Agenda

• Problem• Existing Approaches• The e-Lab• Is DRM the solution?

Climate Change

Problem

• Potentially identifiable data required for effective research• Individuals have a right to confidentiality and privacy• Potentially identifiable data should not be:

– Redistributed• Release under defined conditions

– Linked to other data • Risk of deductive disclosure

• Potentially identifiable data should be:– Stored securely– Destroyed after use

Potentially Identifiable Information

• Individual records even if they do not include variables, such as names, full postcodes, and dates of birth which would make them obviously identifiable;

• Tabular data, based on small geographic areas, with cell counts of fewer than five cases/events (or where counts of less than five can be inferred by simple arithmetic) – hereafter referred to as “sparse cells”

• Tabular data containing cells that have underlying population denominators of less than approximately 1,000

– Source UKACR

Existing approaches

• Locked rooms, locked down machines– Used by many national statistical services

• Does not scale

Existing approaches

• Policy– User bound by terms and conditions or

contract of employment or professional governance bodies

UKACR Policy• the intended use(s) of the data should be stated clearly• the use(s) of the data should be justified and the data should not be

used for any other purpose(s)• the data should not be passed on to other third parties or released

into the public domain• the data should be kept securely for the period of time that can be

justified by the stated purpose, and then destroyed• no attempt should be made to identify information pertaining to

particular individuals or to contact individuals• no attempt should be made to link the data to other data sets, unless

agreed with the data providers

Existing approaches

• Policy– User bound by terms and conditions or

contract of employment or professional governance bodies

• Policing– Doesn’t scale

North West e-Health

• Joint Project: SRFT, SPCT, UoMFounded on UoM/ Salford NHS experience and expertise

• Based on the establishment of an e-Lab federation: “that will allow the partners to pool and develop their expertise and resources, acting together for mutual benefit and for the benefit of other stakeholders and clients”

• NWDA core-funding• Potential for self-sustaining entity

What is an e-Lab

...an information system bringing together data, analytical methods and people for timely, high-quality decision-making

Information Governance

• Designed for minimal disclosure• Only release items that user “Needs to

know”• Only release items that user “Has the right

to know”• Determined by the “e-Lab Governance

Board”

Information Governance

• Technical safeguards– Audit trails & monitoring– Anonymisation and Inference control

• Operational procedures– Users sign up to terms and conditions of use; bound by

employment contracts– Spot checks

• Governance Board + NREC Research Database Approval

NHS Trust

E-Lab

DataStore

Gov

erna

nce

Users

EHR

ClinicalData

Non-clinicalData

ClinicalData

IntegratedEHR

E-LabRepository

Non-clinicalData

2. Pseudonymisation, classification and

integration

1. Integration of primary and secondary care

records

Trust Systems Trust e-Lab

User DataStore

4. Anonymisation and inference

control

8. Storage

9. Data analysis and visualization

Access Control

e-Lab Tools

1 .User logs on and submits query

2. Access control module authorizes

request

3. Perform Data Query

E-LabRepository

Trust e-Lab

NHS

NHS Trust

E-Lab

DataStore

Governance Users

EHRNHS Trust

E-Lab

DataStore

Gov

erna

nce

Users

EHR

NHS Trust

E-Lab

DataStore

Gov

erna

nce

Users

EHR

NWeHBroker

NWeHUsers

Federated E-Lab

Governance

Broker

User DataStore

5. Per request keyed pseudonymisation

6. Data integration

7. Anonymisation and inference

control

8. Storage

9. Data analysis and visualization

NHS Trust e-Lab

NWeH – e-LabFederation

NHS Trust e-Lab

E-LabRepository

E-LabRepository

Access Control

e-Lab Tools

1 .User logs on and submits query

2. Access control module authorizes

request

3. Broker performs distributed query;

generate pseudonym keys

5. Per request keyed pseudonymisation

Data Users

e-LabBroker

e-Labs

Secondary Pseudonymised Data Flows

Pseudonymised Data Flows

DRM Solution?

• DRM used to prevent re-distribution• DRM used to prevent modification• DRM used to prevent linking to other data

DRM problems

• Not fail safe?• Better than just stopping the “casual

attacker”?• Perception is easy to crack or by-pass