Privacy by Design for Secondary Data Analysis

Objective Secondary data analysis is becoming more powerful and commonly utilized for biomedical research using patient records and genomic data. In both data, de-identification has been proven to be ineffective due to linkage attacks that can re-identify some subpopulation of the data. We need a better model for privacy protection in secondary analysis of biomedical data. Design In this paper, we review state of the art privacy protection technology and policy frameworks from widely different fields – WWW, software management, social computing, statistics, and law – and synthesize the findings to present a comprehensive model of privacy protection in biomedical research using the privacy by design approach. Based on common activities in the research pipeline, we propose four different data access systems that minimize risk and optimize utility in data. We then evaluate the model by analyzing the risk and utility of data through a realistic example. Results We found that there are four common types of activity in the research pipeline that require different levels of data and protection – decoupled microdata, de-identified microdata, raw aggregate data, and sanitized data. The four corresponding levels of data access – restricted access, controlled access, monitored access, and open access – together can provide a comprehensive model for privacy protection, balancing the risk and utility of secondary data analysis for biomedical research. Discussion and Conclusion Privacy protection is a complex issue and requires a holistic approach combining technology, statistics, policy and a shift in culture of information accountability through transparency rather than secrecy. Keywordsprivacy by design, secondary data analysis, open access, monitored access, controlled access, restricted access