3LGM2IHE: Requirements for Data-Protection-Compliant Research Infrastructures—A Systematic Comparison of Theory and Practice-Oriented Implementation

• Abstract
• Introduction
• The TMF Data Protection Guide Supports Medical Research in Germany
• The 3LGM2IHE Project Supports the Planning of Interoperable IT Architectures
• Open Source Tools Help Build Privacy-Compliant Research Infrastructures
• Objectives
• Methods
• Step 1: Categorization of Requirements
• Step 2: Identification of Relationships, Dependencies, and Boundaries
• Step 3: Systematic Extraction of Requirements from the TMF-DP
• Step 4: Exemplary Matching of the Requirements with the TTP Tools
• Results
• (1) Systematized Requirements of the TMF-DP
• (2) Exemplary Comparison of the Identified Requirements with Solutions Established in the Community
• Discussion
• Conclusions
• References

Abstract

Objectives The TMF (Technology, Methods, and Infrastructure for Networked Medical Research) Data Protection Guide (TMF-DP) makes path-breaking recommendations on the subject of data protection in research projects. It includes comprehensive requirements for applications such as patient lists, pseudonymization services, and consent management services. Nevertheless, it lacks a structured, categorized list of requirements for simplified application in research projects and systematic evaluation. The 3LGM2IHE (“Three-layer Graphbased meta model – Integrating the Healthcare Enterprise [IHE] ” ) project is funded by the German Research Foundation (DFG). 3LGM2IHE aims to define modeling paradigms and implement modeling tools for planning health care information systems. In addition, one of the goals is to create and publish 3LGM² information system architecture design patterns (short “design patterns”) for the community as design models in terms of a framework. A structured list of data protection-related requirements based on the TMF-DP is a precondition to integrate functions (3LGM² Domain Layer) and building blocks (3LGM² Logical Tool Layer) in 3LGM² design patterns.

Methods In order to structure the continuous text of the TMF-DP, requirement types were defined in a first step. In a second step, dependencies and delineations of the definitions were identified. In a third step, the requirements from the TMF-DP were systematically extracted. Based on the identified lists of requirements, a fourth step included the comparison of the identified requirements with exemplary open source tools as provided by the “Independent Trusted Third Party of the University Medicine Greifswald” (TTP tools).

Results As a result, four lists of requirements were created, which contain requirements for the “patient list”, the “pseudonymization service”, and the “consent management”, as well as cross-component requirements from the TMF-DP chapter 6 in a structured form. Further to requirements (1), possible variants (2) of implementations (to fulfill a single requirement) and recommendations (3) were identified. A comparison of the requirements lists with the functional scopes of the open source tools E-PIX (record linkage), gPAS (pseudonym management), and gICS (consent management) has shown that these fulfill more than 80% of the requirements.

Conclusions A structured set of data protection-related requirements facilitates a systematic evaluation of implementations with respect to the fulfillment of the TMF-DP guidelines. These re-usable lists provide a decision aid for the selection of suitable tools for new research projects. As a result, these lists form the basis for the development of data protection-related 3LGM² design patterns as part of the 3LGM2IHE project.

Introduction

The TMF Data Protection Guide Supports Medical Research in Germany

The TMF (Technology, Methods, and Infrastructure for Networked Medical Research) “Guidelines for Data Protection in Medical Research Projects” (TMF-DP)[1] deal with the data protection-compliant implementation of medical research projects. The guidelines are acknowledged by the state data protection authorities. Both technical and organizational measures can be derived from the recommendations in the guide. These measures can be supported by variants of software implementations (so-called application systems), e.g. for generating pseudonyms or patient/proband identifiers (PIDs) and for managing consent documents. These application systems can be combined into 3LGM² design patterns, which can be used to create concrete information technology (IT) security concepts for a research project. In particular chapter 6 of the TMF-DP is the subject of further consideration, as it contains requirements for the application systems of a Trusted Third Party (TTP). Nevertheless, it lacks a structured, categorized list of requirements for simplified application in research projects and systematic evaluation.

The 3LGM2IHE Project Supports the Planning of Interoperable IT Architectures

3LGM2IHE (Three-Layer Graph-based Meta Model—Integrating the Healthcare Enterprise) is a Deutsche Forschungsgemeinschaft (DFG)-funded collaborative project (Grant Number BI 1930/2−2, 2019−2022) of the University of Leipzig (Prof. Alfred Winter), Heidelberg University Hospital (Angela Merzweiler), Kiel University (Prof. Bergh), University Medicine Greifswald (UMG; Martin Bialke) and TMF.

In this context 3LGM² represents a modeling paradigm and tool for the planning of information systems in health care, which has been used in teaching and in medical informatics projects for many years.

In the first funding phase (2016–2018) of the 3LGM2IHE project, an approach for modeling information systems via the 3LGM² toolbox and IHE (Integrating the Healthcare Enterprise) was developed.

This concept will now be expanded in the second funding phase (2019–2022) to include suitable design patterns and common IT architectures. The aim is to take into account current technical developments and the requirements of the community (usability, user experience, user acceptance) to significantly simplify the planning of interoperable and low-error IT architectures for medical research projects, also with regard to the topic of data protection.

3LGM² design patterns for data protection demand a 3LGM² Domain Layer (in terms of functions or structured requirements) and 3LGM² Logical Tool Layer (in terms of building blocks or software functionalities).

Open Source Tools Help Build Privacy-Compliant Research Infrastructures

In order to fulfill data protection requirements, modular, practical solutions for the application areas of identity management, pseudonymization, and consent management have been developed, published,[2] and made available to the scientific community free of charge under an open source license (AGPL v3) within the DFG-funded MOSAIC project (Grant Number HO 1937/2−1, 2012−2015) (www.ths-greifswald.de). The resulting tools for identity management and record linkage,[3] administration of pseudonyms (gPAS),[2] and consent management (gICS)[4] are used in numerous projects and in a variety of institutions (National Cohort, German Center for Cardiovascular Research e.V., Medical Faculty of RWTH Aachen,[5] Clinical Cancer Registry MV [Mecklenburg, Western Pomerania], DKMS [German Bone Marrow Donor File], Charité and DFPN [German Research Practice Network], NUM [Network University Medicine]) for the realization of TTP functionalities.[2]

A structured comparison of these TTP tools with the data protection requirements of the TMF-DP has not yet been carried out and forms an essential basis for the development of 3LGM² data protection design patterns. Furthermore, such a comparison could also be helpful as a basis for decision-making for future users and the development of research infrastructures.

Objectives

The goal of the work is to identify and systematize the requirements from the TMF-DP in terms of record linkage, pseudonymization, and consent management. The resulting structured lists of requirements allow a comparison with existing tools. The TMF-DP considers the requirements on a methodological level. It is now interesting to present the coverage of requirements by tools that have emerged in practice and through project experience. Are there discrepancies between requirement-driven software development and the requirements of the TMF-DP concept? Such a comparison was made using the tools of the “Independent Trusted Third Party of the University Medicine Greifswald” (TTP). A purpose of this comparison was to check the coverage of the TMF-DP by the provided function of the TTP tools.

Methods

For structuring the contents of a continuous text, the focus and some definitions concerning the delineations of the extraction have to be defined first.

• What is the goal of the structuring process regarding focus or topic?

• Which facts are to be classified or categorized?

• To which essential facts can the structuring be reduced?

• How can the reader be enabled to easily understand the extracted contents?

The application of these definitions leads to a thematically focused extract, which should be easier and faster to grasp than the original full text. At the same time, this method leads to a loss of information concerning other subject areas that are not in the focus of the current consideration.

In the presented case, the use of a tabular representation is sufficient, as the focus is on extracting enumerable requirements and classifying them into requirement types. The requirements are then assigned to the basic components “ID Management”—consisting of the “Patient List” and the “Pseudonymization Service”—and “Consent Management.”

Step 1: Categorization of Requirements

First of all, the various requirement types were considered in more detail and classified uniformly. This standardization allows distinguishing one textual content from the other in order to achieve the desired systematic structure.

[Table 1] documents all requirement types that could be derived from the TMF-DP.

The systematic structuring of the requirements took into account the requirement types: “solution variant”—hereafter referred to as “variant”—“recommendation,” and functional “requirements.”

Organizational requirements that only involve human-to-human interaction were not taken into account, since they do not specify any requirements for a machine or software implementation. Of course, devices can also be involved in a human-to-human interaction, such as “Person A informs person B,” but person A needs a working telephone for this interaction. In this case, there would actually be a technical requirement, which, however, is outside the functional scope under consideration and does not have to be listed as a condition, because it is a matter of course. Incidentally, the mapping of human-to-human interactions with the 3LGM² tools is quite possible, but rather rarely a modeling goal. Organizational requirements that concern human-to-machine interactions contain requirements for machines or software implementations. These can be described under the requirement type functional requirement.

Methodical requirements do not contain a purely technical description, but describe a method of procedure in general. This category has the character of a guideline and does not result in a technical requirement. Therefore, it is not considered in this publication either.

In the case of functional requirements, a distinction has to be made between the set of requirements that arise as part of an implementation and those that arise from a project. An implementation usually covers requirements from several projects. Requirements arising from a project represent only a subset of the expected requirements of an implementation. A distinction has to therefore to be made between the view of the project and that of the implemented product. In addition, the perspective also influences the prioritization of requirements. The TMF-DP describes, among other things, requirements for TTP implementations that have emerged from a set of well-known projects. This perspective can be interpreted as a specification of product requirements and will be used in the course of the project to compare them with established solutions of the community.

Step 2: Identification of Relationships, Dependencies, and Boundaries

As the terms “function” and “use case” relate to requirements, their meaning and limits have to be specified ([Table 2]).

Both terms are not part of the requirement types. However, a function or several related functions can be rephrased as a requirement. The terms “requirement,” “recommendation,” and “solution variant” can be used again as sub-categorizations. The “use case” is closely tied to the intended use scenario or project. In a project, use cases are defined in order to check the suitability of a software product and to be able to identify necessary enhancements. The use case is composed of several requirements and is therefore not considered separately in the requirements tables.

[Use Case] m → n [Functional Requirements] m → n [Functions].

The following example illustrates two different use cases requiring the same partial function.

• Use case—additional pseudonymization step (“second pseudonymization”) during data export by a transfer unit (use-and-access procedure): by generating application-related “secondary pseudonyms” (PSN2), an accumulation of research data across different research projects is prevented. A “separation of powers” within the transfer unit is not required as part of this pseudonymization step. A transfer unit may have knowledge of the relationship between PSN1 and PSN2.

• Use case—pseudonymization of data from health care for data transfer to research repository: within this pseudonymization step, a “separation of powers” through MDAT (medical data), PSN1, and PID is mandatory.

In both use cases, the “pseudonymization” sub-function works identically. Generic functions would in turn have to support pseudonymization both with (2) and without (1) separation of powers—depending on the use case. These functions may in turn be interpreted as requirements.

Step 3: Systematic Extraction of Requirements from the TMF-DP

Taking into account the definitions and relationships made in steps 1 and 2, the textually described requirements from chapter 6 of the TMF-DP were transformed into a structured, categorized form. The requirements were assigned to the following services.

• Patient list (Record Linkage, short: RL) ([Table 3]).

• Pseudonymization service (PSN) ([Table 4]).

• Consent Management (CM) ([Table 5]).

• Cross-Component (WF) ([Table 6]).

In addition to the systematic extraction of the requirements, the text analysis also documented relevant facts for further work in the 3LGM2IHE project with regard to the creation of design patterns for data protection tools (like E-PIX, gPAS, gICS) and their interaction based on the TMF data protection concepts. In addition, this resulted in review comments with regard to a new edition of the TMF-DP.

Step 4: Exemplary Matching of the Requirements with the TTP Tools

The lists of requirements generated in step 3 were preassessed in an initial assessment by the first author. This was followed by a separate interview with two product managers from the TTP of the UMG. During the interview, the exact content of each requirement was discussed in detail and, if necessary, the wording of the TMF-DP was consulted again. If no specific software configuration was necessary for the evaluation of the degree of fulfillment, the functions were evaluated using the “Live-Demos of the Trusted Third Party tools E-PIX, gICS, and gPAS.”[6]

The consultation identified required support categories that provide information on the degree or type of support provided by the software tools for the respective requirement. Important findings and details were recorded in the requirements tables ([Tables 3]–[6]) (column “Comment”). The documentation was again done separately for the services “patient list,” “pseudonymization service,” and “consent management.”

The matching was made according to the component–product relationships. “ID Management” splits into a patient list (compared with E-PIX for RL) and a pseudonymization service (compared with gPAS for PSN). The component “Consent Management” (CM) is compared with the consent management service gICS.

Results

(1) Systematized Requirements of the TMF-DP

The TMF-DP combines the components “patient list” and “pseudonymization service” into the term “ID Management” (chapter 6.1[1]). Requirements mentioned in connection with “ID Management” were then assigned to both services. An example of this is the management of users and their roles and rights. It is necessary in both components, but should be considered per component (compare [Table 3] [RL−21] and [Table 4] [PSN−25]).

The column “Ref” indicates the respective requirement. The column “Description” briefly specifies the actual requirement. The column “TMF-DP” contains one or more reference(s) to the TMF-DP. The meaning of the column “Requirement Type” is described in [Table 1].

[Table 3] shows the list of requirements for a patient list or record linkage that are derived from the TMF-DP. [Table 4] contains the list of requirements referred to a pseudonymization service. [Table 5] emerged for consent management. Some requirements identified require higher level processing services. These specific requirements are documented in the fourth requirements list ([Table 6]).

(2) Exemplary Comparison of the Identified Requirements with Solutions Established in the Community

The structured lists of requirements from (1) were exemplarily compared with the functional scope of the open source tools E-PIX (record linkage), gPAS (pseudonym management), and gICS (consent management). The question is to what extent these project-driven components fulfill the conceptually developed requirements catalogue of the TMF-DP.

The consultation of TTP employees and developers resulted in the required support level needed for the evaluation of the degree of fulfillment. The relationship in [Table 7] resulted from the comparison of the functions of E-PIX and the requirements for a patient list ([Table 3]). [Table 8] shows the results of the comparison of the functions of gPAS and the requirements for a pseudonymization service ([Table 4]). The assessments in [Table 9] resulted from the comparison of the requirements for consent management and functions of the gICS tool ([Table 5]). This is followed by an evaluation of the functions ([Table 10]) that require cross-component service processing ([Table 6]).

The coverage of TMF-DP requirements by the individual components is shown in [Table 11]. The requirement type “Recommendations” is not listed here, as these are optional requirements. Related “variants” have been considered as one requirement and counted as such.

Discussion

[Table 11] shows an 86.2% coverage of the requirements from the TMF-DP by the TTP tools. [Table 12] lists the unsupported requirements, which account for the remaining 13.8%.

These unfulfilled requirements can be divided into two reasons for nonsupport.

• There has been no such use case from a project so far (affects five requirements).

• Technical or methodical constraints (affects three requirements).

Only one requirement is not supported due to a divergent view of the product owners (RL−11).

The assessment of coverage was purely quantitative. Better than an unweighted quantitative assessment would be a qualitative assessment, i.e., a consideration of the different importance of the individual requirements. This might make it easier to assess the degree of fulfillment and to make a prioritization of requirements.

A qualitative assessment was not the subject of the study and should be considered in a more in-depth analysis in a separate project. This would require a survey of all existing projects that use TTP components. This survey should be conducted individually for each project using a standardized questionnaire and include a prioritization along the lines of “must have” and “nice to have.” This information may then be used to derive a generalized weighting based on experience. In the case of projects at an early stage, in which no TTP-relevant software installations exist yet, one could possibly consult already existing data protection concepts of the project to answer the questionnaire.

It was not always possible to find a comprehensive 1:1 correspondence to the software components for all requirements from the TMF-DP. In such cases, a collaborative consideration based on knowledge and experience was made by the product owners together with the first author. The mentioned components offer functions that go beyond the TMF-DP. The TMF-DP specifies requirements depending on the project circumstances and situation, but does not set any limits on the scope of implementation. In regular operation, further requirements have become relevant, such as support for pseudonym hierarchies, multi-identities, modular consent, and withdrawal management as well as federated record linkage. Such requirements arose after 2014 (publication date of the TMF-DP), for example, by supporting federated implementations between decentralized (site) installations and the central data sharing platform in the Medical Informatics Initiative (MII).[7]

Another example of this is the clearer separation of the term “Identity Management” into “Record Linkage” (TMF-DP: Patient list) and “Pseudonymization Management” (TMF-DP: Pseudonymization Service). The first mentions of this distinction can already be found in the TMF-DP (chapter 6.1). This clearer separation is helpful for a more modularized and generic implementation and for the allocation of personnel and technical areas of responsibility. A separation between the components “Record Linkage,” “Pseudonymization Management,” and “Consent Management” has proven useful in recent years[2] and should be adopted in the revision of the TMF-DP.

When considering the requirements from the TMF-DP on consent management, it is noticeable that the requirements are likely to be incomplete according to current knowledge. After the time of publication (2014), the relevance of managing informed consents increased due to legal developments like the EU General Data Protection Regulation (EU GDPR) and practical reasons. In particular, within the DZHK (German Centre for Cardiovascular Research),[8] requirements for consent management comprise requirements beyond the TMF-DP, amongst others:

• Support in automatically determining the current consent status of a patient.

• Support with quality checks of consents.

• Individualization of modular consent templates.

• Automatic support for consideration of validity dates and validity periods of consent.

Moreover, paperless digital consent management has become much more important since 2014. With regard to a revision of the TMF-DP, it would also make sense to add guidelines that cover recent developments of legal conditions and current project requirements.

It is also becoming apparent that requirements can no longer be covered by a single component ([Table 10]), but that a cross-component service is needed to coordinate the complex workflows. In such a component, project-specific processes and the necessary communication paths can be configured or, if necessary, implemented.[2] This reduces the need for project-specific adaptations of the basic components and their project-specific communication with each other.

Conclusions

We extracted a list from the TMF Data Protection Guide (TMF-DP), a comprehensive reference manual in Germany, where items can be checked off. The list of requirements was applied to assess exemplary software components E-PIX (record linkage), gPAS (pseudonym management), and gICS (consent management), developed in the independent Trusted Third Party in Greifswald (TTP). The assessed software tools meet all basic requirements of the TMF-DP. A few exceptions are documented. However, to further prioritize and weigh the requirements, it is necessary to analyze a sufficiently large number of projects. Requirements that have not yet appeared in the project context can be supported by new or extended functions. The list of requirements is extensive and complex, but more tangible than the continuous text variant of the TMF-DP. This presentation variant is also recommended for a revision of the TMF-DP (planned for 2022) in addition to the continuous text.

The lists of requirements ([Tables 3]–[6]) and the matching lists ([Tables 7]–[10]) support the scientific research community in the design of the data infrastructure and its implementation in research projects.

Users who already use the existing TTP tools feel affirmed in their decision to use suitable tools for a data protection-compliant infrastructure. Interested scientists in new research projects who are looking for software tools are provided with re-usable lists of requirements as well as corresponding software tools (covering these requirements) which can help to comply with the regulations of the EU-GDPR.

The results of the assessment (list of requirements, comparison of the requirements with the exemplary tools) form the basis for follow-up activities within the 3LGM2IHE project. With these results, the preconditions for the development of re-usable data-protection design patterns for 3LGM² have been created. These design patters aim to simplify the modeling of data protection-compliant infrastructures and the documentation of requirements according to the TMF-DP.

Conflict of Interest

None declared.

Acknowledgements

TMF-DP references follow the notation “ch. <chapter> p. <page number> par. <page paragraph> [ opt. pt. <bullet point> ].” The page paragraph count starts with the first complete paragraph on the respective page. The designation “par. 0” stands for a page-crossing paragraph, which already begins on the preceding page, if the actual quotation is however on the page mentioned. The information refers to the German print edition of the TMF-DP.[1] In tables presented here, the citations originally included have been removed from the TMF-DP. An extended version containing the text quotation is available (upon request to the first author).

Statement of Ethical Approval

This research does not require an ethical approval.

• References

• 1 Pommerening K, Drepper J, Helbing K, Ganslandt T. Guideline for Data Protection in Medical Research Projects: TMF's Generic Solutions 2.0. 1st ed. Berlin: ; MVW; 2014
  Google Scholar
• 2 Bialke M, Penndorf P, Wegner T. et al. A workflow-driven approach to integrate generic software modules in a trusted third party. J Transl Med 2015; 13: 176
  CrossrefPubMedGoogle Scholar
• 3 Hampf C, Geidel L, Zerbe N. et al. Assessment of scalability and performance of the record linkage tool E-PIX^® in managing multi-million patients in research projects at a large university hospital in Germany. J Transl Med 2020; 18 (01) 86
  CrossrefPubMedGoogle Scholar
• 4 Rau H, Geidel L, Bialke M. et al. The generic Informed Consent Service gICS^®: implementation and benefits of a modular consent software tool to master the challenge of electronic consent management in research. J Transl Med 2020; 18 (01) 287
  CrossrefPubMedGoogle Scholar
• 5 Volmerg J, Bienzeisler J, Klausen A. et al. The technical principles of the ILEG study – preparing the connection of primary and secondary healthcare data. , at: https://dx.doi.org/10.3205/21gmds034
  PubMedGoogle Scholar
• 6 ths-greifswald.de. Live-demos of the trusted third party tools E-PIX, gICS and gPAS. May 15, 2019. Accessed September 02, 2021, at: https://www.ths-greifswald.de/en/live-demos-of-trusted-third-party-tools/
  PubMedGoogle Scholar
• 7 www.medizininformatik-initiative.de . Medical Informatics Initiative – Strengthening research and advancing healthcare. Accessed December 01, 2021, at: https://www.medizininformatik-initiative.de/en
  PubMedGoogle Scholar
• 8 Hoffmann W, Rienhoff O. Verfahrensbeschreibung und Datenschutzkonzept des Zentralen Datenmanagements des DZHK. Version 1.2, March 24, 2014, at: https://dzhk.de/fileadmin/user_upload/Datenschutzkonzept_des_DZHK.pdf
  PubMedGoogle Scholar

Address for correspondence

Publikationsverlauf

Eingereicht: 16. Februar 2022

Angenommen: 23. September 2022

Accepted Manuscript online:
23. September 2022

Artikel online veröffentlicht:
15. Dezember 2022

© 2022. The Author(s). This is an open access article published by Thieme under the terms of the Creative Commons Attribution-NonDerivative-NonCommercial License, permitting copying and reproduction so long as the original work is given appropriate credit. Contents may not be used for commercial purposes, or adapted, remixed, transformed or built upon. (https://creativecommons.org/licenses/by-nc-nd/4.0/)

Georg Thieme Verlag KG
Rüdigerstraße 14, 70469 Stuttgart, Germany

• References

• 1 Pommerening K, Drepper J, Helbing K, Ganslandt T. Guideline for Data Protection in Medical Research Projects: TMF's Generic Solutions 2.0. 1st ed. Berlin: ; MVW; 2014
  Google Scholar
• 2 Bialke M, Penndorf P, Wegner T. et al. A workflow-driven approach to integrate generic software modules in a trusted third party. J Transl Med 2015; 13: 176
  CrossrefPubMedGoogle Scholar
• 3 Hampf C, Geidel L, Zerbe N. et al. Assessment of scalability and performance of the record linkage tool E-PIX^® in managing multi-million patients in research projects at a large university hospital in Germany. J Transl Med 2020; 18 (01) 86
  CrossrefPubMedGoogle Scholar
• 4 Rau H, Geidel L, Bialke M. et al. The generic Informed Consent Service gICS^®: implementation and benefits of a modular consent software tool to master the challenge of electronic consent management in research. J Transl Med 2020; 18 (01) 287
  CrossrefPubMedGoogle Scholar
• 5 Volmerg J, Bienzeisler J, Klausen A. et al. The technical principles of the ILEG study – preparing the connection of primary and secondary healthcare data. , at: https://dx.doi.org/10.3205/21gmds034
  PubMedGoogle Scholar
• 6 ths-greifswald.de. Live-demos of the trusted third party tools E-PIX, gICS and gPAS. May 15, 2019. Accessed September 02, 2021, at: https://www.ths-greifswald.de/en/live-demos-of-trusted-third-party-tools/
  PubMedGoogle Scholar
• 7 www.medizininformatik-initiative.de . Medical Informatics Initiative – Strengthening research and advancing healthcare. Accessed December 01, 2021, at: https://www.medizininformatik-initiative.de/en
  PubMedGoogle Scholar
• 8 Hoffmann W, Rienhoff O. Verfahrensbeschreibung und Datenschutzkonzept des Zentralen Datenmanagements des DZHK. Version 1.2, March 24, 2014, at: https://dzhk.de/fileadmin/user_upload/Datenschutzkonzept_des_DZHK.pdf
  PubMedGoogle Scholar