Læknablaðið - 15.10.2001, Page 43
SCIENTIFIC ARTICLES / PERSONAL IDENTIFICATION IN A DATABASE
Personal identifiability in the Health Sector Database
Einar Árnason
Correspondence: Einar Árnason, biologist, Líffræðistofnun Háskólans, Grensásvegi 12, 108 Reykjavík. Tel.: 525 4613; e-mail: einar@lif.hi.is
Key words: personal identifiability, health sector database, identification key, family tree, context of information.
Abstract
Introduction: The question of personal identifiability is fundamental to the entire debate about the Bill and the Act on the Health Sector Database. If the data are personally identifiable, obligations under international law apply, requiring that patients' prior consent be obtained for the use of health information for purposes other than those for which it was collected. The Act assumes that one-way encryption renders the data non-personally identifiable and that it is therefore unnecessary to obtain patients' prior consent.
Results: Tracing the history of the concept of personal identifiability in the debate shows that changes were made to the definitions of personal identifiability. At first the reference was the recommendation of the Council of Europe Committee of Ministers, but later a verbatim definition was adopted from the European Union directive, which is now binding on Iceland under international law. The change was made in response to the opinion of the Data Protection Commission, which overturned the ideology that had originally been adopted regarding personal identification. Information is personal information if a key exists, and it makes no difference who holds the key. One-way encryption was then put forward as a method of nullifying the existence of a key. Nevertheless, the proponents of the database acknowledge that a key exists.
The article describes how keys to the database can be made. Since the database is longitudinal and a long-term collection and linkage of information about each individual, the encryption method must be stable over time. Anyone who has the method in hand can, with little effort, make a lookup table of names or national identification numbers (kennitölur) and the permanent numbers
ENGLISH SUMMARY
Árnason E
Personal identifiability in the Health Sector Database
Læknablaðið 2001; 87: 807-16
Introduction: Personal identifiability is a fundamental question in the debate about the Bill and Act on the Health Sector Database (HSD). If the data are personally identifiable, Iceland's international commitments dictate that a priori consent be obtained from patients for the use of their health records data. The HSD Act presumes that one-way encryption renders the data non-personally identifiable and that therefore an a priori consent is not required.
Results: The history of the concept of personal identifiability during the debate on the HSD reveals changes made to the concept. In the first instance a reference was made to Recommendation R(97)5 of the Council of Europe Committee of Ministers, which was changed by adopting a direct translation of the definition of personal data from the Directive 95/46/EC of the European Parliament and of the Council. These changes were made in response to the Data Protection Commission's opinion on the HSD Bill submitted to the Minister of Health that overturned the ideology previously used regarding identifiability of persons. Information is identifiable if there exists a key and it makes no difference who holds the key. One-way encryption was then adopted as a method that was supposed to mean that a key does not exist. Nevertheless, the database proponents now admit that a key exists.
The making of keys for opening up the database is discussed. The database is a longitudinal collection and linkage of records on each individual and therefore the method of encryption must remain stable. Therefore, anyone with access to the method can easily make a lookup table containing side by side the names and the personal numbers produced by the encryption. Although it may be hard to go from a personal number directly back to a name, given the table it is always possible to look up what personal number belongs to a certain person or what person stands behind a certain personal number. This is a key.
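
The lookup-table argument above, as an added Python example for data-protection review (not code from the article or from the database project). The register entries, identifiers, `METHOD_SECRET` and all function names are constructed for illustration; HMAC-SHA-256 stands in for the unspecified one-way method.

```python
import hashlib
import hmac
import os

# Constructed sample register: (name, identifier). Not real people or numbers.
REGISTER = [
    ("Person A", "ID-0001"),
    ("Person B", "ID-0002"),
    ("Person C", "ID-0003"),
]

METHOD_SECRET = b"constructed-demo-secret"  # hypothetical; stands for "the method"


def stable_pseudonym(identifier: str) -> str:
    """One-way and deterministic: the same person always gets the same number."""
    mac = hmac.new(METHOD_SECRET, identifier.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def random_pseudonym(identifier: str) -> str:
    """One-way with a fresh random salt per record: not stable over time."""
    salt = os.urandom(16)
    return hashlib.sha256(salt + identifier.encode()).hexdigest()[:16]


def build_lookup_table(register, method):
    """Run every known identifier through the method; the result is a key."""
    return {method(ident): name for name, ident in register}


def can_link(method, identifier: str) -> bool:
    """Longitudinal linkage needs two records of one person to share a number."""
    return method(identifier) == method(identifier)


def reidentify(table, personal_number: str):
    """Return the name behind a personal number, or None if it is not in the table."""
    return table.get(personal_number)


if __name__ == "__main__":
    table = build_lookup_table(REGISTER, stable_pseudonym)
    record_number = stable_pseudonym("ID-0002")  # number attached to a record
    print(reidentify(table, record_number))
    print(can_link(stable_pseudonym, "ID-0002"))
    print(can_link(random_pseudonym, "ID-0002"))
```

The salted variant cannot be tabulated, but it also cannot link a person's records over time, which is why a longitudinal database is tied to the stable method and therefore to the existence of a key.
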
If the method of encryption was lost or access to it was
not available it would nevertheless be possible to make a
key. The intention is to encrypt the genealogy of the entire
nation using the same encryption method used for the
HSD. The genealogy of the nation with names is also
generally available. The patterns of family trees become
unique when one family is connected to another through
marriage and childbirth. A comparison of the encrypted
genealogy containing personal numbers with the same
genealogy containing names is therefore a method for
making a key.
Finally a key can be made from the context of general
information. Even if the names were irreversibly removed
there will be enough available bits of general information
connected to a personal number to allow re-identification
of the person in a large number of instances. This amounts
to making a key.
Conclusions: The information in the Health Sector Database is personal information. Therefore it is both right and reasonable to obtain an a priori consent of patients for the transfer of their health data to the database as Iceland's international obligations stipulate. Anything less is unreasonable.
Key words: personal identification, health sector database,
keys, genealogy, context.
Correspondence: Einar Árnason. E-mail: einar@lif.hi.is
Læknablaðið 2001/87 807