Resources for health data de-identification
SPHN supports researchers in de-identifying personal health data in line with Swiss legal requirements. The resources include expert guidance that elaborates on a sound data de-identification methodology and a practical Risk Assessment Template to help researchers implement the methodology in practice.
Applying a fixed set of de-identification rules is not sufficient to protect personal data in compliance with Swiss law. An assessment of re-identification risks is also required, taking into account the specific dataset, project context, and additional risk mitigation measures. To meet these requirements, SPHN provides resources that combine both rule-based and risk-based approaches. The de-identification guidance helps meet the new requirement of the Human Research Ordinance for a documented process of anonymization and re-identification risk assessment. While the use of SPHN's resources is not mandatory, Swissethics recommends their adoption.
The resources include a Guidance Paper based on international expertise, outlining a legally compliant methodology for data de-identification in Switzerland. The methodology includes a practical tool – the Excel Risk Assessment Template. The template allows project leaders to iteratively identify re-identification risks, select appropriate de-identification rules for their data, and define contextual risk mitigation measures.
The completed risk assessment provides a project-specific risk profile, which can be used for project submission to the ethics committee.
How to use the template
The Risk Assessment Template guides researchers and project leaders through a series of 40 questions. It assesses both the risks inherent in the data and contextual control measures in place. These include what data is being used, who has access to it, where it is stored, and which rules are selected to de-identify data. The template then classifies a project's risk profile as high, medium, or low. Researchers can iteratively define additional mitigation measures until they achieve a risk profile that is acceptable to all project partners.
The template should not be used as the Data Protection Impact Assessment (DPIA). The DPIA must be carried out if the processing of personal data is likely to result in a high risk of violating a data subject's personality or fundamental rights. However, the Data Protection Officer might well base their assessment on the information provided in the Risk Assessment Template.