Tim Churches
Centre for Epidemiology and Research, New South Wales Department of Health, Locked Mail Bag 961, North Sydney NSW 2059, Australia.
BMC Med Res Methodol. 2003 Jan 6;3:1. doi: 10.1186/1471-2288-3-1.
Disease registers aim to collect information about all instances of a disease or condition in a defined population of individuals. Traditionally, methods of operating disease registers have required that notifications of cases be identified by unique identifiers such as social security number or national identification number, or by ensembles of non-unique identifying data items, such as name, sex and date of birth. However, growing concern over the privacy and confidentiality aspects of disease registers may hinder their future operation. Technical solutions to these legitimate concerns are needed.
An alternative method of operation is proposed which involves splitting the personal identifiers from the medical details at the source of notification, and separately encrypting each part using asymmetrical (public key) cryptographic methods. The identifying information is sent to a single Population Register, and the medical details to the relevant disease register. The Population Register uses probabilistic record linkage to assign a unique personal identification (UPI) number to each person notified to it, although not necessarily everyone in the entire population. This UPI is shared only with a single trusted third party whose sole function is to translate between this UPI and separate series of personal identification numbers which are specific to each disease register.
The system proposed would significantly improve the protection of privacy and confidentiality, while still allowing the efficient linkage of records between disease registers, under the control and supervision of the trusted third party and independent ethics committees. The proposed architecture could accommodate genetic databases and tissue banks as well as a wide range of other health and social data collections. It is important that proposals such as this are subject to widespread scrutiny by information security experts, researchers and interested members of the general public alike.
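A toy model of the split-notification architecture described above, added here as an illustration and not taken from the paper. It assumes textbook RSA on tiny constructed primes in place of real public-key encryption, exact matching of identifiers in place of probabilistic record linkage, and that the register-specific PIN issued by the trusted third party travels with the encrypted medical details (the abstract does not say how the two parts are re-associated).

```python
"""Added example, not from the paper: toy model of its split-notification
architecture. Tiny textbook RSA stands in for real public-key encryption
(constructed, insecure); exact match stands in for probabilistic linkage."""
import json

def toy_keypair(p, q, e=17):  # constructed toy RSA: (n, e) public, (n, d) private
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def encrypt(pub, obj):  # byte-at-a-time textbook RSA over the JSON form
    return [pow(b, pub[1], pub[0]) for b in json.dumps(obj, sort_keys=True).encode()]

def decrypt(priv, blocks):
    return json.loads(bytes(pow(c, priv[1], priv[0]) for c in blocks))

def split_notification(record, pop_pub, reg_pub):  # at the source: identifiers for the Population Register, medical details for the disease register
    ids = {k: record[k] for k in ("name", "sex", "dob")}
    med = {k: v for k, v in record.items() if k not in ids}
    return encrypt(pop_pub, ids), encrypt(reg_pub, med)

class PopulationRegister:
    def __init__(self, priv):
        self.priv, self.upis = priv, {}
    def assign_upi(self, enc_ids):  # same identifiers -> same UPI
        key = json.dumps(decrypt(self.priv, enc_ids), sort_keys=True)
        return self.upis.setdefault(key, len(self.upis) + 1)

class TrustedThirdParty:  # sole holder of the UPI <-> register-specific PIN tables
    def __init__(self):
        self.pins = {}  # (register, upi) -> register-specific PIN
    def pin_for(self, register, upi):
        n = sum(r == register for r, _ in self.pins) + 1
        return self.pins.setdefault((register, upi), f"{register}-{n}")
    def translate(self, src, dst, pin):  # cross-register linkage, via the TTP only
        upi = next(u for (r, u), p in self.pins.items() if (r, p) == (src, pin))
        return self.pins.get((dst, upi))

def run_demo():  # constructed: one person notified to two registers, plus another person
    pop_pub, pop_priv = toy_keypair(61, 53)
    keys = {"cancer": toy_keypair(67, 71), "diabetes": toy_keypair(73, 79)}
    pop, ttp = PopulationRegister(pop_priv), TrustedThirdParty()
    registers = {r: {} for r in keys}
    alice = {"name": "A. Example", "sex": "F", "dob": "1960-01-01"}
    for reg, rec in [("cancer", dict(alice, site="breast")),
                     ("diabetes", dict(alice, type=2)),
                     ("cancer", dict(alice, name="B. Other", site="skin"))]:
        enc_ids, enc_med = split_notification(rec, pop_pub, keys[reg][0])
        pin = ttp.pin_for(reg, pop.assign_upi(enc_ids))  # UPI shared with the TTP only
        registers[reg][pin] = decrypt(keys[reg][1], enc_med)  # PIN assumed to accompany it
    return registers, ttp
```

Each disease register ends up holding medical details keyed only by its own PIN series, with no identifiers, and linking a cancer PIN to the same person's diabetes PIN is possible only through the trusted third party's translation table.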