Musings on privacy issues in health research involving disaggregate geographic data about individuals
Abstract
This paper offers a state-of-the-art overview of the intertwined privacy, confidentiality, and security issues that are commonly encountered in health research involving disaggregate geographic data about individuals. Key definitions are provided, along with some examples of actual and potential security and confidentiality breaches and related incidents that captured mainstream media and public interest in recent months and years. The paper then goes on to present a brief survey of the research literature on location privacy/confidentiality concerns and on privacy-preserving solutions in conventional health research and beyond, touching on the emerging privacy issues associated with online consumer geoinformatics and location-based services. The 'missing ring' (in many treatments of the topic) of data security is also discussed. Personal information and privacy legislation in two countries, Canada and the UK, is covered, as well as some examples of recent research projects and events about the subject. Select highlights from a June 2009 URISA (Urban and Regional Information Systems Association) workshop entitled 'Protecting Privacy and Confidentiality of Geographic Data in Health Research' are then presented. The paper concludes by briefly charting the complexity of the domain and the many challenges associated with it, and proposing a novel, 'one stop shop' case-based reasoning framework to streamline the provision of clear and individualised guidance for the design and approval of new research projects (involving geographical identifiers about individuals), including crisp recommendations on which specific privacy-preserving solutions and approaches would be suitable in each case.