Pseudonymization for research data collection: is the juice worth the squeeze?

BACKGROUND: The collection of data and biospecimens which characterize patients and probands in-depth is a core element of modern biomedical research. Relevant data must be considered highly sensitive and it needs to be protected from unauthorized use and re-identification. In this context, laws, regulations, guidelines and best-practices often recommend or mandate pseudonymization, which means that directly identifying data of subjects (e.g. names and addresses) is stored separately from data which is primarily needed for scientific analyses. DISCUSSION: When (authorized) re-identification of subjects is not an exceptional but a common procedure, e.g. due to longitudinal data collection, implementing pseudonymization can significantly increase the complexity of software solutions. For example, data stored in distributed databases, need to be dynamically combined with each other, which requires additional interfaces for communicating between the various subsystems. This increased complexity may lead to new attack vectors for intruders. Obviously, this is in contrast to the objective of improving data protection. What is lacking is a standardized process of evaluating and reporting risks, threats and countermeasures, which can be used to test whether integrating pseudonymization methods into data collection systems actually improves upon the degree of protection provided by system designs that simply follow common IT security best practices and implement fine-grained role-based access control models. To demonstrate that the methods used to describe systems employing pseudonymized data management are currently heterogeneous and ad-hoc, we examined the extent to which twelve recent studies address each of the six basic security properties defined by the International Organization for Standardization (ISO) standard 27,000. We show inconsistencies across the studies, with most of them failing to mention one or more security properties. CONCLUSION: We discuss the degree of privacy protection provided by implementing pseudonymization into research data collection processes. We conclude that (1) more research is needed on the interplay of pseudonymity, information security and data protection, (2) problem-specific guidelines for evaluating and reporting risks, threats and countermeasures should be developed and that (3) future work on pseudonymized research data collection should include the results of such structured and integrated analyses.

Expanded phenotypic spectrum of the m.8344A>G "MERRF" mutation: data from the German mitoNET registry.

The m.8344A>G mutation in the MTTK gene, which encodes the mitochondrial transfer RNA for lysine, is traditionally associated with myoclonic epilepsy and ragged-red fibres (MERRF), a multisystemic mitochondrial disease that is characterised by myoclonus, seizures, cerebellar ataxia, and mitochondrial myopathy with ragged-red fibres. We studied the clinical and paraclinical phenotype of 34 patients with the m.8344A>G mutation, mainly derived from the nationwide mitoREGISTER, the multicentric registry of the German network for mitochondrial disorders (mitoNET). Mean age at symptom onset was 24.5 years ±10.9 (6-48 years) with adult onset in 75 % of the patients. In our cohort, the canonical features seizures, myoclonus, cerebellar ataxia and ragged-red fibres that are traditionally associated with MERRF, occurred in only 61, 59, 70, and 63 % of the patients, respectively. In contrast, other features such as hearing impairment were even more frequently present (72 %). Other common features in our cohort were migraine (52 %), psychiatric disorders (54 %), respiratory dysfunction (45 %), gastrointestinal symptoms (38 %), dysarthria (36 %), and dysphagia (35 %). Brain MRI revealed cerebral and/or cerebellar atrophy in 43 % of our patients. There was no correlation between the heteroplasmy level in blood and age at onset or clinical phenotype. Our findings further broaden the clinical spectrum of the m.8344A>G mutation, document the large clinical variability between carriers of the same mutation, even within families and indicate an overlap of the phenotype with other mitochondrial DNA-associated syndromes.

A generic solution for web-based management of pseudonymized data.

BACKGROUND: Collaborative collection and sharing of data have become a core element of biomedical research. Typical applications are multi-site registries which collect sensitive person-related data prospectively, often together with biospecimens. To secure these sensitive data, national and international data protection laws and regulations demand the separation of identifying data from biomedical data and to introduce pseudonyms. Neither the formulation in laws and regulations nor existing pseudonymization concepts, however, are precise enough to directly provide an implementation guideline. We therefore describe core requirements as well as implementation options for registries and study databases with sensitive biomedical data. METHODS: We first analyze existing concepts and compile a set of fundamental requirements for pseudonymized data management. Then we derive a system architecture that fulfills these requirements. Next, we provide a comprehensive overview and a comparison of different technical options for an implementation. Finally, we develop a generic software solution for managing pseudonymized data and show its feasibility by describing how we have used it to realize two research networks. RESULTS: We have found that pseudonymization models are highly heterogeneous, already on a conceptual level. We have compiled a set of requirements from different pseudonymization schemes. We propose an architecture and present an overview of technical options. Based on a selection of technical elements, we suggest a generic solution. It supports the multi-site collection and management of biomedical data. Security measures are multi-tier pseudonymity and physical separation of data over independent backend servers. Integrated views are provided by a web-based user interface. Our approach has been successfully used to implement a national and an international rare disease network. CONCLUSIONS: We were able to identify a set of core requirements out of several pseudonymization models. Considering various implementation options, we realized a generic solution which was implemented and deployed in research networks. Still, further conceptual work on pseudonymity is needed. Specifically, it remains unclear how exactly data is to be separated into distributed subsets. Moreover, a thorough risk and threat analysis is needed.

ARX--A Comprehensive Tool for Anonymizing Biomedical Data.

Collaboration and data sharing have become core elements of biomedical research. Especially when sensitive data from distributed sources are linked, privacy threats have to be considered. Statistical disclosure control allows the protection of sensitive data by introducing fuzziness. Reduction of data quality, however, needs to be balanced against gains in protection. Therefore, tools are needed which provide a good overview of the anonymization process to those responsible for data sharing. These tools require graphical interfaces and the use of intuitive and replicable methods. In addition, extensive testing, documentation and openness to reviews by the community are important. Existing publicly available software is limited in functionality, and often active support is lacking. We present ARX, an anonymization tool that i) implements a wide variety of privacy methods in a highly efficient manner, ii) provides an intuitive cross-platform graphical interface, iii) offers a programming interface for integration into other software systems, and iv) is well documented and actively supported.