Rapid responses are electronic comments to the editor. They enable our users
to debate issues raised in articles published on bmj.com. A rapid response
is first posted online. If you need the URL (web address) of an individual
response, simply click on the response headline and copy the URL from the
browser window. A proportion of responses will, after editing, be published
online and in the print journal as letters, which are indexed in PubMed.
Rapid responses are not indexed in PubMed and they are not journal articles.
The BMJ reserves the right to remove responses which are being
wilfully misrepresented as published articles or when it is brought to our
attention that a response spreads misinformation.
From March 2022, the word limit for rapid responses will be 600 words not
including references and author details. We will no longer post responses
that exceed this limit.
The word limit for letters selected from posted responses remains 300 words.
EDITOR - Ragnarsson states that personally identifiable data
cannot be linked to medical data held in the proposed
Icelandic central database, as `it is made impossible
through encryption'.
This is not so. I evaluated the database design on behalf of
the Icelandic Medical Association, and it became clear that
the proposal to encrypt personal identity numbers into
pseudonyms was inadequate. Longitudonal record linkage
means that the encryption function cannot change over time,
so if someone can enter a record into an Icelandic hospital
or general practice computer system and then observe its
`de-identified' version appearing in the central database,
they can deduce the linkage between the patient ID and the
pseudonym. Even if pseudonyms could not be deduced directly,
de-identified databases suffer from the intrinsic limitation
that many patients can be identified from partial
information about their circumstances, and this may be
particularly problematic in a database which will contain
genealogical data as well as medical records.
Doctors in Britain should take note of Iceland's problems
when considering, for example, whether to construct
central databases of HIV/AIDS episodes that are identified
using encrypted NHS numbers.
In his letter to BMJ, Nigel Duncan states that the health database
legislation, passed by Iceland's parliament in December last year, allows
a private company to link their medical records with genealogical and
genetic data.
This statement is false.
It is not possible to link personally identifiable data to the
encrypted medical data in the central database. The legislation simply
forbids such use and it is made impossible by the encryption's method.
Iceland medical database is insecure
EDITOR - Ragnarsson states that personally identifiable data
cannot be linked to medical data held in the proposed
Icelandic central database, as `it is made impossible
through encryption'.
This is not so. I evaluated the database design on behalf of
the Icelandic Medical Association, and it became clear that
the proposal to encrypt personal identity numbers into
pseudonyms was inadequate. Longitudonal record linkage
means that the encryption function cannot change over time,
so if someone can enter a record into an Icelandic hospital
or general practice computer system and then observe its
`de-identified' version appearing in the central database,
they can deduce the linkage between the patient ID and the
pseudonym. Even if pseudonyms could not be deduced directly,
de-identified databases suffer from the intrinsic limitation
that many patients can be identified from partial
information about their circumstances, and this may be
particularly problematic in a database which will contain
genealogical data as well as medical records.
Doctors in Britain should take note of Iceland's problems
when considering, for example, whether to construct
central databases of HIV/AIDS episodes that are identified
using encrypted NHS numbers.
Competing interests: No competing interests