Anonymity, pseudonymisation and encryption

While the huge task of medical record abstraction on our Urgent Care Centre trial drags on, we share the frustration of all researchers that widespread access to pseudonymised patient records does not exist.

Protecting the anonymity of the patients who have kindly consented to participate in our studies is essential.

Anonymised medical records are ones where patient-identifiable fields are absent or obliterated. However, these records are only useful to researchers who are doing general research, such as epidemiological studies.

Pseudonymisation is a different process, where fields like the patient’s name are substituted by a pseudonym, such as a unique number. The key principle is separation. The database which holds the association between the name and the pseudonym must be physically separate from the data set which holds the remaining data. The encryption and password protection applied to the two sets are different, so that researchers have access to useful data but not identity.

We do not collect patient names, but do record the number needed to identify the patients’ records (and hence to link hospital and SortED data). In the UCC, these 5-digit numbers are not patient-specific but recycled, so that the date seen is also essential. In the ED, the hospital record number is a unique letter/number combination. However, typing errors meant we lost 58 (of 962) records to follow up in the UCC trial and 59/529 in the ED trial, because we simply could not find the equivalent ED/UCC notes. An improvement scheme is on the drawing board.
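The separation principle and the recycled-number problem described above can be sketched in Python; this is an added illustration, not the trial's own software. The field names and sample rows are constructed, and treating the date seen as part of the identifier (so it is kept out of the research set) is an assumption. The two returned structures stand for the two stores that would be held and protected separately.

```python
import secrets

ID_FIELDS = ("record_no", "date_seen")  # hypothetical field names

def strip_ids(row):
    """Return the row without its identifying fields."""
    return {k: v for k, v in row.items() if k not in ID_FIELDS}

def pseudonymise(visits):
    """Split visit rows into (linkage table, research data set).

    The key is the pair (record_no, date_seen): a recycled 5-digit number
    only identifies a record together with the date the patient was seen.
    """
    linkage = {}   # (record_no, date_seen) -> pseudonym; stored separately
    research = []  # what researchers receive: no identifying fields
    for row in visits:
        key = tuple(row[f] for f in ID_FIELDS)
        if key not in linkage:
            linkage[key] = secrets.token_hex(8)  # random, not derived from the key
        research.append({"pseudonym": linkage[key], **strip_ids(row)})
    return linkage, research

def link_notes(linkage, notes):
    """Key holder's step: attach pseudonyms to rows from the other system.

    Returns (linked, unmatched). A mistyped number or date finds no key and
    lands in unmatched, where it can be reviewed instead of silently lost.
    """
    linked, unmatched = [], []
    for row in notes:
        pseudonym = linkage.get(tuple(row[f] for f in ID_FIELDS))
        if pseudonym is None:
            unmatched.append(row)
        else:
            linked.append({"pseudonym": pseudonym, **strip_ids(row)})
    return linked, unmatched

# Constructed sample rows (not real records).
VISITS = [
    {"record_no": "10482", "date_seen": "2018-01-05", "triage": "minor injury"},
    {"record_no": "10482", "date_seen": "2018-02-11", "triage": "chest pain"},  # number recycled
    {"record_no": "20917", "date_seen": "2018-01-05", "triage": "fever"},
]
NOTES = [
    {"record_no": "10482", "date_seen": "2018-01-05", "outcome": "discharged"},
    {"record_no": "20971", "date_seen": "2018-01-05", "outcome": "admitted"},  # digits transposed
]
```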

 

Gillie Francis – Mar 2018