SLMS Pseudonymisation Plan

LONDON’S GLOBAL UNIVERSITY
Document Information
Document Name: SLMS-IG14 Pseudonymisation Plan
Author: Shane Murphy
Issue Date: 02/08/2013
Approved by: Chair of SLMS IGSG
Next review: Three years
Document History
Version | Date | Summary of change
0.1 | 27/02/2013 | Initial draft
0.2 | 17/06/2013 | First draft for discussion
0.3 | 24/06/2013 | Revision with comments from IDHS Steering Group members
0.4 | 09/07/13 | Revised with comments from IDHS Steering Group members
1.0 | 02/08/2013 | Approved by Chair of SLMS IGSG

SLMS-IG14 Pseudonymisation Plan v1.0 – Page 1 of 19
Contents
1 Background ... 3
2 Objectives & Sponsorship ... 3
3 Plan ... 3
Appendix 1 – Checklist on Department of Health Guidance ... 12
Appendix 2 – SLMS Information Governance Documentation ... 15
1 BACKGROUND
The need for a Pseudonymisation Plan is based upon the Information Governance Toolkit
requirement for IG 334. The IG Toolkit requires:
“…a clear plan for protecting the confidentiality of service user information by using
appropriate pseudonymisation and anonymisation methods for purposes other than direct
care.”
The plan must be developed in line with Department of Health Guidelines and must also be
signed off by the UCL SLMS Information Governance Steering Group (IGSG). Responsibility
for implementation has been assigned to a named individual or group.
The Data Protection Act 1998 requires that individual research data subjects cannot be
identified from data used to support purposes other than their direct care. Where this is not
practicable the SLMS must put processes in place that minimise the risk to data.
One way that this is being handled within the SLMS is the introduction of the IDHS ‘safe
haven’, which provides secure storage and transfer facilities. In this environment identifiable
data can be processed securely and will only be used in an identifiable form within the safe
haven boundary.
2 OBJECTIVES & SPONSORSHIP
This document details a plan for the implementation of procedures to provide
pseudonymisation of identifiable data within the SLMS to ensure compliance with the
requirements of the IG Toolkit and Data Protection Act 1998.
The aims of the plan are to:
• ensure that pseudonymisation and anonymisation are used for all secondary purposes where patient consent has not been granted or permission to process confidential service user data is not provided by law
• establish formal safe haven, anonymisation and pseudonymisation processes which are in line with DH guidelines, including multiple pseudonym generation where appropriate
• prevent onward disclosure of data which hasn’t been anonymised or pseudonymised, except in exceptional circumstances where the necessary authorisation has been documented and risks to the confidentiality of individual research subjects mitigated
• detail how Pseudonymisation Rules will be developed and techniques applied
Although the specific pseudonymisation techniques used in a research study will be
implemented by the study itself, this document details steps taken at the SLMS organisational
level to develop and promote good practice.
This document makes reference to the Identifiable Data Handling Solution (IDHS) project,
which has delivered some of the initial requirements of this plan. Whilst requirements may
have been initiated as part of a project, the SLMS Information Governance Management
Framework has now been established and provides overall sponsorship and accountability for
these activities.
3 PLAN
The plan table has the columns Item no, Title, Description, Action, Owner and Due date. Each item is set out below.

Item 1 – Flows of Identifiable Data and Information Assets Identified
Description: All data flows for non-care related purposes must be identified. Suitable controls are implemented to ensure de-identified data are processed for all secondary purposes where patient consent has not been granted or permission to process confidential service user data is not provided by law. Identify all sensitive data fields in these flows to facilitate suitable de-identification, including the following:
• Patient name
• Patient address
• Patient DOB
• Patient postcode (in rural areas)*
• Patient NHS Number
• Patient ethnic category
• Patient Pathway Identifier
• SUS spell identifier
• Local Patient identifier
• Patient Unique booking reference number
• Patient Social Service Client identifier
• Any other unique identifier
• Date of Death
Actions:
• Identify all non-care data related flows using ‘SLMS-IG11 Information Risk Assessment Tool’. Confirm all known flows identified.
• Produce a set of Pseudonymisation rules to be assessed and peer reviewed at Workshop.
Owner: Research Study Principal Investigators; IG Coordinator and IDHS project
Due date: February 2014

Item 2 – Users of Identifiable Data Registration and Authorisation Policies and Procedures (including Access Control Functionality)
Description: IDHS provides a logical safe haven in relation to processing of non-care related patient data for PIs. Access control is limited to specific users. User registration and authorisation requirements are documented. Policies, procedures, rules and parameters are to be drawn up for their effective operation, e.g. a need to vet, register and authorise users in line with e-GIF3 guidelines. Ability to confirm identification and residency are prerequisites; transfer of patient identifiable data where necessary between two organisations’ safe havens. Access control functionality to enable authorised users to access relevant subsets of identifiable and pseudonymised research data subject information.
Actions:
• Produce a set of Pseudonymisation rules to be assessed and peer reviewed at Workshop.
• Produce Standard Operating Procedures (SOPs) for the control of pseudonymised data in a safe haven environment for the IDHS.
• Produce suitable SOPs for IDHS.
• Confirm SOP robustness (see Appendix 2 for a full list of documentation).
Owner: IG Coordinator and IDHS project; IT for SLMS Infrastructure Team Manager; IG Coordinator
Due date: September 2013

Item 3 – Data Management
Description: Internal controls ensure data is securely held and access is granted rather than transferring data needlessly to other staff. Data management controls ensure the separation and security of identifiable data from pseudonymised data. Research data subject information is held in identifiable and pseudonymised formats. Management requirement is that this data is kept logically separate. Conformance to the DD ISO/TS 25237:2008 requirements is to be specified in the Pseudonymisation rules. These will include:
• Stripping out/redacting personal identifiers
• Pseudonymisation – replacing personal identifiers with other values
• Aggregated data
• Derivations – DOB replaced with age or age range
• Warning notice and Disclaimer on all data to be produced
• Data quality controls on data fields that include specific rules on those data fields that have the capability of identifying individuals. Mandatory use of risk assessments to mitigate the risks of re-identification, e.g. research datasets if combined do not carry any personal data that can identify an individual, and use of the national care record data standards embodied in the Logical Record Architecture (LRA). This will support data quality in both source systems and secondary use systems, structuring the records so that information can be incorporated into electronic records, and interoperability between systems, so that information can be shared with other healthcare providers and analysed with confidence.
Actions:
• Produce Pseudonymisation rules and guidance for the DD ISO/TS 25237:2008.
• Produce SOPs for internal controls.
• Jointly review SOPs for internal controls and produce a brief report for the IGSG to give the necessary data handling assurances.
• Produce Pseudonymisation rules and guidance on DD ISO/TS 25237:2008 and assess these for adequacy and robustness.
Owner: IG Coordinator; IT for SLMS Infrastructure Team Manager; IT for SLMS Infrastructure Team Manager, IG Lead and IG Coordinator; IG Lead and IG Coordinator
Due date: September 2013

Item 4 – Commissioned Research Procedures
Description: Identification of Commissioned Research Business Processes currently in place. This is with a view to ensuring that the processes reflect information governance best practice and that they include, as part of the terms and conditions, suitable clauses for Data Protection, FOI and incident management assistance. The use of suitable clauses setting out pseudonymisation, information security and indemnity obligations should be included.
Action: Provide the business processes, procedures and controls currently in place.
Owner: Research Study Principal Investigator
Due date: Ongoing until June 2014

Item 5 – Organisational Awareness and Training for IG
Description: Staff awareness and training materials – the minimum dataset concept for all direct medical care use is carried over to secondary use to effectively de-identify the service user. Pseudonymisation techniques identified.
Actions:
• Staff awareness and training materials to be produced (e.g. SLMS-IG04 Data Handling Guidance for Principal Investigators User Group and SLMS-IG16 SLMS Induction).
• Documents to be submitted to IGSG for approval.
Owner: IG Coordinator; SLMS IGSG
Due date: Ongoing until June 2014

Item 6 – Partnership and Peer Working
Description: Identify all those organisations from whom research is commissioned and who must comply with UCL pseudonymisation requirements; this data can be obtained from the data flow mapping exercise information. UCL Information Sharing Agreements – and any other necessary contractual requirement – need to be in place in relation to the transfer of data. Whilst this may not be perceived as a Dept. of Health requirement, it ensures a holistic approach by UCL and compliance with the Data Protection Act 1998.
Actions:
• Check and identify those organisations from whom research is commissioned by analysing SLMS-IG11 Information Risk Assessment Tool completed submissions.
• The UCL SLMS Information Sharing Agreements to be drafted.
• Peer review of the UCL SLMS Information Sharing Agreements.
Owner: IG Coordinator; IG Lead and IG Coordinator; UCLP
Due date: January 2014

Item 7 – Pseudonymisation functionality, safe haven and end user applications
Description: Obtain a copy of the DD ISO/TS 25237:2008, which details the minimum standards for the operation of a Pseudonymisation service in healthcare, to be assessed and guidance to be produced for SLMS staff.
Pseudonymisation functionality: implemented locally, and the methodology should be identified. There are options on the facilities to provide pseudonyms, and these need to be catered for in local plans. The options are provision of i) a standard methodology suitable for local implementation, ii) sample code for SQL Server and Oracle as a basis for local implementation, iii) a solution through the existing local system supplier and iv) services by external suppliers into local systems or through ‘black box’ solutions.
Safe haven and back office functions: SLMS procedures to restrict access levels to identifiable data for those who have access for data quality, derivations and record linkage purposes.
End user applications – review and modify: those applications that provide identifiable data need to be amended to provide separate views of identifiable and pseudonymised data. The applications need to interact with the access controls specified in R10. Review existing applications and user views to assess whether modifications are required for separation of views and access controls.
Actions:
• Assess BSI standard and provide guidance for SLMS staff.
• Confirm that IDHS and related SOPs are compliant with guidance.
Owner: IG Lead and IG Coordinator; IT for SLMS Infrastructure Manager
Due date: March 2014

Item 8 – Business process – review and modify
Description: UCL Information Sharing Agreement templates, SLMS IG-14 Pseudonymisation Rules and SLMS-IG14 Health Informatics – Pseudonymisation ISO/TS 25237:2008 Overview are based upon the Connecting for Health (CfH) Pseudonymisation Guidance materials. This ensures as far as is practicable that all relevant aspects of the SLMS operational requirements and those of its partners are suitably compliant.
Actions:
• Produce Pseudonymisation rules that address the requirement.
• Submit document for IGSG approval.
Owner: IG Coordinator; SLMS IGSG
Due date: September 2013

Item 9 – Log and audit trail for access to identifiable data
Description: Use of Patient Identifiable Data (PID) is in accord with the NHS Care Record Guarantee to respect the rights, promotion of health and wellbeing of service users, using the concept of the minimum dataset.
Action: Produce documents for peer group review at workshop. The documents are to address the following requirements:
• SLMS requires that NHS organisations provide data extracts where the relevant ISO standard 25237:2008 Health Informatics Pseudonymisation is followed.
• Patient labels where possible are not presented to the SLMS as NHS numbers, local patient identifiers or any other form of unique identifier. The patient label should where possible be a pseudonym or table row number.
• All of the data items identified in Row 001 (above) are considered to be sensitive data and should where possible be de-identified prior to transfer from the NHS organisation to the SLMS.
• The use of derivations for particular data fields is a practical form of de-identification, and some standard uses include the following: using partial postcode data, e.g. the first 4 digits rather than the full postcode; use of age bands rather than DOB.
• Pseudonymisation, if used by the SLMS, will need to be considered carefully. Ideally, for data linkage and the development of a rich data source, the same pseudonym can be applied to the same patient across multiple datasets. However, with the removal of identifiers, de-identified records may not be able to be linked with confidence.
• Identification of any commissioner business processes and the controls and process to be adopted.
Owner: IG Coordinator
Due date: September 2013

Item 10 – NHS Operating Framework Requirements 2010-2011
Description: Deliverables for the Pseudonymisation Plan are linked to the 2010/11 Operating Framework requirements on Pseudonymisation and the IG Toolkit requirements 11-334 to attainment Level 2. These are in summary:
• It is NHS policy and a legal requirement that patient level data should not contain identifiers when they are used for purposes other than the direct care of patients, including local flows within or between organisations as well as data extracted from the Secondary Uses Service.
• ensure that relevant staff are aware of and trained to be able to use anonymised or pseudonymised data;
• ensure appropriate changes are made to processes, systems and security mechanisms in order to facilitate the use of de-identified data in place of patient identifiable data; and
• use the latest IG Toolkit to assist in implementation and assessment of compliance with policy and legal requirements.
Action: Review SLMS IG-14 Pseudonymisation Plan to have suitable assurances that the IG Toolkit v11 - 334 requirements are satisfied.
Owner: Identified by Principal Investigators and reviewed by IG Lead and IG Coordinator; SLMS IGSG
Due date: September 2013
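The Data Management rules (stripping identifiers, pseudonymisation, derivations such as DOB to an age range) and the NHS Operating Framework points on partial postcodes, age bands and applying the same pseudonym to a patient across datasets, worked through in Python as an added example that is not part of the SLMS plan. The keyed-HMAC pseudonym, the field names and the sample record are assumptions; the plan leaves the pseudonymisation method to each study.

```python
"""De-identification of a patient-level extract following the plan's rules:
strip direct identifiers, replace the NHS number with a pseudonym, keep only
the first four characters of the postcode and replace DOB with an age band.
Added example; field names, sample data and the HMAC mechanism are assumed."""
import hashlib
import hmac
from datetime import date

# Direct identifiers from plan item 1 that are removed rather than derived.
STRIP = {"patient_name", "patient_address", "local_patient_id",
         "booking_ref", "date_of_death"}


def valid_nhs_number(nhs: str) -> bool:
    """Modulus-11 check digit of an NHS number: a data-quality control so a
    malformed identifier is rejected instead of silently pseudonymised."""
    if len(nhs) != 10 or not nhs.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(nhs[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11          # remainder 0 -> check digit 0
    return check != 10 and check == int(nhs[9])


def pseudonym(nhs: str, study_key: bytes) -> str:
    """HMAC-SHA256 of the NHS number under a per-study key kept inside the safe
    haven. Same key + same identifier -> same pseudonym, so one patient's records
    link across a study's datasets; a different key gives an unrelated pseudonym,
    so two studies' extracts cannot be joined on it (multiple pseudonyms).
    Keyed, because the 10-digit NHS number space is small enough to enumerate
    against an unkeyed hash."""
    if not valid_nhs_number(nhs):
        raise ValueError("malformed NHS number")
    mac = hmac.new(study_key, nhs.encode("ascii"), hashlib.sha256).hexdigest()
    return "P-" + mac[:16]


def partial_postcode(postcode: str) -> str:
    """Derivation: the first four characters of the postcode, not the full code."""
    return postcode.replace(" ", "").upper()[:4]


def age_band(dob: date, on: date, width: int = 10) -> str:
    """Derivation: DOB replaced by an age band such as '30-39', computed as at a
    fixed reference date so the output is reproducible and carries no DOB."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = age // width * width
    return f"{low}-{low + width - 1}"


def deidentify(record: dict, study_key: bytes, on: date) -> dict:
    """Build the pseudonymised copy; the identifiable record is not modified, so
    the two stay logically separate as the Data Management row requires."""
    derived = {"nhs_number", "postcode", "patient_dob"}
    out = {k: v for k, v in record.items() if k not in STRIP | derived}
    out["pseudonym"] = pseudonym(record["nhs_number"], study_key)
    out["postcode_partial"] = partial_postcode(record["postcode"])
    out["age_band"] = age_band(record["patient_dob"], on)
    return out


# Constructed sample record; 9434765919 passes the NHS check-digit test.
SAMPLE = {"nhs_number": "9434765919", "patient_name": "A. Example",
          "patient_address": "1 Example Street, London", "postcode": "WC1E 6BT",
          "patient_dob": date(1975, 6, 15), "local_patient_id": "LP-0001",
          "booking_ref": "UBRN-0001", "date_of_death": None,
          "diagnosis_code": "I10"}
REFERENCE_DATE = date(2013, 8, 2)            # fixed "as at" date for age bands
STUDY_A_KEY = b"constructed key for study A"  # placeholders: real keys are secret
STUDY_B_KEY = b"constructed key for study B"

if __name__ == "__main__":
    print(deidentify(SAMPLE, STUDY_A_KEY, REFERENCE_DATE))
```

Running the block prints the de-identified copy of the sample; re-running with STUDY_B_KEY shows the pseudonym change while the derived fields stay the same.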
APPENDIX 1 – CHECKLIST ON DEPARTMENT OF HEALTH GUIDANCE
The Pseudonymisation Implementation Project (PIP) Planning Template and Guidance was published and used within the IG Toolkit versions 8 through to 9 inclusive. It set out a structured approach for users of the IG Toolkit to ensure that they were in compliance with pseudonymisation requirements.

The checklist has the columns PIP Planning Template Requirements, Maps to Pseudonymisation Plan and SLMS Activity/Evidence.

R1 Project established; Sponsorship
Maps to: Section 2 Objectives and Sponsorship
SLMS Activity/Evidence: SIRO overall sponsor

R2 Policies and procedures for approving access to identifiable data
Maps to: Table row 2 Users of Identifiable Data Registration and Authorisation Policies and Procedures (including Access Control Functionality)
SLMS Activity/Evidence: Information Sharing Agreement templates; IDHS SOPs. Linked to R5.

R3 Organisational awareness and training for IG
Maps to: Table row 5 Organisational Awareness and Training for IG
SLMS Activity/Evidence: SLMS-IG16 Training Needs Analysis; SLMS-IG17 Training Records and Materials. Documents provide a comprehensive level of training to cover IG and Pseudonymisation requirements.

R4 Flows of identifiable data and information assets identified
Maps to: Table row 5 Data Management
SLMS Activity/Evidence: SLMS IG-11 Information Risk Assessment Tool completion. Establishment of Information Asset Owners documented in SLMS-IG11 Information Risk Assessment Tool.

R5 Users of identifiable data
Maps to: Table row 2 Users of Identifiable Data Registration and Authorisation Policies and Procedures (including Access Control Functionality)
SLMS Activity/Evidence: IDHS SOPs defining enrolment process, authorisation process and justification for access.

R6 Data management – review and modify
Maps to: Table row 3 Data Management
SLMS Activity/Evidence: IDHS provides the ability to separate and secure identifiable data. Research subject information is held in identifiable and pseudonymised formats. Management requirement is that this data is kept logically separate.

R7 Pseudonymisation functionality
Maps to: Table row 7 Pseudonymisation functionality, safe haven and end user applications
SLMS Activity/Evidence: Implemented locally; methodology should be identified.

R8 Safe haven and back office functions
Maps to: Table row 7 Pseudonymisation functionality, safe haven and end user applications
SLMS Activity/Evidence: The SLMS procedures restrict access levels to identifiable data for those who have access for data quality, derivations and record linkage purposes.

R9 Access control functionality
Maps to: Table row 2 Users of Identifiable Data Registration and Authorisation Policies and Procedures (including Access Control Functionality)
SLMS Activity/Evidence: Controlled access to relevant subsets of identifiable and pseudonymised research subject information. Linked to R5 and R11.

R10 User registration and authorisation
Maps to: Table row 2 Users of Identifiable Data Registration and Authorisation Policies and Procedures (including Access Control Functionality)
SLMS Activity/Evidence: Need to vet, register and authorise users in line with e-GIF3 guidelines. Ability to confirm identification and residency are prerequisites.

R11 End user applications – review and modify
Maps to: Table row 7 Pseudonymisation functionality, safe haven and end user applications
SLMS Activity/Evidence: Appl��cations providing access to identifiable and pseudonymised data should provide, and be used in a manner that separates, views of identifiable and pseudonymised data. These applications will need to be subject to the access controls specified in R10. Review existing applications used to view both identifiable and pseudonymised data. Assess whether modifications are required for separation of views and access controls.

R12 Business process – review and modify
Maps to: Table row 8 Business Process – review and modify
SLMS Activity/Evidence: Business processes should be reviewed to assess the impact of pseudonymised data and whether affected processes require modification. Use of Information Sharing Agreement templates to formalise arrangements underpinned by utilising particular pseudonymisation techniques.

R13 Log and audit trails for access to identifiable data
Maps to: Table row 9 Log and audit trail for access to identifiable data
SLMS Activity/Evidence: Auditing of access to identifiable data by users should be enabled and logged. This is provided by the IDHS and equivalent systems and is necessary to support the NHS Care Record Guarantee.

R14 Implementation complete
SLMS IG-14 Pseudonymisation Plan v0.4F
APPENDIX 2 – SLMS INFORMATION GOVERNANCE DOCUMENTATION
The table has the columns Ref, Document or set of documents, Description, IG Toolkit Requirement and Approval.

SLMS-IG01 IG Steering Group Terms of Reference
Description: Terms of Reference for SLMS IG Steering Group (IGSG)
IG Toolkit Requirement: 10-120
Approval: IGSG

SLMS-IG02 SIRO Role Description
Description: Role description for SLMS Senior Information Risk Officer (SIRO)
IG Toolkit Requirement: 10-121
Approval: SIRO

SLMS-IG03 SLMS IG Policy
Description: IG Policy for SLMS (available on Intranet)
IG Toolkit Requirement: 10-335, 10-220, 10-223, 10-120, 10-123
Approval: IGSG

SLMS-IG04 Data Handling Guidance for Principal Investigators
Description: Guidance to Research Study Principal Investigators on confidential data handling and secure transfer (available on Intranet and through induction process)
IG Toolkit Requirement: 10-220, 10-221, 10-222, 10-331, 10-333
Approval: IGSG

SLMS-IG05 IG Lead Role
Description: Role description for SLMS IG Lead
IG Toolkit Requirement: 10-120
Approval: IGSG

SLMS-IG06 IG Improvement Plan
Description: Improvement Plan that documents current level of IG Toolkit compliance and identifies targets for the next level of compliance
IG Toolkit Requirement: 10-120
Approval: IGSG

SLMS-IG07 IG Officer Role
Description: Role description for SLMS IG Officer
IG Toolkit Requirement: 10-120
Approval: IGSG

SLMS-IG08 HR Contracts Audit
Description: Audit of HR contracts for staff, contractors and third parties. Contains recommendations and action plan for implementation
IG Toolkit Requirement: 10-122
Approval: IGSG

SLMS-IG09 Confidentiality Audit Guidelines
Description: Confidentiality audit guidelines including template monitoring sheet
IG Toolkit Requirement: 10-222, 10-221
Approval: IGSG

SLMS-IG10 Report on data flows outside UK
Description: Review with data protection office; review of studies sending outside EEA
IG Toolkit Requirement: 10-221
Approval: IGSG

SLMS-IG11 Information Risk Assessment Tool
Description: Spreadsheet used to capture information assets and assess risk associated with transfer and storage of identifiable data
IG Toolkit Requirement: 10-331, 10-223, 10-332
Approval: IGSG

SLMS-IG12 IDHS Technical Solution IG Toolkit Compliance (Policy, Procedures for approval and authorisation)
Description: User authorisation process and acceptable use. Completed information risk assessment for IDHS. Two factor authentication, encryption, AV and back up issues addressed. Completed physical security risk assessment for IDHS. Technical spec and system reports detailing users and equipment allocated.
IG Toolkit Requirement: 10-330, 10-331, 10-223, 10-222, 10-332, 10-333, 10-123
Approval: IGSG

SLMS-IG13 Physical Security Risk Assessment Tool
Description: Tool to assess physical security and produce action plan
IG Toolkit Requirement: 10-332
Approval: IGSG

SLMS-IG14 Pseudonymisation Rules
Description: Key Pseudonymisation guidelines
IG Toolkit Requirement: 10-334
Approval: IGSG

SLMS-IG14 Pseudonymisation Plan
Description: Approach to implementing Pseudonymisation guidance
IG Toolkit Requirement: 10-334
Approval: IGSG

SLMS-IG14 Health Informatics – Pseudonymisation Overview
Description: Overview of BSI pseudonymisation standard
IG Toolkit Requirement: 10-335
Approval: IGSG

SLMS-IG15 Incident reporting procedure
Description: Process describing how information incidents are reported, incorporating IG Toolkit v11 guidance
IG Toolkit Requirement: 10-120
Approval: IGSG

SLMS-IG16 Training Needs Analysis
Description: Analysis of Training Needs
IG Toolkit Requirement: 10-123

SLMS-IG17 Training records and materials
Description: Records of training tool completion, materials from awareness raising and roadshow sessions. Attendance lists from induction

SLMS-IG20 HR Contractual Clauses or Policy Updates
Description: Contractual clauses covering IG requirements and confidentiality linked to disciplinary procedures, and action plan to ensure new contracts have requisite compliance. Use of an NDA for third parties and contractors
IG Toolkit Requirement: 10-122

SLMS-IG21 Mobile and Teleworking authorisation and Acceptable Use Policy
Description: Policy for SLMS Mobile and Teleworking authorisation and Acceptable Use Policy. Includes technical specification and leavers process
IG Toolkit Requirement: 10-330
Approval: IGSG / SWG

SLMS-IG22 Information Sharing Agreement templates
• ISA where UCL is not the Data Controller: The UCL SLMS is receiving data from a Data Controller
• ISA where UCL is the data controller: The UCL SLMS is the Data Controller and is asking a third party to process the data
• ISA where UCL is a Data Controller in common: The UCL SLMS is a data controller in common
IG Toolkit Requirement: n/a
Approval: NHS; UCL Partners