Treading the fine line between Big Brother and the legitimate use of sensitive data for research

Transcription

1 Treading the fine line between Big Brother and the legitimate use of sensitive data for research IG Cyber Security Survival Guide 3rd May 2018 Dr Emily Jefferson

2 Facebook and Cambridge Analytica

3 Care.Data

4 GDPR!

5 What about Data for Research? The NHS should use the data they collect to improve care The NHS should not have to pay so much for drugs Health Research should be cost effective and timely Researchers shouldn t have access to a big database of all of my data The NHS shouldn t sell my data Pharmaceutical companies should not have access to my health records I don t want the government know everything about my personal life Government bodies should be more linked up

6 The effect of β blockers in the management of chronic obstructive pulmonary disease (COPD) GRO Prescribing ECHO TARDIS Demography Biochemistry Haematology Microbiology Setting Tayside, Scotland ( ) Population 5977 patients aged >50 years with a diagnosis of COPD. There was a 22% overall reduction in all cause mortality with β blocker use Example of data linkage BMJ. 2011; 342: d /bmj.d2549 P.M Short, S.I.W Lipworth, D.H.J Elder, S. Schembri, B.J. Lipworth.

7 Police Fire Service NHS Social Services What is the relationship between vulnerable adults in the different services? Linking new data sets from different data custodians

8 Talk outline Experience of the (HIC) The Scottish Federated Network of Safe Havens UK Wide Safe Havens and different models

9 (HIC) The Service arm of HIC has supported 600 different research projects over the last 5 years totalling ~ 156M in grants (total grant income not just that of HIC) We have a team of ~40 experts in data governance, software development, data management and hosting, data analysis and data science. Trusted relationship with NHS Tayside and Fife built up over many years

10 My Area of Research Research using Linked Data Research using Linked Data Research using Linked Data Research using Linked Data Research using Linked Data Research using Linked Data Research using Linked Data Research using Linked Data Research using Linked Data Service to prevision linked data for research Research Data Management Platform Research in innovative methods for the provision of sensitive linked data which meets both data governance requirements and those of the research community

11 Electronic Medical Data Coverage Geographic - Tayside And Fife Population of Scotland Time Period

12 Phenotypic Data Available Data For Linkage Health Care Data Primary Care : Community Prescribing Secondary Care : Out Patient Visits, Hospital Admissions, Accident & Emergency, Cancer Register, Psychiatric Episodes. Diagnostics : Radiology Events, Cardiology & Vascular Labs, Bowel Screening Laboratory - Biochemistry, Haematology, Immunology, Microbiology, Virology Diabetes Surveillance - BP,BMI, Smoking Alcohol, Amputations, Ulcers Diabetic Retinal Images DRS Retinopathy Image Library (Go DARTS Population) SMR02 Maternity & Neonate Child Health Pre-School/School SIRS/CHSP Register Of Deaths Parents Conception Birth Early Life Childhood Adulthood Late Life Death Existing Research Studies Walker 48,00 Births ( ) Research Datasets GoDARTS Diabetes 18K - Case/Controls TASC FORCE MRA Volunteers POPADAD Diabetes with no CVD TRACE RA Rheumatoid Arthritis/UK Pre-consented Cohorts SHARE 100+K Generation Scotland 20K Disease Registers TARDIS Respiratory Disease SDCRN Scottish Dementia Network SCI Diabetes Epilepsy

13 ISO27001 Certified Trusted Research Environment Analytics Software Library: R SAS STATA SPSS MS Office Matlab Virtual Windows Clients Resilient Infrastructure: High-Availability Storage Redundant Power Daily Backups De-identified Data Extracts Secure Access Controls: Firewall HTTPS Connection Password Protection Data User Access-from-anywhere: 24x7 via Internet

14 What is a Safe Haven/Trusted Research Environment? 3 Main Functions Analytic Platform: provision of a virtual environment for researchers to securely analyse data without the data leaving the environment Data Repository: secure handling and linking of data from multiple sources for research projects Research Support: socio-technical environment that serves to bring together teams around health data science. The research coordinators provide support to researchers navigating the data requirements, permissions landscape and provide a mechanism to share the lessons from one project to the next.

15 High Level Overview Cohort Selection Process Security Permissions Audit Logs Data can t leave environment Researcher Connects via a web browser Database of Patient Data (including identifiers) Linking and Anonymisation Process Anonymised Subset of Data for Research Project Secure Transfer Anonymised Subset of Data for Research Project Virtual Desktops Researcher Data Repository Analytic Platform Researcher

16 High Level Overview Cohort Selection Process Security Permissions Audit Logs Data can t leave environment Researcher Connects via a web browser Database of Patient Data (including identifiers) Linking and Anonymisation Process Anonymised Subset of Data for Research Project Secure Transfer Anonymised Subset of Data for Research Project Virtual Desktops Researcher Data Repository Analytic Platform Researcher

17 Analytic Platform Researchers provided a remote log on to a Virtual Machine (VM) The VM generally has basic statistics packages installed Researchers can only see the data for their specific cohort to answer their specific research question Researchers can analyse the data in place and can t copy the data out of the environment Aggregate level, analysis of the data can be copied out of the environment only once it has been checked by a Safe Haven team member for discloser control. Researchers can t freely access the internet Researchers have to sign none discloser agreements and have to complete Information Governance Training Secure Access Controls: Firewall HTTPS Connection Password Protection

18 High Level Overview Cohort Selection Process Security Permissions Audit Logs Data can t leave environment Researcher Connects via a web browser Database of Patient Data (including identifiers) Linking and Anonymisation Process Anonymised Subset of Data for Research Project Secure Transfer Anonymised Subset of Data for Research Project Virtual Desktops Researcher Data Repository Analytic Platform Researcher

19 Data Repository Function Provision of linked anonymised datasets for research for a specific cohort to answer a specific research question For HIC this function is on the NHS Network on secure servers Anyone Safe Haven staff member who has access to identifiable NHS patient data is either an employee of NHS or an Honorary employee Trusted Relationship with the NHS is key!

20 GDPR! Actually we didn t need to make many changes.

21 The Scottish Federated Safe Haven Network One National Safe Haven (NSS (edris)/epcc) 4 Regional Safe Havens A collaboration between an R&D Node of NHS Scotland and a University with a Medical School from within that region.

22 Historical Context Data Protection Act 7 Caldicott Principles Now GDPR Scottish Government adoption (Nov 2012) SHIP Guiding Principles and Best Practices (Oct 2010) Guide for Data Controllers (and others) advising on best practices of linking data for research purposes across different organisations

23 Historical Context Scottish Government Safe Haven Charter 2015 Set of standards for all Safe Havens Scottish Government Safe Haven Accreditation Aligns with ISO27001 certification Adds some additional controls on top of general ISO27001 Independent audit by ehealth (Scottish Government) All Safe Havens have signed up to the Safe Haven Charter. If a Safe Haven is Scottish Government Accredited they should work to exactly the same high standards of secure data management and analytic platform provision.

24 Data Governance All Regional Safe Havens have existing Data Governance Approvals processes working with their relevant Health Board(s) and Caldicott Guardians (there are small regional variations) Regional Safe Havens generally act as Data Processors rather than Data Controllers There are existing data sharing/user agreements and service agreements in place The NHS can with draw support for a project at anytime should they wish to do so

25 Separation of Indexer and Linker functions Primarily used when linking data from different data controllers if the data is highly sensitive. Considered general good practice by Guiding Principles of Data Linkage. If there is agreement between Data Controllers to share data without this method then it reduces the coordination requirements of each project

26 Source Data: Different Data Controllers Data Governance Approval Required Before Data Flows Identifiable Data Descriptive Data Identity map Indexing Service Linking Service Data Extract

27 Source Data: Different Data Controllers Data Governance Approval Required Before Data Flows Identifiable Data: Angus McFurgus 31/7/67 Lomond Street Indexing code: NHS: Police: SS: Descriptive Data: NHS: 12345: Has great health Police: 44444: Has criminal record SS: 55555: Known to SS Identity map 44444=12345=55555 Indexing Service Linking Service Safe Haven Researcher area to view project specific data Data Extract Secure Remote Access with disclosure control on output (only aggregates can be exported)

28 Other parts of the UK Big Data Warehouse of pseudonymised linked data from multiple different organisations Securely managed by Swansea University Safe Haven environment with data only provided to answer specific research question

29 Other parts of the UK Many different Safe Havens with differing agreements with local NHS boards NHS Digital Joined up in places but not routinely

30 If Safe Havens are a requirement for governance, what if they are not fit for purpose? Big Data? Programming access? Installation of researcher tools? Cost of environment and software? Suitable hardware? Hardware reuse?

31 Scottish Medical Images (SMI) Scotland has a single National PACS Database from all 14 health boards. To date this includes 23 million different radiological examinations from a population of 5.4 million and over 800TB of data collected since It includes a range of modalities (including computed tomography, magnetic resonance imaging, ultrasound, nuclear medicine and plain film radiography). We are creating a copy of the data from the clinical system to create a research database: SMI We have been extending our Research Data Management Platform (RDMP) to manage and query SMI to provide extracts for research

32 Identifiable Zone Anonymised Zone Analytic DICOM file Platform server and anonymiser Complete Unmodified Identifiable DICOM Files Identifiable Searchable Metadata (MongoDB) Promotion of de-identifiable tags/ metadata Promotion of image types which are extractable De-identification Analysts Indexing Anonymised Metadata Cohort Creation Cohort Builders Extraction Study-specific Image Metadata and Pixel Data Researcher VM with tools to view and manipulate images System Administrators Researcher PACS Data Architecture

33 Big Brother or legitimate use? We generally have good data governance and security in place so that the public can feel safe that research data is not used for Big Brother There has been progress in gaining NHS and other organisations trust that they can share data for research if Safe Havens are used We still have a way to go to automate a lot of this so it can be efficient as well as secure We still have work to do to meet researcher requirements for handling big data and software flexibility

34 Thanks for listening!