Data linkage privacy

The Department of Health is committed to maintaining privacy and provides multiple layers of protection to safeguard personal information, including:

• A strong professional culture among staff that values the protection of individual privacy. Data Engineers in Data Linkage Services are employed under the Public Sector Management Act 1994 (WA) and are bound by its privacy and confidentiality provisions. Staff also undergo Criminal Record Screening.
• All data linkage staff members sign confidentiality acknowledgements required to link sensitive data.
• The content information provided to data applicants (such as details of diagnosis or treatment) are stored and worked on separately to the identifying information used for linkage (such as name, date of birth and address) – see ‘the separation principle’ below.
• Requests for linked health data for research must be approved by the WA Health Central Human Research Ethics Committee and Research Governance Office.
• A stringent review process is enforced to ensure formal approval for the project has been granted by the data custodian/s (the person who manages that dataset).

The separation principle

The separation principle was developed to address privacy concerns and enable data custodians to retain control over access to information in their care. This protocol, described in Kelman (2002), is now referred to as “best practice protocol” and is used widely by a number of linkage centres around the world.

Data Linkage Services aims to protect privacy by restricting access to personal identifying information through proper application of the separation principle.

The principle consists of four distinct steps, to ensure access to identifying information is restricted to a specialised linkage team who perform the first and second steps. Data custodians are involved in the third step. Data applicants are only involved in the last step and therefore do not need to access any personal identifying information.

1. Data engineers within the Data Linkage team create, store and manage links in a dynamic linkage system using confidential personal demographic information.
2. Data engineers within the Data Engineering Outputs team extract subsets of links from the linkage system, then encrypt these “linkage keys” differently for each particular project.
3. Encrypted “linkage keys” are used to merge with clinical or service details (known as ‘content data’) for that particular project.
4. Data applicants receive content data to conduct their analyses.

For more detailed information, see the article on the separation principle published by the Australian Government National Statistical Service.