Standardised framework for protecting privacy when doing research with patient data

Data collected in health care are an important source for research and policy. However, rules for protecting privacy vary from country to country. A lack of a standardised framework has meant that discussions on this could quickly lead to confusion. An international consortium has now developed such a framework. It is described in an article in the International Journal of Medical Informatics. The researchers expect it will contribute to better (international) communication on privacy protection when using health care data. The Netherlands Institute for Health Services Research (NIVEL) and the Dutch company MedLawconsult are part of the consortium.

In their article, the researchers describe how data move through three privacy zones: from care zones (the area of patient diagnosis and treatment) to non-care zones (databases) and on to research zones (the researchers). Every zone has its own restrictions in place to protect privacy, and these can vary depending on the country and data set. Privacy filters – which keep data from being linked to individuals – can be used between the zones. NIVEL programme director Robert Verheij: “International cooperation among researchers is becoming increasingly important. This requires a clear understanding of the different privacy rules that apply when using such data in different settings and in different countries. This framework is intended to prevent misunderstandings in this area.”

In the first zone – the care zone – health care professionals have to be able to identify individual patients to do their work. When data for scientific research are brought together in a repository or database – the second zone – different rules apply, depending on, for example, the purpose for which the data were brought together, the granularity of the data, the level of patient consent and country-specific rules. The same is true for the research zone, where, in general, even stricter regulations apply. The framework provides a language with which privacy protection measures in each of the zones can be described.

The method and framework were assessed for their applicability using data from the NIVEL Primary Care Database, one of the largest health data repositories in the world. It encompasses data from routine primary care electronic medical records of 1.7 million patients, approximately 10% of the Dutch population.

Cooperating partners
Heinrich Heine University, Düsseldorf, Germany
MedLawconsult, The Hague, The Netherlands
University of Warwick, Coventry, United Kingdom
NIHR Biomedical Research Centre at Guy’s and St Thomas’ NHS Foundation Trust, London, United Kingdom
King’s College London, United Kingdom