Reconciling business demands with strong privacy protection is challenging. Smart identifier pseudonymisation can be a crucial, elegant and cost-effective element of the solution. Replacing citizen identifiers with cryptographic pseudonyms, e.g. local codes, drastically reduces identification risks.
We have developed three different techniques for smart identifier pseudonymisation, which are listed below. An overview was given in my 2024 Devoxx talk on the topic. Slides as well as the recording, both in English, are publicly available.
Blind Pseudonymisation Service eHealth
eHealth’s blind pseudonymisation service enables a high level of security on a need-to-know basis:
- The healthcare providers learn the citizen identifiers, but not the pseudonyms,
- The backend service learns the backend-specific pseudonyms, but not the citizen identifiers,
- The service itself sees neither.
This increasingly pivotal service in Belgian healthcare is live today and is already used to protect centralised medical data in Belgium, such as medical prescriptions.
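As an added illustration, not eHealth's actual protocol (which this page does not describe), the toy Python flow below shows one way the three need-to-know properties above can be achieved with blinded keyed exponentiation: the healthcare provider blinds the hashed identifier before sending it, the service applies a backend-specific key plus a fresh transit blinding factor intended only for the backend, and only the backend removes that factor to obtain the final pseudonym. All class and function names, the sample identifier and the use of the 1024-bit MODP group as a toy parameter are assumptions of this example.

```python
import hashlib
import secrets

# 1024-bit MODP group of RFC 2409/3526: p is a safe prime, p = 2q + 1.
# Used only to keep this toy self-contained; not a production parameter choice.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the quadratic-residue subgroup

def hash_to_group(identifier: str) -> int:
    """Map a citizen identifier into the order-q subgroup (hash, then square)."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big") % P
    return pow(h, 2, P)

def random_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, q-1], always invertible mod q

class BlindPseudonymisationService:
    """Holds one secret key per backend; only ever sees blinded group elements."""
    def __init__(self, backend_names):
        self.keys = {name: random_scalar() for name in backend_names}

    def pseudonymise(self, backend: str, blinded: int):
        # Apply the backend-specific key k and a fresh transit blinding s.
        # s must reach the backend in a form the provider cannot read (e.g. encrypted
        # under the backend's public key); it is modelled here as a separate return value.
        s = random_scalar()
        return pow(blinded, self.keys[backend] * s % Q, P), s

def provider_request(identifier: str, backend: str, service):
    """Healthcare provider: knows the identifier, never learns the pseudonym."""
    r = random_scalar()
    blinded = pow(hash_to_group(identifier), r, P)                # H(id)^r hides id from the service
    response, sealed_s = service.pseudonymise(backend, blinded)    # H(id)^(r*k*s)
    for_backend = pow(response, pow(r, -1, Q), P)                  # H(id)^(k*s): s still masks the pseudonym
    return for_backend, sealed_s

def backend_receive(for_backend: int, sealed_s: int) -> int:
    """Backend: removes the transit blinding and obtains H(id)^k, its own pseudonym."""
    return pow(for_backend, pow(sealed_s, -1, Q), P)

if __name__ == "__main__":
    svc = BlindPseudonymisationService(["prescriptions"])
    msg, s = provider_request("citizen-id-constructed-0001", "prescriptions", svc)  # constructed sample id
    print("backend pseudonym:", hex(backend_receive(msg, s))[:18], "...")
```

The same identifier yields the same backend pseudonym across requests, while the values seen by the provider and by the service differ every time because of the fresh blinding factors.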

Format-Preserving Pseudonymisation
Too often, real personal data are exported from the live environment and imported into test and acceptance environments.
It can indeed be cumbersome to generate well-fitted fake data, especially when business rules are complex and when different applications, managed by different organisations, need to interact with each other.
Using Format-Preserving Encryption, we developed an elegant, lightweight, non-intrusive approach to solve this issue.

Joining & pseudonymising data fragmented over different sources
To unlock insights in domains such as healthcare, fraud detection and evidence-based policy-making, researchers need access to data fragmented over multiple organisations. Although they do not need to know the identity of the individuals involved, they do need access to the individual joined records in order to conduct their research.
In close collaboration with universities, I developed a novel, privacy-friendly, efficient and distributed protocol to solve this. To maximise privacy, each research question results in a new, separate join-and-pseudonymise project.
