New NEN standard for pseudonymisation

New NEN standard for pseudonymisation - Viacryp

The NEN recently published the ‘NEN 7524’, the new standard for pseudonymisation service provision. This health care standard is expected to lead to improved patient safety and better cooperation between providers and users of pseudonymisation services, such as in mental health care services.

How the new NEN standard will ensure improved patient safety

To deal with patients’ personal data confidentially, medical research data is pseudonymised. This means that a trusted third party—an independent third party—deletes the original, traceable data, having created a cryptocode of it. In this way, data can be used without compromising privacy.

NEN healthcare standardisation consultant Marlou Bijlsma illustrates how this works: ‘Imagine some patients have participated in medical research into cardiovascular disease, and some have been involved in diabetes research as well. Patients have given permission for the research and researchers are working with those pseudonymised datasets. Then a question arises in the research: Which patients have both diseases? When one has pseudonymised data, the datasets can be linked without compromising patient privacy. This would not be possible with merely anonymised data.’

Anonymisation

The new NEN standard is a reaction to the ISO 25237 international standard. This is a definition document which itemises the different forms of anonymisation and pseudonymisation. A Dutch variant on this did not exist prior to the NEN standard. Bijlsma states, ‘There was only one company in the Netherlands that offered this service, and the government was completely dependent on them. You have to wonder what would happen to our personal data if this company were to go under. If something like that happens, it has to be easy to switch to another service provider.’

Gap in the AVG

The safeguarding of privacy in medical research is becoming increasingly relevant, partly as a result of the new GDPR. The GDPR states in general terms that pseudonymisation is useful, and that ‘technical and organisational measures’ must be taken to this end. The law does not explicitly state how this should be done, however. The essential role of the independent third party deserves more attention in this respect, according to Viacryp’s General Director, Adam Knoop, who was involved in drafting the new standard. ‘Because the law is fairly general, you see many organisations regulating it in their own way. They hire an IT specialist or use a tool to encrypt data themselves. Although this is obviously better than nothing, we’re convinced that prudent pseudonymisation is best done through a trusted third party. For users such as municipalities and hospitals, it is important to know how this kind of cooperation works.’

Insight into responsibilities

‘The standard clearly describes the differences between the two parties, as well as their corresponding responsibilities,’ explains Thomas Waslijah. Thomas is an advisor at Stichting ZorgTTP, a consultancy and pseudonomisation firm which was also involved in drafting the standard. ‘It’s about the supplier and the customer. It makes clear what the customer needs to pay attention to when choosing a service provider and tells the provider what useful information he could supply concerning his service.’
‘In this way, the new standard creates clarity, making it easier to explain the service to customers,’ explains Knoop. ‘Sometimes we spend weeks or months explaining to the client how our services work. The new standard ensures better communication, and as a result, also saves time.’

Switching—a complicated process

Another central aim of the standard is to provide valuable insight into what options are available when working with a pseudonymisation service provider. Switching to another provider can be quite complicated. According to Bijlsma, ‘The pseudonymisation service provider will not easily reveal much about their encryption method to a competitor, as this is company-sensitive information. And although it’s possible to recover the original data, the process is extraordinarily time-consuming.’

‘Checks still a long way off’

While the new standard for pseudonymisation services tightens up the GDPR in this particular area, checks are still a long way off, says Bijlsma. ‘With the GDPR and other regulations, the primary focus now is on self-regulation and getting the message out that personal data needs to be pseudonymised—we are now focusing on what exactly this is and how to best approach it. Agreements have, of course, already been made regarding quality management and information security, and the standard refers to these.’

Although checks are not yet the order of the day, if you work according to the norm, you can assume that you are operating in compliance with the GDPR, according to Knoop. He, too, has not yet noticed much enforcement of the regulation. ‘Whilst the French authorities have taken action against Google, and in our country we had the incident at the Haga hospital, I haven’t heard of any other instances of this, not even specifically around the issue of pseudonymisation. The Dutch Data Protection Authority will be responsible for enforcement, and I can imagine that the Health and Youth Care Inspectorate will also have a role to play.

Traceability remains inevitable

Both the GDPR and the new standard will undoubtedly contribute to the more careful handling of data, and to the better safeguarding of patient safety. An oft-heard criticism, however, is that non-reducible data can be indirectly traced back to an individual through the linking of data files. Both Knoop and Waslijah acknowledge that this is unavoidable. Knoop adds, ‘That remains the big challenge in this field. Despite the most careful pseudonymisation, we cannot guarantee that data cannot ultimately be connected. Of course, we do everything we can to mitigate this risk.’

NEN, the drafter of the standard that regulates pseudonymisation, is supporting the standardisation process in the Netherlands and researching whether standardisation within certain sectors is even possible at all. The Commission on ‘Informatie Voorziening Zorg’ (Information Provision in Healthcare) drafted the new standard together with users and suppliers of pseudonymisation services. Service providers Viacryp and Stichting ZorgTTP took part in this. The standard is an addition to other NEN care standards concerning quality and information security.