Introduction

entici is an identity management and pseudonymization software that has been developed since 2016 within the MI-I consortium DIFUTURE in order to provide the technical basis for the newly established trustcenters.

Within the DIFUTURE architecture, the role of the trustcenter is to reduce disclosure risks and to implement the regulatory requirement of data minimization by pseudonymizing data early. To this end, the trustcenter is an organizational and technical unit responsible for storing separately those types of information which carry a high risk of identifiability and which the Data Integration Center (DIC) does not need on a daily basis. All processes supported by the trustcenter require the use of identifying information:

  1. The management of identifying data and corresponding identifiers for patients and probands from clinical and research systems, with the aim of uniquely reconciling data from different sources to the corresponding individuals.
  2. Pseudonymization or de-pseudonymization of data, with the aim of implementing the legal requirement of data minimization and of reducing privacy risks.
  3. Participation in the implementation of consent withdrawals, requests for data deletion or transfer and their procedural consequences.

tmf-components
Figure 1: Identity management module in the TMF data protection concept.

In order to implement these processes, the DIFUTURE architecture closely follows the data protection guideline of the TMF - Technologies, Methods and Infrastructure for Networked Medical Research e.V. [1]. As shown in Figure 1, the guideline describes an identity management module which is typically located within the trustcenter and which comprises the components patient list and pseudonymization service. The patient list is responsible for mapping the identifying data (called IDAT in the TMF guideline) to a patient or proband identifier (called PID in the TMF guideline), which is a level-1 pseudonym, while the pseudonymization service associates each patient or proband identifier with a level-2 pseudonym (called PSN in the TMF guideline).


Overview

In the DIFUTURE architecture the trustcenter stores the identifiers from the primary source systems together with further identifying data. Identical identifiers are mapped to identical pseudonyms in the trustcenter (cf. the Synthetic Derivative of VUMC). Changes of identifiers and merges, e.g. of patient identities, can be handled during the transfer of data to the DIC by annotating the source data with several identifiers of the same type (e.g. multiple identifiers per patient); in the trustcenter these are then mapped to a common pseudonym.

trustcenter-components
Figure 2: Identity management services in the DIFUTURE architecture.

entici implements the two services foreseen by the TMF guideline (patient list and pseudonymization service) using the same software component, albeit with different configurations. All relevant services accept FHIR Bundles containing arbitrary domain resources, such as Patient or Encounter.

To reflect the fact that our components are able to handle a multitude of different information in addition to the information represented by the Patient resource, we use the term entity list instead of patient list. As shown in Figure 2, a generic component called resource list can be configured to act as a service for managing identifying information (i.e. the patient list of the TMF guideline, called entity list here) and as a service for managing pseudonyms (i.e. the pseudonymization service of the TMF guideline).
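The two-level mapping described above (IDAT to PID in the entity list, PID to PSN in the pseudonymization service), the rule that identical identifiers yield identical pseudonyms, and the merging of identities by annotating a resource with several identifiers of the same type, as an added Python example. This is not entici's code: one configurable resource list class serves both levels, the identifier systems, pseudonym prefixes, union-find merge scheme and the sample bundles are assumptions made for the illustration, and matching is on identifiers only (no demographic record linkage).

```python
"""Two-level pseudonymization (IDAT -> PID -> PSN) built from one configurable
resource list. Added example, not entici's code: identifier systems, prefixes,
the merge scheme and all sample data are made up for illustration."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

PID_SYSTEM = "urn:example:trustcenter:pid"  # assumed identifier system
PSN_SYSTEM = "urn:example:trustcenter:psn"  # assumed identifier system
IDAT_ELEMENTS = ("identifier", "name", "birthDate", "address", "telecom")


@dataclass
class ResourceList:
    """Maps accepted identifiers to a random, table-stored pseudonym. Equal
    identifiers give equal pseudonyms; several on one resource merge into one."""
    output_system: str
    prefix: str
    input_systems: Optional[frozenset] = None  # None: accept every identifier
    strip_idat: bool = False                   # drop identifying elements
    merges: list = field(default_factory=list, init=False)  # (absorbed, kept)
    _table: dict = field(default_factory=dict, init=False)  # (sys, val) -> psn
    _parent: dict = field(default_factory=dict, init=False)  # union-find links
    _order: dict = field(default_factory=dict, init=False)   # creation order

    def _new_pseudonym(self) -> str:
        p = self.prefix + secrets.token_hex(8)  # random: not derivable from IDAT
        self._parent[p] = p
        self._order[p] = len(self._order)
        return p

    def _find(self, p: str) -> str:
        while self._parent[p] != p:
            p = self._parent[p]
        return p

    def resolve(self, identifiers: list) -> tuple:
        """Return (canonical pseudonym, pseudonyms absorbed by this call)."""
        keys = [(i["system"], i["value"]) for i in identifiers
                if self.input_systems is None or i["system"] in self.input_systems]
        if not keys:
            raise ValueError("resource carries no identifier this list accepts")
        known = {self._find(self._table[k]) for k in keys if k in self._table}
        if not known:
            canon, absorbed = self._new_pseudonym(), set()
        else:
            canon = min(known, key=self._order.__getitem__)  # oldest one survives
            absorbed = known - {canon}
            for other in absorbed:
                self._parent[other] = canon
                self.merges.append((other, canon))
        for k in keys:
            self._table.setdefault(k, canon)  # new identifiers join this identity
        return canon, absorbed

    def process(self, bundle: dict) -> dict:
        """Replace each resource's accepted identifiers by this list's pseudonym;
        absorbed pseudonyms are emitted too, so the next level can merge as well."""
        out = {"resourceType": "Bundle", "type": "collection", "entry": []}
        for entry in bundle["entry"]:
            res = dict(entry["resource"])
            canon, absorbed = self.resolve(res.get("identifier", []))
            if self.strip_idat:
                for element in IDAT_ELEMENTS:
                    res.pop(element, None)
            res["identifier"] = [{"system": self.output_system, "value": p}
                                 for p in (canon, *sorted(absorbed))]
            out["entry"].append({"resource": res})
        return out


def psns_of(bundle: dict) -> list:
    return [i["value"] for i in bundle["entry"][0]["resource"]["identifier"]]


def demo() -> dict:
    """Walk one patient through both lists, including a merge of identities."""
    entity_list = ResourceList(PID_SYSTEM, "PID-", strip_idat=True)
    psn_service = ResourceList(PSN_SYSTEM, "PSN-", input_systems=frozenset({PID_SYSTEM}))
    mrn, proband = "urn:example:hospital-a:mrn", "urn:example:study-x:proband"
    def patient(*ids, **idat) -> dict:  # constructed FHIR-style Patient in a Bundle
        res = {"resourceType": "Patient", **idat,
               "identifier": [{"system": s, "value": v} for s, v in ids]}
        return {"resourceType": "Bundle", "type": "collection", "entry": [{"resource": res}]}
    def pseudonymize(bundle: dict) -> dict:
        return psn_service.process(entity_list.process(bundle))
    # Day 1: the clinical system delivers MRN 123 with full IDAT.
    day1 = pseudonymize(patient((mrn, "123"), gender="female",
                                name=[{"family": "Doe"}], birthDate="1970-01-01"))
    # Day 2: the research system enrols proband P-7; the link to MRN 123 is unknown.
    day2 = pseudonymize(patient((proband, "P-7")))
    # Day 3: old MRN, new (renumbered) MRN and proband ID on one resource: merge at both levels.
    day3 = pseudonymize(patient((mrn, "123"), (mrn, "456"), (proband, "P-7")))
    # Day 4: only the new MRN arrives; it already maps to the common pseudonym.
    day4 = pseudonymize(patient((mrn, "456")))
    return {"day1": day1, "day2": day2, "day3": day3, "day4": day4,
            "pid_merges": list(entity_list.merges), "psn_merges": list(psn_service.merges)}
```

Points worth noting: the IDAT never leaves the entity list's table, and the bundle handed on carries only the PSN plus non-identifying elements, which is the data minimization the trustcenter exists for. The pseudonyms are random and stored, not derived from IDAT, so the mapping table itself is the asset that needs persistence, backup and access control. On a merge the absorbed pseudonym is emitted once alongside the surviving one; that is the signal the next level and the DIC need to consolidate records they already hold under the old pseudonym.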


[1] K. Pommerening, J. Drepper, K. Helbing and T. Ganslandt. Leitfaden zum Datenschutz in medizinischen Forschungsprojekten. Generische Lösungen der TMF 2.0. Medizinisch Wissenschaftliche Verlagsgesellschaft, Berlin, 2014.