1st Annual EUBIROD meeting

Dasman Center for Research and Treatment of Diabetes, Kuwait City

Kuwait City, Kuwait, 2nd-4th May 2009

Privacy Impact Assessment

C.T. Di Iorio, Serectrix, Italy

First BIRO Academy Residential Course, Kuwait City, Kuwait, 2nd May 2009


The BIRO Information System involves the use of sensitive-medical data collected through diabetes registries within national boundaries and further processed for public health studies at the international level. Privacy impact assessment is a systematic and flexible process for evaluating a proposal/project in terms of its impact upon privacy, which has been specifically adapted to the BIRO context.

In this presentation Dr. Concetta Tania Di Iorio, a legal expert leader of the privacy impact assessment for Serectrix, explains how the process allowed to provide a description of relevant privacy risks, legislation and mitigation strategies, and the methodology that led to the successful identification of the best architecture for the BIRO Information System.

In her talk, Tania describes the various steps involved in the conduction of the assessment. A multidisciplinary team carried out a preliminary systematic review of the privacy literature, followed by a general discussion on the data flow. Data flow analysis focused on alternatives identified in the first step.

A Delphi consensus procedure defined the best alternative through the production of data flow tables (possible scenarios for the collection, use and disclosure of personal information/data, with related options) information flow questionnaire (marks for each scenario/option); overall consensus table (ranking all alternative architectures, scenarios and options). Privacy analysis covered issues arising in data transfer from local centres to the central database. Potential privacy risks have been identified and thoroughly analysed through a summary table indicating mitigation strategies to be implemented. The level of risk was classified according to an ordinal scale of intensity.

Dr. Di Iorio reports that three main candidate architectures were initially identified: “individual patient data, de-identified through a pseudonym”; “aggregation by group of patients, with Centre’s identifiers available in de-identified form, securely encrypted”; and “Aggregation by Region”. Data flow analysis selected the second as the best solution in terms of privacy protection, information content, scientific soundness and feasibility.

Following this step, privacy analysis performed a detailed assessment of the various aspects involved in the adoption of the final BIRO architecture. The transfer of information occurring in the system, based upon the exchange of de-identified data and targeted mitigation strategies, corresponds to a low level of privacy risk.

Tania explains how according to the EU Data Protection Directive, BIRO can be placed outside the scope of the data protection principles therein contained. The system processes only statistical objects stored as aggregate comma delimited files: there is no possibility, according to the state of the art, to identify a patient, either directly or indirectly, with a reasonable effort. Aggregate data processed by the local database engine are sent to the central statistical engine through “ad hoc” communication software ensuring secure information exchange and compliance with security requirements enshrined in EU and international data protection norms. Therefore, further processing by the global statistical engine cannot pose any privacy risk, either directly or indirectly. Trans-border data flow envisaged in BIRO is legally viable according to the EU legislation. Publication of project results is performed to avoid any direct/indirect identification of data subjects and/or local centres.

In conclusion, privacy impact assessment shows that the selected BIRO architecture fulfils privacy protection requirements by addressing and resolving broad privacy concerns from different angles.