Within the DIFUTURE architecture, the role of the trust center is to reduce disclosure risks and to implement the regulatory requirement of data minimization by early pseudonymization. To this end, the trust center is an organizational and technical unit responsible for separately storing various types of information which are associated with a high risk of identifiability and which are not needed by the Data Integration Center on a daily basis. The processes supported by the trust center all require the use of identifying information:

  1. The management of identifying data and corresponding identifiers for patients and probands from clinical and research systems, with the aim of uniquely reconciling data from different sources to the corresponding individuals.
  2. Pseudonymization or de-pseudonymization of data with the aim of implementing the legal requirement of data minimization and reducing privacy risks.
  3. Participation in the implementation of consent withdrawals, requests for data deletion or transfer and their procedural consequences.


Figure 1: Identity management module in the TMF data protection concept.


To implement these processes, the DIFUTURE architecture closely follows the data protection guideline of the TMF (Technologies, Methods and Infrastructure for Networked Medical Research e.V.) [1]. As shown in Figure 1, the guideline describes an identity management module which is typically located within the trust center and which comprises two components: the patient list and the pseudonymization service. The patient list maps the identifying data (called IDAT in the TMF guideline) to a patient or proband identifier (called PID in the TMF guideline), which is a level-1 pseudonym, while the pseudonymization service associates each patient or proband identifier with a level-2 pseudonym (called PSN in the TMF guideline).



The DIFUTURE architecture is developed iteratively in several phases. In the current phase, the trust center only stores the identifiers from the primary source systems and no further identifying data. Record linkage of data from different systems on the basis of additional identifying information is therefore not supported. Identical identifiers are mapped to identical pseudonyms in the trust center (cf. Synthetic Derivative of the VUMC). Changes of identifiers and mergers, e.g. of patient identities, can be handled during the transfer of data to the DIC by annotating the source data with several identifiers of the same type (e.g. multiple identifiers per patient). In the trust center, they will then be mapped to a common pseudonym.


Figure 2: Identity management services in the DIFUTURE architecture.


The technical components developed to support the DIFUTURE trust centers implement the two services foreseen by the TMF guideline (patient list and pseudonymization service) by using the same software component, albeit with different configurations.

The identity management services in the trust center accept FHIR Bundles containing a multitude of different types of resources:

To reflect the fact that our components can handle many different kinds of information in addition to the information represented by the patient resource, we use the term entity list instead of patient list. As shown in Figure 2, a generic component called resource list can be configured to act as a service for managing identifying information (i.e. the entity list foreseen by the TMF) and as a service for managing pseudonyms (i.e. the pseudonymization service in the TMF guideline).
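The following sketch is an added example, not DIFUTURE code: it shows one generic component configured twice, as entity list and as pseudonymization service, and how several identifiers of the same type annotating one record are mapped to a common pseudonym, as described above. The class and function names, the random pseudonym format and the way a merger is forwarded to the second level are assumptions; FHIR Bundle handling is left out.

```python
import secrets


class ResourceList:
    """Added illustration of a generic 'resource list': maps identifiers to
    pseudonyms. Class and method names are hypothetical, not DIFUTURE's API."""

    def __init__(self, prefix):
        self.prefix = prefix   # configuration: which kind of pseudonym is issued
        self._table = {}       # (identifier type, value) -> pseudonym

    def resolve(self, id_type, values):
        """Map all identifiers of one type that annotate the same record to a
        single pseudonym. Returns (pseudonym, pseudonyms unified by this call)."""
        keys = [(id_type, v) for v in values]
        known = sorted({self._table[k] for k in keys if k in self._table})
        # Assumption: pseudonyms are random values, so they reveal nothing
        # about the identifier and can only be reversed via the stored table.
        pseudonym = known[0] if known else f"{self.prefix}-{secrets.token_hex(8)}"
        # Merger: re-point every entry that still carries a superseded pseudonym.
        for key in list(self._table):
            if self._table[key] in known:
                self._table[key] = pseudonym
        for key in keys:
            self._table[key] = pseudonym
        return pseudonym, known or [pseudonym]


# One component, two configurations (cf. Figure 2).
entity_list = ResourceList("PID")                # source identifier -> level-1 pseudonym
pseudonymization_service = ResourceList("PSN")   # PID -> level-2 pseudonym


def pseudonymize(id_type, values):
    """Return the PSN for a record annotated with one or more source identifiers."""
    pid, unified_pids = entity_list.resolve(id_type, values)
    # Assumption: a merger at level 1 is forwarded as several PIDs for one
    # record, so level 2 unifies the corresponding PSNs the same way.
    psn, _ = pseudonymization_service.resolve("PID", unified_pids)
    return psn


if __name__ == "__main__":
    # Constructed sample identifiers ("MRN" is a made-up identifier type).
    first = pseudonymize("MRN", ["1001"])
    other = pseudonymize("MRN", ["2002"])
    merged = pseudonymize("MRN", ["1001", "2002"])   # identity merger
    print(first != other, merged == pseudonymize("MRN", ["2002"]))
```
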



[1] K. Pommerening, J. Drepper, K. Helbing and T. Ganslandt. Leitfaden zum Datenschutz in medizinischen Forschungsprojekten. Generische Lösungen der TMF 2.0. Medizinisch Wissenschaftliche Verlagsgesellschaft, Berlin, 2014.