fields of health administration and medical research
have revived the idea of digital pseudonyms.
1.3 The Pseudonymisation Process
There are different ways to carry out the process of
generating a digital pseudonym to conceal the data
subject’s real identity.
The simplest form of pseudonyms, used for
decades in research projects based on samples, is to
assign a sequence number to each respondent. To
enhance the respondents’ trust, the researcher could
hire a third party to perform the assigning process.
This method works well for one-time surveys. For a
panel study followed over time, managing the sequence
numbers becomes increasingly difficult, and coupling the
data with relevant data from other sources would require
an explicit process of reversing the sequence numbers,
at which point the pseudonyms would be illusory. Replacing
a “real identity” with an unrelated sequence number is
only trustworthy when the researcher grants the
respondent permanent anonymity and never adds to the
data later. It is not a viable method for a long-term,
multi-purpose health register.
A digital pseudonym in a health register therefore
relies on cryptography. The input to the algorithm
that generates the pseudonym has to be a stable
identifying number, one that does not change over time
for the same patient. In Norway, the national identity
number provides a convenient unique input. The health
register does not need to store the national identity
number; the algorithm ensures that the same pseudonym is
assigned to the same patient whenever more data is added
to the register.
With a reliable and stable identification there
are, conceptually, two different ways to generate a
pseudonym. One way is to use a one-way (cryptographic)
hash function. The hash function generates a digest
that is unique to the input, but there is no way to
reverse the digest back to the input identifier.
Because the same input identifier always maps to the
same digest, it is possible to add data about the same
patient to the same health register. It is, however,
not possible to couple individual-level data between
two different health registers. This method provides a
very high degree of confidentiality, but is on the
other hand inflexible: two health registers cannot be
merged, and it would not be possible to contact a
registered patient, for instance if a new treatment
method vital to his particular disease is developed.
One caveat applies to the hash-based method: a national
identity number has a small, structured value space, so
an unkeyed digest can be reversed simply by hashing every
candidate number and comparing. In practice the hash has
to be keyed (for example an HMAC) with a secret held by
the register or by a third party, and the pseudonym is
then only as confidential as that key.
The alternative way to generate a pseudonym
resembles “public key” encryption technology, and is
basically the same as Chaum invented (see section 1.2
above). The input to the algorithm is the same stable
and reliable patient identity number. An encryption
algorithm, using the “public key” of a key pair,
generates the pseudonym. The encryption must be
deterministic: the same input under the same public key
always yields the same pseudonym, which is what makes
it possible to add data about the same patient to the
same health register. In addition, a decryption
algorithm can reverse the pseudonym back to the “real
identity”, using the “private key” of the key pair that
was used for encryption. A trusted third party, an
independent pseudonym manager, carries out the
encryption and, if requested, the decryption. The
health register never sees the real identity of the
patient, and the trusted third party, which is able to
reverse the pseudonym, has no access to sensitive
information about the patients. Note that deterministic
encryption of a small identifier space is as exposed to
exhaustive guessing as an unkeyed hash, so the “public”
key is public only in the cryptographic sense; in this
scheme both keys stay with the pseudonym manager. The
process provides more flexibility at the cost of more
fragile pseudonyms: the confidentiality of the patient
rests to a higher degree on trust, and breaking the
pseudonyms is somewhat easier from a technical point of
view.
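Both constructions described above, as an added example in Python (not code from the paper or from any Norwegian register): the irreversible keyed hash, the exhaustive-guessing check that shows why the hash must be keyed, and a reversible pseudonym issued and reversed only by a trusted third party. The identity number, the candidate list, the register key and the small textbook-RSA primes are all constructed for the demonstration; a real deployment would use proper key sizes and key management.

```python
"""Added example: the two pseudonym constructions discussed in section 1.3,
using only hashlib/hmac from the standard library plus a deliberately small
textbook-RSA key pair. Not the Norwegian registers' actual software; the
identity number and all key material below are constructed sample data."""
import hashlib
import hmac

# Constructed 11-digit identifier in the shape of a Norwegian national identity
# number (the check digits are NOT valid; it is sample data only).
SAMPLE_ID = "01010012345"
# Constructed attacker's candidate list: a small slice of the identifier space.
CANDIDATES = [f"{n:011d}" for n in range(1010012000, 1010013000)]


# --- Method 1: irreversible pseudonym ---------------------------------------

def plain_hash_pseudonym(identity_number: str) -> str:
    """Unkeyed SHA-256. Same input -> same digest, so a register can keep
    adding data about one patient, but anyone can recompute the digest for
    every candidate number, so it is not confidential by itself."""
    return hashlib.sha256(identity_number.encode()).hexdigest()


def keyed_hash_pseudonym(identity_number: str, register_key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the digest cannot be
    recomputed, and two registers keyed differently cannot be joined."""
    return hmac.new(register_key, identity_number.encode(),
                    hashlib.sha256).hexdigest()


def brute_force(target: str, candidates, recompute):
    """Attacker's view: recompute the pseudonym for each candidate identifier
    with whatever function (and key) the attacker has, and compare."""
    for candidate in candidates:
        if hmac.compare_digest(recompute(candidate), target):
            return candidate
    return None


# --- Method 2: reversible pseudonym held by a trusted third party ----------

class PseudonymManager:
    """Independent pseudonym manager (the trusted third party). Textbook RSA
    without padding is used on purpose: encryption is deterministic, so the
    same identifier always maps to the same pseudonym and the register can
    accumulate data about one patient. Toy parameters (two ~30-bit primes)
    for illustration only. Determinism also means anyone holding (e, n)
    could brute-force the identifier space exactly as above, which is why
    the manager performs the encryption itself and keeps both keys."""

    def __init__(self, p: int, q: int, e: int = 65537):
        self.n = p * q
        self.e = e
        self.d = pow(e, -1, (p - 1) * (q - 1))   # private exponent

    def pseudonymize(self, identity_number: str) -> int:
        m = int(identity_number)
        if not 0 < m < self.n:
            raise ValueError("identifier does not fit the modulus")
        return pow(m, self.e, self.n)

    def reverse(self, pseudonym: int) -> str:
        """Only the manager can do this; the register never calls it."""
        return f"{pow(pseudonym, self.d, self.n):011d}"


class HealthRegister:
    """Stores records under the pseudonym only; never sees the identifier."""

    def __init__(self):
        self.records = {}

    def add(self, pseudonym, record: str) -> int:
        self.records.setdefault(pseudonym, []).append(record)
        return len(self.records[pseudonym])


def demo() -> dict:
    register_key = b"constructed secret key held by the register"
    manager = PseudonymManager(p=1_000_000_007, q=998_244_353)  # known primes
    register = HealthRegister()
    pseudo = manager.pseudonymize(SAMPLE_ID)
    register.add(pseudo, "2004: diagnosis")
    n_records = register.add(manager.pseudonymize(SAMPLE_ID), "2006: treatment")
    return {
        "unkeyed_recovered": brute_force(plain_hash_pseudonym(SAMPLE_ID),
                                         CANDIDATES, plain_hash_pseudonym),
        "keyed_recovered": brute_force(
            keyed_hash_pseudonym(SAMPLE_ID, register_key), CANDIDATES,
            lambda c: keyed_hash_pseudonym(c, b"attacker's guessed key")),
        "records_for_patient": n_records,
        "reversed_by_manager": manager.reverse(pseudo),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two properties side by side: the unkeyed digest is recovered from a thousand-candidate list in a fraction of a second, the keyed digest is not, and the manager (but not the register) turns the RSA pseudonym back into the identifier.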
The latter method, a trusted third party handling
reversible pseudonyms, has been the method of
choice for pseudonymous health registers in Norway
so far. Non-reversible pseudonyms would also
conform to the legislation on health registers, yet it
is not very likely that a register owner voluntarily
would choose this less flexible process.
2 LEGISLATIVE SUPPORT FOR
PSEUDONYMS
Recent technological innovations often seem to be
far ahead of developments in legislation. Society’s
toolbox for protecting values and for distributing
rights and obligations usually adapts slowly, to fit
technological changes that have already taken place.
The introduction of pseudonyms in Norwegian
health registers differs from this typical path of
history. The first Norwegian national register based
on pseudonyms was established in 2004. By that
time participants in various legislation processes had
already advocated this method for more than a
decade. Technologists and professional users of the
registers remained sceptical. Pseudonymous health
registers have in any case not been “technology-
driven” in Norway; it would be far more correct to
call it a “legislation-driven” development.
Norway has had registers for specific diseases,
such as The Cancer Register, for decades. They
started out as paper files, and were later converted to
computer databases. The specific health registers
ON PSEUDONYMOUS HEALTH REGISTERS - While they Work As Intended, they are Still Controversial in Norway
61