Anonymisation & pseudonymisation in large data sets for medical research
Law and Ethics in e-Social Science Workshop, 24 June 2009
NCeSS Conference, Cologne, June 2009
David Trower
Chief Privacy Officer EMEA & Chair of Global Privacy Council
IMS Health
Who are IMS?
• US owned multi-national in 100+ markets globally
• EMEA region, headquartered in London, includes 30 countries with data protection laws
• Lead supplier of market intelligence and consulting services to the pharmaceutical and healthcare industries
• Additional information is available at http://www.imshealth.com.
Why is privacy so important to IMS?
• Matter of legal compliance and sanctions
• Critical as IMS an information based company
• Secure and gain access to data
• Gain competitive advantage
• We are good citizens
Our privacy gold standard
• Global Privacy Council, network of privacy officers
• IMS assessed as compliant, by independent legal opinion, in 17 European countries
• IMS use the latest privacy enhancing technologies and methodologies to anonymise physician and patient data
• IMS works with Data Privacy Commissioners and lobbies to create a legal framework supportive to medical research
Legal and regulatory considerations
• Data protection
• Patient confidentiality and medical secrecy
• Laws regulating clinical research
• Ethical committee requirements
• Physician association rules
Data protection law requirements
• Notification of processing to DP Authority
• Legal basis, often consent
• Transparency, notice to the individual
• No unauthorised secondary use
• Data must be relevant and not excessive
• Data quality obligations
• Individual rights, for example access to own data
• Information security
• Obligations in appointing outsourcers
• Strict rules on data transfers to outside the EU
The alternative is to anonymise
• So it is no longer ‘personal data’
• Legal rules then don’t apply
• Where is the dividing line?
• The data must no longer be identifiable
• Not an absolute test
• No longer a reasonably likely chance of re-identification (Recital 26 of DP Directive)
• No firm guidelines on meaning
Is pseudonymised data ‘personal’?
• Individual de-identified patient often coded
• Key held by physician
• Sometimes need to ‘go backwards’
• For validation and data quality purposes
• WP29 Paper on ‘Definition of Personal Data’
• Coded data not personal in hands of recipient when reverse process has no impact on individual
• But this position not universally adopted across EU
Secondary use of patient data at IMS
• Sensitive privacy issue for company
• Occasional nominative data in direct research
• Mostly anonymous or coded
• As part of syndicated services based on panels
• Ad hoc primary market research for specific clients
• ‘Anonymous line data’ can be provided to clients
Purposes
• Pharmacovigilance,
• Pharmacoepidemiology,
• Epidemiology,
• Health economics and outcomes research,
• Pharmaceutical market research
Types of survey
1. Direct to patient
2. Interventional
3. Physician observational studies (e.g. diary)
4. Physician retrospective studies
5. External researcher retrospective studies
6. EHR system data extraction
IMS anonymisation standard on full medical record
1. No direct identifiers
2. Patient geography minimum limit
3. Physician identity known only to panel management
4. Extreme values top coded
5. Rare Conditions filtered
6. Date of birth masked
7. Specific socio-economic information eliminated
8. Size of sample not to exceed set % of target population
9. Free text eliminated or filtered
10. Information security limits access
11. One way hashing of key where possible… no reverse process
12. Contractual guarantees on no re-identification sometimes used
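A sketch of how several of these rules can be applied to one record, added here as an illustration and not IMS's own code. Field names, the age cap, the rare-condition floor and the use of the postcode prefix as the geography limit are all assumptions; the slide says only "one way hashing", and a keyed hash (HMAC) is chosen here because an unkeyed hash of a short patient key can be recomputed by anyone holding a list of candidate keys.

```python
import hashlib
import hmac
from collections import Counter

AGE_TOP_CODE = 90    # assumed cap for rule 4 (extreme values top coded)
RARE_MIN_COUNT = 3   # assumed floor for rule 5 (rare conditions filtered)

def pseudonym(patient_key: str, secret: bytes) -> str:
    """Rule 11: keyed one-way hash; without the secret there is no reverse process."""
    return hmac.new(secret, patient_key.encode(), hashlib.sha256).hexdigest()

def anonymise(records, secret: bytes, ref_year: int = 2009):
    counts = Counter(r["condition"] for r in records)
    released = []
    for r in records:
        if counts[r["condition"]] < RARE_MIN_COUNT:
            continue  # rule 5: assumed to mean the record is withheld
        age = ref_year - int(r["dob"][:4])  # rule 6: only the birth year is used
        # Allow-list output: names, free text and socio-economic fields
        # (rules 1, 7, 9) are never copied across.
        released.append({
            "pid": pseudonym(r["patient_key"], secret),
            "age": min(age, AGE_TOP_CODE),       # rule 4
            "region": r["postcode"].split()[0],  # rule 2: coarse geography (assumed)
            "condition": r["condition"],
        })
    return released

# Constructed sample records (not real data).
SAMPLE = [
    {"patient_key": "P001", "name": "A. Example", "dob": "1912-03-04",
     "postcode": "AB1 2CD", "occupation": "miner", "notes": "free text",
     "condition": "asthma"},
    {"patient_key": "P002", "name": "B. Example", "dob": "1970-07-19",
     "postcode": "AB1 9ZZ", "occupation": "teacher", "notes": "",
     "condition": "asthma"},
    {"patient_key": "P001", "name": "A. Example", "dob": "1912-03-04",
     "postcode": "AB1 2CD", "occupation": "miner", "notes": "",
     "condition": "asthma"},
    {"patient_key": "P003", "name": "C. Example", "dob": "1985-01-30",
     "postcode": "XY9 8WV", "occupation": "clerk", "notes": "",
     "condition": "rare-disorder"},
]

if __name__ == "__main__":
    for row in anonymise(SAMPLE, secret=b"constructed-demo-secret"):
        print(row)
```

The same patient key always yields the same pid, so records stay linkable for research while the key itself is never released.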
Is physician linked prescription data personal?
• Pharmaceutical industry very interested in doctor prescribing behaviour and IMS seeks to provide insights
• Information on named doctors prescribing is personal data though
• European Convention of Human Rights, Article 8, provides that everyone has “the right to respect for his private and family life, his home and his correspondence”.
• Case law of European Court of Human Rights confirms clearly that rights to a private life extend into the work environment
• Data protection law seeks to protect work product data about named individuals, seen as personal data in most cases
Is physician linked prescription data personal?
Article 29 Working Party, committee of all EU DP commissioners, produced guidance on definition of personal data in 2007. Example 1:
Professional habits and practices
Drug prescription information (e.g. drug identification number, drug name, drug strength, manufacturer, selling price, new or refill, reasons for use, reasons for no substitution order, prescriber's first and last name, phone number, etc.), whether in the form of an individual prescription or in the form of patterns discerned from a number of prescriptions, can be considered as personal data about the physician who prescribes this drug, even if the patient is anonymous. Thus, providing information about prescriptions written by identified or identifiable doctors to producers of prescription drugs constitutes a communication of personal data to third party recipients in the meaning of the Directive.
IMS EMEA response
• Variety of strategies to anonymise prescription data (“Rx”)
• Often use Trusted Third Parties (“TTP”)
• Rx minus patient details sent to IMS
• Doctor name linked to each Rx sent to TTP
• TTP links doctor to specific group or area (“brick”)
• Acceptable brick size varies
• France 5, UK 50, Belgium 12, Germany?
• Governments and/or DP authorities determine
• Not just privacy driving size, but payer concerns
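The split feed described above, written out as an added example (not IMS's or any TTP's code). It assumes "brick size" means the number of distinct doctors assigned to a brick and that bricks below the national minimum are withheld; the record fields and the doctor-to-brick table are constructed.

```python
from collections import defaultdict

MIN_BRICK_SIZE = {"France": 5, "UK": 50, "Belgium": 12}  # figures from the slide

def split_feed(prescriptions):
    """Data supplier: content goes to IMS, doctor identity goes to the TTP."""
    to_ims = [{"rx_id": p["rx_id"], "drug": p["drug"]} for p in prescriptions]
    to_ttp = [{"rx_id": p["rx_id"], "doctor": p["doctor"]} for p in prescriptions]
    return to_ims, to_ttp  # patient details appear in neither feed

def ttp_link(to_ttp, doctor_brick, country):
    """TTP: swap each doctor for a brick, withholding undersized bricks."""
    members = defaultdict(set)
    for doctor, brick in doctor_brick.items():
        members[brick].add(doctor)
    minimum = MIN_BRICK_SIZE[country]
    return {row["rx_id"]: doctor_brick[row["doctor"]]
            for row in to_ttp
            if len(members[doctor_brick[row["doctor"]]]) >= minimum}

def ims_aggregate(to_ims, rx_brick):
    """IMS: count prescriptions per (brick, drug); no doctor name is ever seen."""
    totals = defaultdict(int)
    for row in to_ims:
        brick = rx_brick.get(row["rx_id"])
        if brick is not None:
            totals[(brick, row["drug"])] += 1
    return dict(totals)

# Constructed sample: brick A has five doctors, brick B has two.
DOCTOR_BRICK = {"dr1": "A", "dr2": "A", "dr3": "A", "dr4": "A", "dr5": "A",
                "dr6": "B", "dr7": "B"}
RX = [
    {"rx_id": 1, "doctor": "dr1", "drug": "X", "patient": "p1"},
    {"rx_id": 2, "doctor": "dr2", "drug": "X", "patient": "p2"},
    {"rx_id": 3, "doctor": "dr6", "drug": "X", "patient": "p3"},
    {"rx_id": 4, "doctor": "dr3", "drug": "Y", "patient": "p4"},
]

def run_demo(country):
    to_ims, to_ttp = split_feed(RX)
    return ims_aggregate(to_ims, ttp_link(to_ttp, DOCTOR_BRICK, country))

if __name__ == "__main__":
    print(run_demo("France"))   # brick B (two doctors) is withheld
    print(run_demo("Belgium"))  # no brick reaches the minimum of 12
```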
Any Questions?