Transparency builds trust
Transcription
Transparency builds trust
Transparency builds tr ust Introducing ZorgTTP All organisations that process privacy-sensitive information are subject to the Dutch Personal Data Protection Act, the We t B e s c h e r m i n g P e r s o o n s g e g e v e n s ( W B P ) . T h e i n d e p e n d e n t D u t c h D a t a P r o t e c t i o n A u t h o r i t y ( D PA ) s t r i c t l y m o n i t o r s t h e compliance with the regulations. And so they should, as our privacy should be handled with care. It is by no means easy to ensure that your sensitive data is fully protected according to the existing laws and regulations. F o r t u n a t e l y, y o u a r e n o t a l o n e . Wo u l d n ’ t i t b e n i c e t o h a v e a reliable third party by your side, to advise and support you? P l e a s e m e e t Z o r g T T P. ZorgTTP is a so-called ‘Trusted Third Party’; an experienced and straightforward partner offering support with the exchange and sharing of privacy sensitive data. We have the knowledge, experience and competence to process personal data in such a way that it is completely anonymous and ready to be used within all legal boundaries. ZorgTTP services ZorgTTP offers a complete range of services in the field of privacy protection of personal data. Our integral services allow us to do and achieve more. ZorgTTP is proud to offer high quality services. Contents Introducing ZorgTTP 3 It’s all about trust! 5 Our services 7 from different perspectives and About Tres® (encryption/decryption) 8 everything. However, I can’t seem ‘Being an academic, I am used to looking at things finding shortcomings in just about to find any in the ZorgTTP services.’ Extensive network 9 Some of ZorgTTP’s clients 10 Jaap van Lakerveld, PhD Executive Director Plato BV, Leiden University 2 3 It’s all about trust! With delicate matters like the careful processing of sensitive personal information, you have to be able to fully trust our services and integrity. Your trust is the foundation of our success. Therefore, together we will make sure that your wishes comply with the starting points and guaranteed services of ZorgTTP. ZorgTTP operates from the following starting points: • B efore closing any agreement, ZorgTTP and the customer carefully investigate if the client’s demands concur with ZorgTTP’s basic principles and objectives; •D ata collection, processing and opening up remain strictly separated at all times; • In all respects, in any situation, during the entire process, ZorgTTP assumes an open and transparent professional attitude; •A ll processes, the software as well as the procedures are regularly audited, by independent audits. Thus, we guarantee high quality, secure services. Clients ZorgTTP aims to secure privacy sensitive information streams in health care as well as in other fields. When it is essential to be able to monitor individuals over periods of time or link several sources of information, pseudonymization provides great value. ZorgTTP has increasingly been working with companies and partners in the fields of justice, welfare and education. ‘ZorgTTP is without a doubt the most used ‘pseudonymisator ’ of the important actors in the care sector. It considerably simplifies the exchange of data files.’ Eric Hans Eddes, MD Managing Director DICA and surgeon, Deventer Hospital 5 Our services About Tres® (encryption/decryption) ZorgTTP has developed a number of services to meet the particular needs and demands of their potential clients. They are: •Q uick scan: preliminary inquiry dealing with identifying personal data and information security; •A dvising on security, unique client coding and privacy protection; •K ey development, anonymization; • P seudonymization; •A uthentication /encryption: Tres® (Trusted Reversible Encryption Service); • S ecured data archives. ‘ZorgTTP is an expert in pseudonymizing care data and enjoys an impeccable reputation.’ Barry Egberts, senior manager Kenniscentrum Zorg and Gezondheid, About pseudonymization With pseudonymization all data that can lead to identification of individuals is replaced by unique pseudonyms that cannot be traced back to these individuals. These irreversible pseudonyms allow stakeholders to exchange information without jeopardizing any person’s privacy in any aspect. The conversion of sensitive personal data to an irreversible pseudonym has two stages. The party owning the personal data that needs to be shared (the source) uses the pseudonymization software to convert the data to a so-called ‘pre-pseudonym’, following Dutch DPA requirements. Then, ZorgTTP converts the pre-pseudonym to a final pseudonym. The final pseudonym with the data attached to it, is disclosed to the receiving party. Only ZorgTTP knows how the final pseudonym is created. Neither the source nor the recipient can retrace the original personal information. This way, data can be exchanged without violating privacy. Furthermore, if necessary, researchers are able to file transparent and controlled requests for additional information with the source without jeopardizing the security of sensitive personal data. Tres® (Trusted Reversible Encryption Service) is developed by Advanced Data Management (ADM) of the LUMC (University Medical Centre of Leiden) and ZorgTTP. Tres® is based on reversible encryption to shield personal data for non-authorized use. Tres® is developed for registrations which have legal grounds to register personal information. Examples of typical data are our social security number (BSN) or an individual’s name combined with other identifying data. The user uses his/her own information system to log on to Tres®. While saving the information the designated variables are simultaneously encrypted through Tres®. In the end, it is only ‘ZorgTTP is always ready and prepared to keep searching for acceptable solutions for all parties. This constructive attitude is exactly what we will be needing in the future.’ Mrs ir. Hannelore Hofhuis, PhD Secretary of the board, Achmea PALGA Foundation 6 7 the encrypted data that is saved in the user’s information system. Only authorized users are able to decrypt the values. By trusting ZorgTTP with your encryption and decryption you can be sure that no other party than the authorized users have access to the converted data. The pseudonymization and Tres® can be used complementary. Extensive network Finally For the future, ZorgTTP has but one goal, which is to provide the best services possible in the field of personal data protection. We intend to reach this goal by staying true to our key values: transparency, innovation and effectiveness, and by always putting the client first. By doing so, ZorgTTP has been able to become a Trusted Third Party with high quality and client-oriented services. Together with our clients and partners, we look forward to continuing and expanding this position. We have built an extensive network of companies, organizations and clients with whom we work closely. In recent years we have been working with the independent Dutch Data Protection Authority (CBP), the Ministry of Health, Welfare and Sport, the Dutch umbrella organization for health insurers (Zorgverzekeraars Nederland), Medical Specialists in mental care, the Dutch National Tax Services, various research bureaus, and many more. Thousands of data sources all over the Netherlands To date, ZorgTTP has contributed largely to the realization of a large number of projects in the field of data exchange. The data sources that are providing personal data through an operational pseudonymization chain contain from twelve to thousands of records per chain. ‘ZorgTTP works apt and effective. Communication lines are short and they are readily available at any given time. Their power lies in the fact that they know their responsibilities and maintain clear and open communications.’ Eise Douma, manager DBC Informatie Systeem (DIS), DBC Onderhoud 9 Some of ZorgTTP’s clients •A GIS / ACHMEA, Amersfoort; • Informatie Voorziening Zorg (IVZ), Houten; •C AK, The Hague; • L eids Universitair Medisch Centrum (authentication in developmental stage, Tres®); • C entraal Bureau voor de Statistiek (CBS), The Hague; •M enzis, Enschede; •C entrum Indicatiestelling Zorg (CIZ), •M inisterie van Volksgezondheid, Welzijn en Driebergen; Sport (VWS), The Hague; •C ollege voor zorgverzekeringen (Cvz), •M inisterie van Defensie, The Hague; Diemen; •N ederlands Instituut voor Onderzoek Eerste •D BC Onderhoud, Utrecht; Lijn (NIVEL), Utrecht; •D utch Hospital Data (DHD), Utrecht; •N ederlandse Vereniging van Heelkunde (NVvH), Utrecht; •D utch Institute for Clinical Auditing (DICA), Leiden; • P athologisch Landelijk Geautomatiseerd Archief (PALGA), Utrecht; • E xpertisecentrum Forensische Psychiatrie (EFP), Utrecht; • P erinatale Registratie Nederland (PRN), Utrecht; •G emeente Leiden en Plato BV Universiteit • Leiden; •R egio Twente van de Provincie Overijssel; G G&GD, Amsterdam; • •H ans Mak Instituut (HMi), Naarden; S tichting Benchmark GGZ (SBG), Bilthoven; •V ektis, Zeist. The utmost care had been taken with this publication. However, nothing from this publication may be duplicated and/or published without the written consent of Zorg TTP Summer 2012 10 Visiting address: Randhoeve 225 3995 GA Houten The Netherlands Postal adddress: Postbus 529 3990 GH Houten The Netherlands Telephone: +31-30-636 0649 info@zorgttp.nl Servicedesk: +31-30-637 8708 servicedesk@zorgttp.nl www.zorgttp.nl Pseudonymization allows exchange of sensitive information without privacy violating.