Health data security and management practices
This chapter reviews the internal data security and management practices among health data custodians and how they assure data security is maintained when data is transferred to and accessed by external approved researchers and custodians.
Highlights
Sound data security practices are essential to meet legal requirements and public expectations for the protection of personal health information. They ensure that the data held by national custodians are safe, that they remain safe during any transfer, and that they stay safe once shared with others.
Basic features of good governance within data processors include physical security, IT security, and secure channels for data transmission. Other basic features include a separation of duties, where only employees who need to see identifiable data in order to process it do so; signed obligations binding employees to protect data confidentiality; and regular staff training about their responsibilities for data security and confidentiality protection.
Several countries have made their data security processes transparent to the public by publishing policy statements or guidelines at either the national level or the level of national data custodians. Examples of published guidelines were provided by Canada, Denmark, Finland, Korea, New Zealand, Norway and the United Kingdom. A few countries also engage external experts to test their security, with examples provided by Switzerland, the United States and the United Kingdom.
Experts in 14 countries indicated that a signed obligation, such as a data sharing agreement, was used to legally bind data recipients to the rules to be followed to protect the data. Many such agreements place a time limit on how long data can be held by the third party before they are destroyed. Mechanisms to assure compliance with data sharing agreements include evaluations of data security environments before data access is approved and follow-up audits.
Countries universally observe that researchers have a strong incentive to comply with the terms of data sharing agreements because any misuse of data could damage their careers. Some countries have additional penalties. A fine or criminal conviction can be imposed for deliberate misuse of data in Korea, Norway and the United Kingdom, and among statistical authorities in Canada and the United States.
Secure research data centres and secure remote data access systems are viable alternatives to transferring person-level data to data requestors. The common feature of these mechanisms is that researchers are not provided a dataset to analyse within their own organisation. Instead, approved researchers must either physically enter a secure research data centre or digitally enter a secure remote data access system in order to analyse data. Secure research data centres are in use in Canada, Singapore, the Netherlands and the United States. Remote data access systems offering researchers real-time service and the ability to conduct sophisticated data modelling with appropriate software are available in Canada (Ontario), the United Kingdom (Scotland and Wales), the Netherlands and the United States. Such an environment is undergoing pilot testing in Korea and is in development in Denmark.
Data governance practices begin with the requirements and internal policies of dataset custodians. The participants in this study described the data security protections that are in place within their organisations to ensure their internal data security and to protect the confidentiality of the data in their custody. Most commonly noted is a separation of duties, where only a small staff with specific job requirements access identifiable microdata; followed by initiatives for staff training on data security and confidentiality protection; and physical and IT security measures, such as secure networks, firewalls and threat assessments.
Data governance practices include data security practices that enable third parties to access data from custodians while minimising risks to data subjects' privacy. These practices include binding data sharing agreements or contracts; follow-up processes for conformance to agreements; supervised research data centres and secure remote data access systems; and civil and criminal penalties for data misuse.
In general there are two complementary approaches to protecting the privacy of data subjects when their data will be used for statistics and research projects. In the first approach, there is careful attention paid to the data itself and treatments are applied to the data to render it as anonymous as possible while still enabling high-quality research and statistics to be produced from it. This is technically challenging as was discussed in Chapter 7. In the other complementary approach, data de-identification is only one of the mechanisms and practices put into place to create a governance framework around the development of statistics and research with the data to ensure that the data are not misused and that the privacy of the data subjects remains protected throughout the process.
Countries were asked to identify the controls used to manage dataset re-identification risks (Table 8.1). Fifteen countries were able to identify one or more controls that are used to manage re-identification risks for all or the majority of the key national health care datasets. Examples of potential practices included in the questionnaire were supervised data access facilities, data security audits and penalties for misuse of data. Among the countries reporting that controls are used, examples of controls included limiting staff access to identifiable data; policies and guidelines including data de-identification standards; data sharing agreements and contracts to bind data recipients to follow data protection requirements; secure data access centres and remote systems; rules for minimum cell sizes in tabulations to avoid indirect disclosure of patients' confidential information; criminal penalties and/or fines for data misuse; and support and systems for patients to register complaints.
Table 8.1. Percentage of key national datasets where data security practices to protect data from re-identification were identified

Country | Data security practices to protect data from re-identification identified
Czech Republic | 100%
Ireland | 100%
Italy | 100%
Korea | 100%
New Zealand | 100%
Singapore | 100%
UK Scotland | 100%
UK Wales | 100%
United States | 100%
Canada | 88%
Japan | 86%
Spain | 75%
Netherlands | 71%
Norway | 70%
UK England | 60%
Denmark | 22%
Switzerland | 20%
Finland | 0%
Israel | 0%
Iceland | 0%
Turkey | 0%
Sweden | ns
Source: Author’s own calculations based on the results of this study.
There were also data security practices identified that place heavy restrictions on the use of and access to de-identified data for statistics or research in the public interest. These included practices that limit data access to aggregated data only (Italy), and policies that remove identifiers at the processing step rendering data linkage impossible (Japan).