Pseudonymisation Plan Data

Pseudonymisation
Project Plan
Pseudonymisation Project Plan v1
Version Control
Document Reference    Pseudonymisation Project Plan
Author                David Chapman
Issue Number          1.0
Date                  20/10/2010
Project Board / Stakeholders
Name                  Position
Stephen Dobson        Project Executive/Sponsor
Karen Foster          Approver
David Chapman         Approver
Michelle Cooper       Approver
Circulation List
Name                  Job Title
Paul Hampson          Head of Business Analysis
Pam Green             Data Quality Manager
Michelle Cooper       Business Intelligence Manager
Lisa Beck             Information Governance Officer
Karen Foster          Head of Business Intelligence
Stephen Dobson        Head of IM&T
David Chapman         Business Analyst
Revision History
Version Number        Revision Date         Nature of Change
1.0                                         Draft
Supporting Documentation
Type                                                    Details
Business Case For Information Asset Register
Summary of Pseudonymisation Implementation Guidance     pipguidev1_2.pdf
Acronyms / Abbreviations
Acronym    Definition
WWL        Wrightington, Wigan and Leigh NHS Foundation Trust
IAO        Information Asset Owner
IG         Information Governance
PIA        Privacy Impact Assessment
IAR        Information Asset Register
1. Introduction
The Trust has an obligation to put a plan together for the implementation of pseudonymisation in
order to meet level 1 of the Information Governance Toolkit.
The plan must include the processes and functions used for the pseudonymisation and anonymisation
of data for secondary purposes, e.g. commissioning. The plan must be ratified by the board and
assigned to an appropriate individual or committee.
The project can be closely tied to the current work stream, completion of the Information Asset
Register. That project includes the documentation of information flows and completion of risk and
privacy assessments for all information systems in use at WWL. This work is due to start in
November 2010.
2. Background
The Requirement
It is NHS policy and a legal requirement that, when patient data is used for purposes not involving the
direct care of the patient, i.e. Secondary Use, the patient should not be identified unless other legal
means hold, such as the patient’s consent or Section 251 approval.
This is set out clearly in the NHS policy document, ‘NHS Confidentiality Code of Practice’, which
states the need to ‘effectively anonymise’ patient data prior to the non-direct care usage being made
of the data.
The Issue
Many NHS organisations, both provider and commissioner, are probably operating outside this
guidance, and of course all organisations have an obligation to work within the law. Data itself cannot
be labelled as primary or secondary use data; it is the purpose of the disclosure and the usage of the
data that is either primary or secondary.
This means that it is legitimate to hold data in identifiable form, but it becomes essential to ensure that
only authorised users are able to have identifiable data disclosed to them. This in turn implies that
user behaviour and business processes will have to be modified and be supported by suitably robust
systems.
The Solution
This is not a simple task, although it can be resolved via a thorough review of current practice with
changes being made where applicable.
WWL will benefit as a result since patient confidentiality is improved as the risk of inadvertent,
inappropriate use or disclosure of patient details is minimised. Additionally the de-identification of
secondary use data is a component in enabling the Care Record Guarantee to be delivered as well as
demonstrating to the Information Commissioner progress in conforming to legal and policy
requirements.
A significant amount of work has already been undertaken by the Pseudonymisation Implementation
Project with input from a range of representatives of all NHS organisation types and as a result
comprehensive guidance is available.
As noted in Informatics Planning 2010/11 that was recently published alongside the Operating
Framework 2010/11 “all NHS Commissioners and providers of NHS commissioned care should…
complete implementation of pseudonymisation by March 2011….”.
3. Current Service Profile
The current service profile within WWL consists of Patient Identifiable data being passed between
WWL and ALW PCT for commissioning purposes. It is the intention of WWL and ALW to use SUS for
the exchange of commissioning datasets for the 3 biggest datasets, which are APC (Admitted Patient
Care), OPA (Outpatient Attendance) and AAE (A&E) next financial year, 2011/12.
As SUS doesn’t accept all datasets required by the commissioners, other data flows must exist. WWL
is aware that there are unknown data flows within the organisation. The primary reason for these
being set up is to meet commissioning requirements.
4. Future Service Profile
The implementation guidance, as outlined in the Pseudonymisation Implementation Project (PIP), has
identified that a locally implemented solution will be the most effective approach.
The guidance clearly outlines the flow of information both within provider organisations and between
providers and their commissioners.
Each diagram depicts a safe haven. The safe haven is an area which has restricted and controlled
access. For example, the NHS has used safe havens for over 20 years. In the past a specified
locked room with a fax machine would be used to send PID between NHS organisations. The same
principles need to be adhered to now.
Figure 1: Data Flows: Providers to Commissioners
[Diagram. Nodes: Provider System (authorised only, primary use); Provider System (other staff for secondary use); SUS; Commissioner System; SH (Safe Haven). Flow legend: Encrypted Identifiable CDS (NSH authorised staff only); Encrypted Identifiable Direct Flow; Identifiable Patient data; De-identified Patient Data.]
Figure 2: Data Flows within Providers
[Diagram. Nodes: ‘Departmental’ Systems; Provider Corporate Systems; SUS; Provider Users: Admin (authorised only, primary use) and Clinical (other staff for secondary use); External Data Source; SH (Safe Haven). Flow legend: Encrypted Identifiable CDS (NSH authorised staff only); (Encrypted) Identifiable (direct) flow; Identifiable Patient data; De-identified Patient Data.]
The data flow diagrams above have been taken from PIP guidance v1.2 (see Supporting
Documentation for more information).
5. Project Plan
The key stages of the project plan are identified below:
Identification of current external information flows
This will include the identification of all flows of information that leave the Trust, covering both
those that include PID and those that do not, for completeness.
There will be two work streams for this stage of the project:
1. Identify known data flows within the Business Intelligence and Finance departments.
2. Identify unknown data flows that exist in the business. These have generally been set up
within departments to comply with Trust and commissioning objectives without the involvement of
the Business Intelligence Team.
The second work stream will be completed as part of the implementation of the Trust Information
Asset Register. As part of that project each information system that the Trust has is analysed by the
IAO and the IAA, who are experts in their areas. This will enable us to have the best possible
understanding of the data and raise awareness of the obligation the Trust has to keep our
confidential data confidential.
ETL component for all identified systems into the Datawarehouse
With all Trust information systems identified, an ETL component will need to be created in order to
pull the information into the Datawarehouse.
The Trust’s Datawarehouse will act as a central repository for all information systems to ensure the
necessary controls are in place. All information/data that is then used for secondary purposes will be
taken from the Datawarehouse, where it can go through the pseudonymisation process.
Pseudonymisation Process
The Trust is going to adopt the use of Internal Patient Numbers as a pseudonymised key.
The premise for this is that each information system we currently have holds a unique internal number
for each patient that cannot be used to identify the patient through any of our current user
interfaces.
The solution will try to match each patient to the Master Patient Index (MPI) on PAS so that the
internal patient number within PAS can be used. If it is not matched then the internal number from the
source system will be used.
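The matching and key-substitution step described above, as an added example that is not part of the Trust's plan or code. It assumes (the plan does not say) that records are matched to the PAS MPI on NHS number, that direct identifiers are dropped from the secondary-use extract, and that the pseudonym is prefixed with its source system so PAS keys and fallback keys cannot collide; the MPI and the A&E extract are constructed sample data.

```python
# Added example: pseudonymise a secondary-use extract using internal patient
# numbers, matching to the PAS Master Patient Index (MPI) first.
# Assumptions (not stated in the plan): matching is on NHS number; keys are
# namespaced by source system; these direct identifiers are stripped.
DIRECT_IDENTIFIERS = {"nhs_number", "name", "dob", "postcode"}

# Constructed sample MPI: NHS number -> PAS internal patient number.
PAS_MPI = {
    "9434765919": "PAS000123",
    "9434765870": "PAS000456",
}


def pseudonymise(record, system, mpi=PAS_MPI):
    """Copy `record` without direct identifiers, adding `pseudo_id`.

    The key is the PAS internal number when the patient matches the MPI;
    otherwise the source system's own internal number is used (the plan's
    fallback). The internal number is only a pseudonym while the mapping
    back to the patient stays inside the source system / safe haven."""
    nhs_number = record.get("nhs_number")
    if nhs_number in mpi:
        key = "PAS:" + mpi[nhs_number]
    else:
        key = f"{system}:{record['internal_id']}"
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "internal_id"}
    out["pseudo_id"] = key
    return out


def pseudonymise_extract(records, system):
    """Pseudonymise a whole extract and refuse to release it if any direct
    identifier survives (a last-line check before data leaves the warehouse)."""
    out = [pseudonymise(r, system) for r in records]
    for r in out:
        leaked = DIRECT_IDENTIFIERS & set(r)
        if leaked:
            raise ValueError(f"direct identifiers leaked: {sorted(leaked)}")
    return out


# Constructed sample A&E extract: one patient on the MPI, one not.
SAMPLE_AE = [
    {"internal_id": "AE7781", "nhs_number": "9434765919", "name": "A. Patient",
     "dob": "1970-01-01", "postcode": "WN1 2NN", "attendance": "2010-10-01"},
    {"internal_id": "AE7782", "nhs_number": "9434760001", "name": "B. Patient",
     "dob": "1985-05-05", "postcode": "WN3 4AA", "attendance": "2010-10-02"},
]

if __name__ == "__main__":
    for row in pseudonymise_extract(SAMPLE_AE, "AE"):
        print(row)
```

Because the key comes from the MPI, the same patient appearing in an outpatient extract receives the same PAS key, which is what lets de-identified data from different systems be linked without identifiers.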
Governance
As part of this process policies and procedures will be created to govern the flow of data both
internally and externally. The Datawarehouse will act as the Trust’s Safe Haven, as all primary systems
will feed their data in and any required outputs will be generated from this source.
There will be controls and procedures in place so that anybody who requests access to patient
identifiable data will need to comply with the necessary requirements, to be outlined.
6. Sign Off / Approval
Requirements Approval
I agree that all the requirements listed in all sections of this document are correct and are a true
reflection of the requirements for this project.
These delivered requirements will provide improved business process functionality when compared to
the existing processes, without any adverse effects in the day-to-day running of the business.
I understand that any changes to these requirements, at any stage of the development process, will
require that a new version of the Business Requirements Specification be created and subsequently
approved according to the formal change control procedures for the project.
Name                  Position                            Signature    Date
Stephen Dobson        Head of IM&T
Karen Foster          Head of Business Intelligence
David Chapman         Business Analyst
Michelle Cooper       Business Intelligence Manager
Lisa Beck             Information Governance Coordinator
Signed off at Board/Committee
Board/Committee Name
Date
Responsible Manager/Committee for Implementation
Name                  Position          Signature    Date
Stephen Dobson        Head of IM&T