Læknablaðið - 15.11.1998, page 60
LÆKNABLAÐIÐ 1998; 84: 874
Bill for an Act on a Health Sector Database
Ross Anderson
The DeCODE Proposal for an Icelandic Health Database
Executive Summary

I have been invited by the Icelandic Medical Association to evaluate the privacy aspects of deCODE's proposal for a central database of Icelanders' medical records, genealogy and genetic data. The primary use of the proposed database is research into hereditary diseases by or on behalf of drug companies; its secondary uses will include providing management information to the health service and supporting other research.

Of the three components of the database, the genealogies are essentially public domain, and the genetic data will be gathered from patients who have given their consent to its use in research. The medical records will, however, be collected from hospitals and health centres, de-identified only to the extent that obvious identifiers such as names and social security numbers will be replaced with a single pseudonym. Patients will have the right to opt out of the database, but will not be asked to give explicit consent.

This creates a serious conflict with medical ethics and with data protection principles, both of which demand that with few exceptions, patients' consent be sought for the use of their personal health information.

Many countries permit data which have been made anonymous to be used in certain circumstances without consent. For example, health service managers routinely gather statistics such as numbers of operations and consumption of drugs. These statistics are typically compiled from current records which give only a snapshot of healthcare activity at a certain time or over a short period; de-identifying such records is relatively easy.

Some countries maintain databases of de-identified medical records which link together all, or many, of the health care encounters in a patient's life. Such records are in practice impossible to de-identify completely, as the combination of data is frequently enough to identify the patient. They do not even meet the more usual test of requiring unreasonable effort by an attacker who wishes to identify a patient. It is therefore necessary to have quite extensive controls to prevent abuse.

For example, New Zealand maintains a database called the National Medical Data Set which contains most citizens' health records, identified by an encrypted social security number. In addition, the system limits access to a small group of health service statisticians, limits the type of enquiry that can be made, and rejects any enquiry which would be answered by reference to the records of less than six patients. Even in the presence of such controls, special administrative measures are also thought necessary; all the national databases of which I am aware are operated by government agen-

The British expert Ross Anderson, who stayed in this country from 9 to 13 October last, has issued an opinion on the database bill. Læknablaðið publishes here Ross Anderson's summary of the matter; his report in full can be found at the web address:
http://www.cl.cam.ac.uk/~rjal4/iceland/iceland.html
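
An added illustration, not taken from Anderson's report or from any national system, of two points in the summary: linking a patient's encounters shrinks the group of patients who share the same data, and a minimum query set size of six refuses the narrow enquiries that result. The records, diagnosis labels, years and function names are constructed for the example.

```python
from collections import Counter

MIN_QUERY_SET = 6  # threshold the summary reports for New Zealand's data set
CODES = ["asthma", "diabetes", "fracture", "migraine"]  # constructed labels
YEARS = [1995, 1996, 1997]                               # constructed years


def build_records(n=64):
    """Constructed data: pseudonym -> {year: diagnosis}, one encounter a year."""
    return {
        f"P{i:03d}": {year: CODES[(i // 4 ** k) % 4] for k, year in enumerate(YEARS)}
        for i in range(n)
    }


def smallest_group(records, years):
    """Size of the smallest set of patients sharing the same values for `years`.

    A result of 1 means some patient is singled out by that combination,
    even though names and numbers were replaced by a pseudonym.
    """
    groups = Counter(tuple(hist[y] for y in years) for hist in records.values())
    return min(groups.values())


def count_query(records, criteria):
    """Answer a count enquiry, or refuse (None) when fewer than
    MIN_QUERY_SET patients match the criteria {year: diagnosis}."""
    matches = sum(
        all(hist.get(y) == code for y, code in criteria.items())
        for hist in records.values()
    )
    return matches if matches >= MIN_QUERY_SET else None


if __name__ == "__main__":
    recs = build_records()
    # Snapshot of one year versus progressively longer linked histories.
    for span in (YEARS[:1], YEARS[:2], YEARS):
        print(span, "smallest group:", smallest_group(recs, span))
    print("one-year enquiry:", count_query(recs, {1995: "asthma"}))
    print("linked enquiry:",
          count_query(recs, {1995: "asthma", 1996: "diabetes", 1997: "fracture"}))
```

On this data a single-year snapshot leaves every patient in a group of 16, while the three-year linked history is unique to each patient, so the linked enquiry is refused.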