A proposed architecture and method of operation for improving the protection of privacy and confidentiality in disease registers

doi:10.1186/1471-2288-3-1

BMC Medical Research Methodology

Volume 3

Viewing options:

Abstract
Full text
PDF (310KB)

Associated material:

Related literature:

Articles citing this article
on BioMed Central
on Google Scholar
on PubMed Central
Other articles by authors
on Google Scholar

Churches T

on PubMed

Churches T
Related articles/pages
on Google

on Google Scholar

on PubMed

Tools:

Post to:

Debate

A proposed architecture and method of operation for improving the protection of privacy and confidentiality in disease registers

Tim Churches

Centre for Epidemiology and Research, New South Wales Department of Health, Locked Mail Bag 961, North Sydney NSW 2059, Australia

author email corresponding author email

BMC Medical Research Methodology 2003, 3:1doi:10.1186/1471-2288-3-1


Published:	6 January 2003

Abstract

Background

Disease registers aim to collect information about all instances of a disease or condition in a defined population of individuals. Traditionally methods of operating disease registers have required that notifications of cases be identified by unique identifiers such as social security number or national identification number, or by ensembles of non-unique identifying data items, such as name, sex and date of birth. However, growing concern over the privacy and confidentiality aspects of disease registers may hinder their future operation. Technical solutions to these legitimate concerns are needed.

Discussion

An alternative method of operation is proposed which involves splitting the personal identifiers from the medical details at the source of notification, and separately encrypting each part using asymmetrical (public key) cryptographic methods. The identifying information is sent to a single Population Register, and the medical details to the relevant disease register. The Population Register uses probabilistic record linkage to assign a unique personal identification (UPI) number to each person notified to it, although not necessarily everyone in the entire population. This UPI is shared only with a single trusted third party whose sole function is to translate between this UPI and separate series of personal identification numbers which are specific to each disease register.

Summary

The system proposed would significantly improve the protection of privacy and confidentiality, while still allowing the efficient linkage of records between disease registers, under the control and supervision of the trusted third party and independent ethics committees. The proposed architecture could accommodate genetic databases and tissue banks as well as a wide range of other health and social data collections. It is important that proposals such as this are subject to widespread scrutiny by information security experts, researchers and interested members of the general public, alike.