Guidelines and policies to protect data privacy and security
The development and publication of policies or guidelines, either at the national level or at the data custodian level, greatly increases public transparency regarding the steps that are taken to protect health information privacy and security. It also provides a means to improve consistency within and among dataset custodians and a basis from which training courses and materials can be developed. International efforts, such as the standards and guidelines set by the International Standards Organisation regarding privacy and security requirements of EHR systems (ISO/TS 14441:2013), security of electronic health record communications (ISO/TS 13606-4:2009), and data protection to facilitate transborder flows of personal health data (ISO 22857:2011), support harmonisation of national data security and privacy protection practices. Country experts provided examples of the guidelines and policies that have been developed to protect data privacy and security.
In New Zealand, the legislative framework and the requirement for research ethics approval for identifiable data release are national in scope. Other policies are at the organisation level, with the Health Ministry having established its own internal policies. Consistency in policies among ministries is necessary to promote consistency among teams processing data. There was a project undertaken within the past year to develop guidelines and business rules for data handling. The need to develop formal guidelines arose as a result of a high-profile agency that experienced a data breach. This raised the need to bring governmental agencies to a similar level of maturity in their internal systems. There is now a consistent data breach notification process across government. In the next 2-3 years there will be further development of information management guidelines. This work will support consistency among the different agencies in custody of health information. Further developments could include the appointment of a chief privacy officer for government who would take responsibility for data privacy, privacy impact assessments (PIAs), data security and ICT systems. Other areas of work include the provision of access for citizens to their own data held by government.
The UK Information Commissioner's Office (ICO) has published a code of practice for data sharing (ICO, 2011). In England, for all of the NHS, there is a document that describes the NHS Anonymisation Standard. The HSCIC has written documentation regarding controlling re-identification risk when data are disclosed (HSCIC, 2013). The HSCIC statistical service also provides guidance to staff regarding disclosure control. The HSCIC conducts and documents privacy impact assessments for new data collections or projects involving personal health data.
In Denmark, the DPA provides guidelines on complying with the requirements of the national data privacy legislation. The SSI follows the DPA guidelines, which provide guidance for all types of personal data. The unit providing research services has clear guidelines that it follows regarding data disclosure. For example, there are disclosure guidelines for minimum cell sizes in aggregated data tables to reduce the risk of indirect disclosure of a person's identity. There is a protocol for reporting the discovery of a data breach that should be followed by all actors in the health sector.
In Korea, the Ministry of Security and Public Administration has produced guidelines for government agencies regarding the processing of personal data. HIRA also has internal guidelines specific to its own data holdings. There are guidelines regarding the review of applications, publication of approval decisions, processing timeliness, de-identification, data retention, security and data access fees. The guidelines do not apply to private sector holders of personal health data.
In Finland, each governmental institution maintains its own guidelines; however, in broad terms the guidelines would all conform to legislation. Within THL there is an effort to standardise guidelines across registries; however, there are differences among registries (such as the congenital malformations registry) that do require different rules. There are no guidelines in place regarding the reporting of a data security breach. A data protection anomaly should be reported to the chief security officer, who will decide the severity of the case and may issue requests for action to both the owner of the data and the communications department.
In Canada, CIHI provides public access to its policies related to the protection of data subjects' privacy and data confidentiality on its website (CIHI, 2014). These include a policy on the collection, use, disclosure and retention of personal health information and de-identified data, a policy on privacy impact assessments, a policy on staff privacy and security training, and a security incident management protocol. Canada also has best practice guidelines that were developed as part of a health system use project endorsed by the Conference of Deputy Ministers of Health (Health System Use Technical Advisory Committee, 2010). A joint report of Canada Health Infoway and the Information Commissioner's Office for the province of Ontario identifies essential data governance mechanisms, including de-identification and data security, to enable the secondary use of data from electronic clinical records (Cavoukian and Alvarez, 2012).
In Switzerland, as the interpretation of the law has recently been made clearer, a working group was established to develop guidelines for the FSO to ensure consistency in data protection practices throughout the organisation. The guidelines will cover procedures including data anonymisation, data linkage, management of re-identification risk, data disclosure, etc. The working group is meeting regularly to develop the guidelines, which will be submitted to the Data Protection Authority for approval. The intention is to make the guidelines available to the public. At this point the guidelines are general for the FSO, but it may also be decided to write specific guidelines for health data. The focus of the FSO has been on practices that reduce the risk of a data breach. There have not been any data breaches, and the procedures to follow in the event of one have not been developed. Any illegal activity would be reported to the police.
In Norway, the National Patient Register (NPR) publishes guidelines, rules and regulations governing data security.
In Sweden, there is one guideline concerning disclosure of registry data. At the National Board of Health and Welfare (NBHW), the processing of requests is centralised in one unit, and the employees of the unit meet together once per week to discuss the requests that have come in, to discuss complex requests, and to make consistent decisions. The legal expert takes part in the weekly meeting.
Spain reports guidelines within the Ministry of Health for the review of applications for access to data, the publication of approval decisions, data de-identification and data security. There is also an internal guideline on reporting a data security breach.