes
Tools for anonymisation, pseudo-nymisation, coding and data
aggregation
PET (Privacy Enhancing Technologies)
Areas of low, middle and high risk of identification of patients
Areas of similarity in regard to purpose, policies and regulations

Privacy Zone ModelPrivacy Zone Model
An easy model to display policies and rules for data privacy
Novel concept of privacy zones for research data flow
A risk gradient runs from high risk to low risk for patient
identification
The zone model can be used for all important research scenarios
Different types of research are considered in each of the three
zones
See:
Wolfgang Kuchinke, Christian Ohmann, Robert A. Verheij, Evert-Ben van Veen, Theodoros N.
Arvanitis, Adel Taweel, Brendan C. Delaney. A standardised graphic method for describing
data privacy frameworks in primary care research using a flexible zone model. International
Journal of Medical Informatics, Volume 83, Issue 12, 2014, Pages 941-957, ISSN 1386-5056,
https://doi.org/10.1016/j.ijmedinf.2014.08.009.

Example for care data registry

Data flow example of the Extract data Use Case
Use case „Extract data“ with database search by GP and researcher

Notation
Zones and sub-zones
Zones are areas where the same rules for data
protection apply
Data repositories (research databases) reside inside the
zones
Three types of zones: care, non-care and research zone
Actors (e.g. physician, researcher,...)
Arrows represent data transfer between data repositories
Broken arrows represent research questions, data
queries
Data protection filters (pseudonymisation, anonymisation,
obfuscation, ...)
Data linkers connect data records (can be one-way and
two way)

Notation

Risk gradient
high risk
low risk
identification

Care scenario
Care example :
•Special trust relationship
between patient and
physician
•Patient data is collected in
physician’s EHR database

Patient recruitment
Use Case A: recruitment of patients
by treating physician in the care zone
Use Case B: recruitment using a
database in the non-care zone

Research scenario
Research Example 1:
•Two databases located in
the same sub-zone of the
non-care zone (e.g.
cancer registries,
administrative registers)
•Connected through data
privacy filters with other
databases

Linking of databases
Linking scenario 1:
•Linking of data-bases in the
non-care zone
•Researcher receives pseudo-
nymised (or coded
anonymised) data or
completely anonymised data
in response to his research
question and authorisation

Linking of databases
Linking scenario 2:
•Linking of a data-base in the
care zone with a database in
the non-care zone
•Researcher receives
pseudonymised (or coded
anonymised) data or
completely anonymised data
in response to his research
question and authorisation

TRANSFoRm
members

Contact
Wolfgang Kuchinke
Heinrich-Heine University Duesseldorf, Duesseldorf,
Germany
wolfgang.kuchinke@uni-duesseldorf.de
See:
www.transformproject.eu
www.ecrin.org

Zone model for data privacy and confidentiality in medical research

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Similar to Zone model for data privacy and confidentiality in medical research

Similar to Zone model for data privacy and confidentiality in medical research (20)

More from Wolfgang Kuchinke

More from Wolfgang Kuchinke (14)

Recently uploaded

Recently uploaded (20)

Zone model for data privacy and confidentiality in medical research