Protecting privacy
All data linkage units use privacy preserving methods to minimise the risk of people being unidentified in linked data. This means identifying information like names, dates of birth or addresses are removed from a dataset before it is provided to a researcher.
The effective protection of data is integral to the activities of the TDLU. The TDLU will ensure that:
- Privacy is integral to the design of its processes and procedures;
- Its activities comply with all applicable guidelines, codes of conduct and law relating to privacy and confidentiality; and
- That all physical computing infrastructures used in support of data linkage activities is maintained on a standalone basis supported by tight access restrictions.
Linked data research projects help provide new insights into the health of our population. However, patient confidentiality is crucial, which is why data linkage units take it so seriously. Your data linkage unit will advise you of any privacy concerns with your data request.
Using linked data, researchers can confidently and ethically analyse a variety of datasets, gleaning important information from them, but they do not need to know the identity of each individual in the dataset. This is particularly important for projects where a waiver of consent has been granted by an independent human research ethics committee.
The TDLU operates within a legal framework which may impose various restrictions and obligations on those who deliver and access data linkage services. Users of this service should note the duty of confidentiality at common law and equity and should refer to relevant legislation in Tasmania including:
- Personal Information Protection Act 2004;
- Relevant State health information privacy legislation and principles (where information is health information);
- Relevant State information privacy specific to providers of non-health data;
- Commonwealth Privacy Act 1988, as applicable, and the Information Privacy Principles; and
- The National Privacy Principles (when dealing with information held by a private organisation).
Further, the TDLU recognises the following policy statements, principles and guidelines specific to the use of linked data in support of research activities;
- National Statement on Ethical Conduct in Human Research developed jointly by the National Health and Medical Research Council, the Australian Research Council and Australian Vice-Chancellors' Committee;
- Australian Code for the Responsible Conduct of Research jointly issued by the National Health and Medical Research Council, the Australian Research Council and Universities Australia;
- Guidelines under s95 of the Privacy Act 1988 (Commonwealth); and
- Guidelines under s95A of the Privacy Act 1988 (Commonwealth).
The separation principle
The key feature of the data-linkage model used by the TDLU is one of ensuring the separation of personal identifying information from service or clinical data. This approach is in accordance with the National Health Medical Research Committee protocols that define linked datasets as non-identifiable.
The separation principle is used to create separate and secure environments for data to be linked, stored, and analysed.
- Data linkage units receive identifying data taken from a variety of datasets and linked records for the same person, using fields such as name, date of birth and address. These links, known as 'linkage keys', are stored separately to the identifying and health data attached to that record.
- When a linked data project is approved, data linkage units extract the linkage keys from the datasets. Only linkage keys are required for this step, not identifying data.
- The data required for analysis is attached to the linkage key; no personal information needs to be reattached.
- Researchers receive the data they need for their project and use the linkage keys to merge the datasets and conduct their analysis.
Using this separation principle the TDLU operates under strict protocols which include:
- Identifying data is provided to the TDLU for linkage only;
- Such data is kept on a standalone computing server with no Internet or Intranet connectivity;
- Access to the room housing the computer is via security card, that is strictly controlled;
- Data stored on the server is encrypted;
- The TDLU holds no clinical data whatsoever; and
- Researchers have no way of accessing the personal identifying data held by TDLU.
| Data Custodian | TDLU | Researcher | |
|---|---|---|---|
| Source identifier | ✓ | ✓ | |
| Demographic data | ✓ | ✓ | |
| Selected demographic data | ✓ | ✓ | ✓ |
| Clinical / activity data | ✓ | ✓ | |
| Project Person ID (PPID) | ✓ | ✓ | ✓ |
| Master Linkage Key (MLK) | ✓ |
Security
The TDLU protects the privacy of personal information by establishing and maintaining strict security of all data that is provided by custodians. Information security measures employed by the TDLU are divided into four key categories:
The TDLU has in place strict security measures and physical entry controls for the location where data is stored.
The TDLU has established a standalone network within an entry controlled location with strict, multi-level password protection, anti-virus software and encryption for data transfer.
Access to physical infrastructure and data is strictly limited to those TDLU staff whose work responsibilities specifically require such access.
Extensive work has been undertaken to complete a range of policies, procedures, standards, guidelines, security training and risk assessments in support of ongoing security arrangements for the TDLU.
There are a number of security measures also undertaken to ensure the data remains safe once provided to the approved researchers. These include:
- approval of security plans from Human Research Ethics Committees and data custodians;
- legally binding contracts and confidentiality agreements with data custodians and researchers;
- data supplied to and from the TDLU and to researchers and data custodians is in an encrypted format.