The development of large-scale de-identified biomedical databases in the age of genomics-principles and challenges.

Contemporary biomedical databases include a wide range of information types from various observational and instrumental sources. Among the most important features that unite biomedical databases across the field are high volume of information and high potential to cause damage through data corruption, loss of performance, and loss of patient privacy. Thus, issues of data governance and privacy protection are essential for the construction of data depositories for biomedical research and healthcare. In this paper, we discuss various challenges of data governance in the context of population genome projects. The various challenges along with best practices and current research efforts are discussed through the steps of data collection, storage, sharing, analysis, and knowledge dissemination.

A risk-based framework for biomedical data sharing.

The problem of biomedical data sharing is a form of gambling; on one hand it incurs the risk of privacy violations and on the other it stands to profit from knowledge discovery. In general, the risk of granting data access to a user depends heavily upon the data requested, the purpose for the access, the user requesting the data (user motives) and the security of the user's environment. While traditional manual biomedical data sharing processes (based on institutional review boards) are lengthy and demanding, the automated ones (known as honest broker systems) disregard the individualities of different requests and offer "one-size-fits-all" solutions to all data requestors. In this manuscript, we propose a conceptual risk-aware data sharing system; the system brings the concept of risk, from all contextual information surrounding a data request, into the data disclosure decision module. The decision module, in turn, imposes mitigation measures to counter the calculated risk.

Evaluating the risk of patient re-identification from adverse drug event reports.

BACKGROUND: Our objective was to develop a model for measuring re-identification risk that more closely mimics the behaviour of an adversary by accounting for repeated attempts at matching and verification of matches, and apply it to evaluate the risk of re-identification for Canada's post-marketing adverse drug event database (ADE).Re-identification is only demonstrably plausible for deaths in ADE. A matching experiment between ADE records and virtual obituaries constructed from Statistics Canada vital statistics was simulated. A new re-identification risk is considered, it assumes that after gathering all the potential matches for a patient record (all records in the obituaries that are potential matches for an ADE record), an adversary tries to verify these potential matches. Two adversary scenarios were considered: (a) a mildly motivated adversary who will stop after one verification attempt, and (b) a highly motivated adversary who will attempt to verify all the potential matches and is only limited by practical or financial considerations. METHODS: The mean percentage of records in ADE that had a high probability of being re-identified was computed. RESULTS: Under scenario (a), the risk of re-identification from disclosing the province, age at death, gender, and exact date of the report is quite high, but the removal of province brings down the risk significantly. By only generalizing the date of reporting to month and year and including all other variables, the risk is always low. All ADE records have a high risk of re-identification under scenario (b), but the plausibility of that scenario is limited because of the financial and practical deterrent even for highly motivated adversaries. CONCLUSIONS: It is possible to disclose Canada's adverse drug event database while ensuring that plausible re-identification risks are acceptably low. Our new re-identification risk model is suitable for such risk assessments.

Dynamic-informed consent: A potential solution for ethical dilemmas in population sequencing initiatives.

While the majority of population-level genome sequencing initiatives claim to follow the principles of informed consent, the requirements for informed consent have not been-well defined in this context. In fact, the implementation of informed consent differs greatly across these initiatives - spanning broad consent, blanket consent, and tiered consent among others. As such, this calls for an investigation into the requirements for consent to be "informed" in the context of population genomics. One particular strategy that claims to be fully informed and to continuously engage participants is called "dynamic consent". Dynamic consent is based on a personalised communication platform that aims to facilitate the consent process. It is oriented to support continuous two-way communication between researchers and participants. In this paper, we analyze the requirements of informed consent in the context of population genomics, review various current implementations of dynamic consent, assess whether they fulfill the requirement of informed consent, and, in turn, enable participants to make autonomous and informed choices on whether or not to participate in research projects.

Evaluating the Risk of Re-identification of Patients from Hospital Prescription Records.

BACKGROUND: Pharmacies often provide prescription records to private research firms, on the assumption that these records are de-identified (i.e., identifying information has been removed). However, concerns have been expressed about the potential that patients can be re-identified from such records. Recently, a large private research firm requested prescription records from the Children's Hospital of Eastern Ontario (CHEO), as part of a larger effort to develop a database of hospital prescription records across Canada. OBJECTIVE: To evaluate the ability to re-identify patients from CHEO'S prescription records and to determine ways to appropriately de-identify the data if the risk was too high. METHODS: The risk of re-identification was assessed for 18 months' worth of prescription data. De-identification algorithms were developed to reduce the risk to an acceptable level while maintaining the quality of the data. RESULTS: The probability of patients being re-identified from the original variables and data set requested by the private research firm was deemed quite high. A new de-identified record layout was developed, which had an acceptable level of re-identification risk. The new approach involved replacing the admission and discharge dates with the quarter and year of admission and the length of stay in days, reporting the patient's age in weeks, and including only the first character of the patient's postal code. Additional requirements were included in the data-sharing agreement with the private research firm (e.g., audit requirements and a protocol for notification of a breach of privacy). CONCLUSIONS: Without a formal analysis of the risk of re-identification, assurances of data anonymity may not be accurate. A formal risk analysis at one hospital produced a clinically relevant data set that also protects patient privacy and allows the hospital pharmacy to explicitly manage the risks of breach of patient privacy.

Privacy-Preserving Analysis of Distributed Biomedical Data: Designing Efficient and Secure Multiparty Computations Using Distributed Statistical Learning Theory.

BACKGROUND: Biomedical research often requires large cohorts and necessitates the sharing of biomedical data with researchers around the world, which raises many privacy, ethical, and legal concerns. In the face of these concerns, privacy experts are trying to explore approaches to analyzing the distributed data while protecting its privacy. Many of these approaches are based on secure multiparty computations (SMCs). SMC is an attractive approach allowing multiple parties to collectively carry out calculations on their datasets without having to reveal their own raw data; however, it incurs heavy computation time and requires extensive communication between the involved parties. OBJECTIVE: This study aimed to develop usable and efficient SMC applications that meet the needs of the potential end-users and to raise general awareness about SMC as a tool that supports data sharing. METHODS: We have introduced distributed statistical computing (DSC) into the design of secure multiparty protocols, which allows us to conduct computations on each of the parties' sites independently and then combine these computations to form 1 estimator for the collective dataset, thus limiting communication to the final step and reducing complexity. The effectiveness of our privacy-preserving model is demonstrated through a linear regression application. RESULTS: Our secure linear regression algorithm was tested for accuracy and performance using real and synthetic datasets. The results showed no loss of accuracy (over nonsecure regression) and very good performance (20 min for 100 million records). CONCLUSIONS: We used DSC to securely calculate a linear regression model over multiple datasets. Our experiments showed very good performance (in terms of the number of records it can handle). We plan to extend our method to other estimators such as logistic regression.

Informed Consent in Biomedical Research.

Informed consent is the result of tumultuous events in both the clinical and research arenas over the last 100 years. Throughout this time, the notion of informed consent has shifted tremendously, both due to advances in medicine, as well as the type of data being gathered. As such, informed consent has misaligned with the goals of medical research. It is becoming more and more vital to address this chasm, and begin building new frameworks to link this disconnect. Thus, we address three goals in this paper. First, we discuss the history of informed consent and unify the varying definitions of the term. Second, we evaluate the current research on the topic, classify them into themes, and attend to the problems therein. Lastly, we employ these themes of informed consent research mentioned previously to provide guidance and insight for future research in the arena.