Rapid Responses to:

NEWS:
Nigel Duncan
World Medical Association opposes Icelandic gene database
BMJ 1999; 318: 1096a

Opposition based on false information. 4 May 1999
G Ragnarsson,
Assistant principal
Fjölbrautaskólinn í Garðabæ


In his letter to BMJ, Nigel Duncan states that the health database legislation, passed by Iceland's parliament in December last year, allows a private company to link their medical records with genealogical and genetic data.

This statement is false.

It is not possible to link personally identifiable data to the encrypted medical data in the central database. The legislation simply forbids such use and it is made impossible by the encryption's method.

Gisli Ragnarsson

Iceland medical database is insecure 19 May 1999
Ross Anderson,
Lecturer
Cambridge University Computer Laboratory


EDITOR - Ragnarsson states that personally identifiable data cannot be linked to medical data held in the proposed Icelandic central database, as 'it is made impossible through encryption'.

This is not so. I evaluated the database design on behalf of the Icelandic Medical Association, and it became clear that the proposal to encrypt personal identity numbers into pseudonyms was inadequate. Longitudinal record linkage means that the encryption function cannot change over time, so if someone can enter a record into an Icelandic hospital or general practice computer system and then observe its 'de-identified' version appearing in the central database, they can deduce the linkage between the patient ID and the pseudonym. Even if pseudonyms could not be deduced directly, de-identified databases suffer from the intrinsic limitation that many patients can be identified from partial information about their circumstances, and this may be particularly problematic in a database which will contain genealogical data as well as medical records.

Doctors in Britain should take note of Iceland's problems when considering, for example, whether to construct central databases of HIV/AIDS episodes that are identified using encrypted NHS numbers.
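
Added example, not part of either letter and not the Icelandic design: a small Python audit of a de-identified extract that measures the two exposures the second response describes, a pseudonym function that stays fixed over time and patients singled out by partial information. HMAC-SHA256 as the pseudonym function, the key, the field names and every record are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"  # assumption: one fixed secret, never rotated

def pseudonym(patient_id):
    # Assumption: HMAC-SHA256 stands in for the unspecified encryption function.
    return hmac.new(KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:12]

def deidentify(record):
    # Drop the identity number, keep everything else, attach the pseudonym.
    row = {k: v for k, v in record.items() if k != "patient_id"}
    row["pseudonym"] = pseudonym(record["patient_id"])
    return row

# Constructed sample records; IDs, districts and codes are made up.
SOURCE = [
    {"patient_id": "ID-0001", "birth_year": 1950, "district": "A", "dx": "I10", "visit": "1998-03-02"},
    {"patient_id": "ID-0001", "birth_year": 1950, "district": "A", "dx": "E11", "visit": "1999-01-15"},
    {"patient_id": "ID-0002", "birth_year": 1950, "district": "A", "dx": "J45", "visit": "1998-07-09"},
    {"patient_id": "ID-0003", "birth_year": 1971, "district": "B", "dx": "J45", "visit": "1998-07-09"},
    {"patient_id": "ID-0004", "birth_year": 1971, "district": "B", "dx": "I10", "visit": "1999-02-20"},
]
CENTRAL = [deidentify(r) for r in SOURCE]

def pseudonym_for_known_record(known, central):
    # Audit step 1: someone who knows one full source record looks for the
    # central row that matches it; a single match reveals ID -> pseudonym.
    fields = {k: v for k, v in known.items() if k != "patient_id"}
    hits = {row["pseudonym"] for row in central
            if all(row[k] == v for k, v in fields.items())}
    return hits.pop() if len(hits) == 1 else None

def history_under(pseud, central):
    # Audit step 2: the fixed function ties every visit to that pseudonym.
    return sorted(row["visit"] for row in central if row["pseudonym"] == pseud)

def smallest_group(central, quasi):
    # Audit step 3: k-anonymity over quasi-identifiers; k == 1 means at least
    # one patient is singled out by partial information alone.
    patients = {(row["pseudonym"],) + tuple(row[q] for q in quasi) for row in central}
    groups = Counter(p[1:] for p in patients)
    return min(groups.values())
```

On this constructed data, birth year and district alone leave every patient in a group of two, while adding the diagnosis code reduces the smallest group to one.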