Pseudonymisation Project Plan Pseudonymisation Project Plan v1 Version Control Document Reference Author Issue Number Date Pseudonymisation Project Plan David Chapman 1.0 20/10/2010 Project Board / Stakeholders Name Position Stephen Dobson Karen Foster David Chapman Michelle Cooper Project Executive/Sponsor Approver Approver Approver Circulation List Name Job Title Paul Hampson Pam Green Michelle Cooper Lisa Beck Karen Foster Stephen Dobson David Chapman Head of Business Analysis Data Quality Manager Business Intelligence Manager Information Governance Officer Head of Business Intelligence Head of IM&T Business Analyst Revision History Version Number Revision Date 1.0 Nature of Change Draft Supporting Documentation Type Details Business Case For Information Asset Register Summary of Pseudonymisation Implementation Guidance pipguidev1_2.pdf Acronyms / Abbreviations Acronym Definition WWL IAO IG PIA IAR Wrightington, Wigan and Leigh NHS Foundation Trust Information Asset Owner Information Governance Privacy Impact Assessment Information Asset Register Page 2 Pseudonymisation Project Plan v1 1. Introduction The Trust has an obligation to put a plan together for the implementation of pseudonymisation in order to meet level 1 of the Information Governance Toolkit. The plan must include the processes and functions used for the pseudonymisation and anonymisation of data for secondary purpose e.g. commissioning. The plan must be ratified by the board and assigned to an appropriate individual or committee. The project can be closely tied with the current work stream, completion of Information Asset Register. This project includes the documentation of information flows and completion of risk and privacy assessments for all information systems in use at WWL. This work is due to start in November 2010. 2. Background The Requirement It is NHS policy and a legal requirement that, when patient data is used for purposes not involving the direct care of the patient, i.e. Secondary Use, the patient should not be identified unless other legal means hold, such as the patient’s consent or Section 251 approval. This is set out clearly in the NHS policy document, ‘NHS Confidentiality Code of Practice’, which states the need to ‘effectively anonymise’ patient data prior to the non-direct care usage being made of the data. The Issue Many NHS organisations, both provider and commissioner, are probably operating outside this guidance and of course all organisations have an obligation to work within the law. Data itself cannot be labelled as primary or secondary use data, it is the purpose of the disclosure and the usage of the data that is either primary or secondary. This means that it is legitimate to hold data in identifiable form, but it becomes essential to ensure that only authorised users are able to have identifiable data disclosed to them. This in turn implies that user behaviour and business processes will have to be modified and be supported by suitably robust systems. The Solution It is not a simple task although it can be resolved via a thorough review of current practice with changes being made where applicable. WWL will benefit as a result since patient confidentiality is improved as the risk of inadvertent, inappropriate use or disclosure of patient details is minimised. Additionally the de-identification of secondary use data is a component in enabling the Care Record Guarantee to be delivered as well as demonstrating to the Information Commissioner progress in conforming to legal and policy requirements. A significant amount of work has already been undertaken by the Pseudonymisation Implementation Project with input from a range of representatives of all NHS organisation types and as a result comprehensive guidance is available. As noted in Informatics Planning 2010/11 that was recently published alongside the Operating Framework 2010/11 “all NHS Commissioners and providers of NHS commissioned care should… complete implementation of pseudonymisation by March 2011….”. Page 3 Pseudonymisation Project Plan v1 3. Current Service Profile The current service profile within WWL consists of Patient Identifiable data being passed between WWL and ALW PCT for commissioning purposes. It is the intention of WWL and ALW to use SUS for the exchange of commissioning datasets for the 3 biggest datasets, which are APC (Admitted Patient Care), OPA (Outpatient Attendance) and AAE (A&E) next financial year, 2011/12. As SUS doesn’t accept all datasets required by the commissioners other data flows must exist. WWL is aware that there are unknown data flows within the organisation. The primary reason for these being set up is to meet commissioning requirements. 4. Future Service Profile The implementation guidance, as outlined in the Pseudonymisation Implementation Project (PIP), has identified that a locally implemented solution will be the most effective approach. The guidance clearly outlines the flow of information both within provider organisations and between providers and their commissioners. Each diagram depicts a safe haven. The safe haven is an area which has restricted and controlled access. For example, the NHS has used safe havens for over 20 years. In the past a specified locked room with a fax machine would be used to send PID between NHS organisations. The same principles need to be adhered to now. Figure 1: Data Flows: Providers to Commissioners Provider System SUS (authorised only, primary use) Commissioner System Provider System (other staff for secondary use) SH Provider System Encrypted Identifiable CDS (NSH authorised staff only) Encrypted Identifiable Direct Flow Identifiable Patient data De-identified Patient Data SH Safe Haven Page 4 Pseudonymisation Project Plan v1 Figure 2: Data Flows within Providers ‘Departmental’ Systems Provider Corporate Systems SUS SH Provider Users Admin (authorised only, primary use) (other staff for secondary use) Clinical SH (other staff for secondary use) External Data Source (authorised only, primary use) (NSH authorised staff only) Encrypted Identifiable CDS (Encrypted) Identifiable (direct) flow Identifiable Patient data De-identified Patient Data SH Safe Haven The following data flow diagrams have been taken from pip guidance v1.2 (see supporting documentation for more information). 5. Project Plan The key stages of the project plan are identified below; Identification of current external information flows This will include the identification of all flows of information that leave the trust. This will include both those that include and don’t include PID, for completeness. There will be two work streams for this stage of the project; 1. Identify known data flows within Business Intelligence and Finance departments 2. Identify unknown data flows that exist in the business. These have generally been set up within department to comply with Trust and commissioning objectives without the inclusion of the Business Intelligence Team. The second work stream will be completed as part of the implementation of the Trust Information Asset Register. As part of this project each information system that the Trust has in analysed by the IAO and the IAA, who are experts in their areas. This will enable us to have the best possible understanding of the data and raise the awareness of the obligation the Trust has to keep our confidential data confidential. ETL component for all identified systems into Datawarehouse With all Trust Information Systems identified an ETL component will need to be created in order to pull the information into the Datawarehouse. The Trusts Datawarehouse will act as a central repository for all information systems to ensure the necessary controls are in place. All information/data that is then used for secondary services will be taken from the Datawarehouse, where it can go through the pseudonymisation process. Page 5 Pseudonymisation Project Plan v1 Pseudonymisation Process The Trust is going to adapt the use of Internal Patient Numbers as a pseudonymised key. The premise for this is that each information system we currently have has a unique internal number for each patient that cannot be used to identify the patient, by using any of our current User Interfaces. The solution will try to match each patient to the Master Patient Index (MPI) on PAS so that the internal patient number within PAS can be used. If it is not matched then the internal number from the source system will be used. Governance As part of this process policies and procedures will be created to govern the flow of data both internally and externally. The Datawarehouse will act as the Trusts Safehaven as all primary systems will feed their data in and any required outputs will be generated from this source. There will be controls and procedures in place so that anybody who requests access to patient identifiable data will need to comply with the necessary requirements, to be outlined. Page 6 Pseudonymisation Project Plan v1 6. Sign Off / Approval Requirements Approval I agree that all the requirements listed in all sections of this document are correct and are a true reflection of the requirements for this project. These delivered requirements will provide improved business process functionality when compared to the existing processes, without any adverse effects in the day-to-day running of the business. I understand that any changes to these requirements, at any stage of the development process, will require that a new version of the Business Requirements Specification be created and subsequently approved according to the formal change control procedures for the project. Name Position Stephen Dobson Head of IM&T Karen Foster Head of Business Intelligence Business Analyst David Chapman Michelle Cooper Lisa Beck Signature Date Business Intelligence Manager Information Governance Coordinator Signed of at Board/Committee Board/Committee Name Date Responsible Manager/Committee for Implementation Name Position Stephen Dobson Head of IM&T Signature Date Page 7