. 2015 May 30:15:46.

doi: 10.1186/s12874-015-0038-6.

Privacy preserving probabilistic record linkage (P3RL): a novel method for linking existing health-related data and maintaining participant confidentiality

Kurt Schmidlin¹, Kerri M Clough-Gorr^{2

3}, Adrian Spoerri⁴; SNC study group

Affiliations

¹ Institute of Social and Preventive Medicine (ISPM), University of Bern, Finkenhubelweg 11, CH-3012, Bern, Switzerland. kurt.schmidlin@ispm.unibe.ch.
² Institute of Social and Preventive Medicine (ISPM), University of Bern, Finkenhubelweg 11, CH-3012, Bern, Switzerland. kerri.clough@ispm.unibe.ch.
³ Section of Geriatrics, Boston University Medical Center, 88 East Newton St., Boston, MA, 02118, USA. kerri.clough@ispm.unibe.ch.
⁴ Institute of Social and Preventive Medicine (ISPM), University of Bern, Finkenhubelweg 11, CH-3012, Bern, Switzerland. adrian.spoerri@ispm.unibe.ch.

PMID: 26024886
PMCID: PMC4460842
DOI: 10.1186/s12874-015-0038-6

Privacy preserving probabilistic record linkage (P3RL): a novel method for linking existing health-related data and maintaining participant confidentiality

Kurt Schmidlin et al. BMC Med Res Methodol. 2015.

. 2015 May 30:15:46.

doi: 10.1186/s12874-015-0038-6.

Authors

Kurt Schmidlin¹, Kerri M Clough-Gorr^{2

3}, Adrian Spoerri⁴; SNC study group

Affiliations

¹ Institute of Social and Preventive Medicine (ISPM), University of Bern, Finkenhubelweg 11, CH-3012, Bern, Switzerland. kurt.schmidlin@ispm.unibe.ch.
² Institute of Social and Preventive Medicine (ISPM), University of Bern, Finkenhubelweg 11, CH-3012, Bern, Switzerland. kerri.clough@ispm.unibe.ch.
³ Section of Geriatrics, Boston University Medical Center, 88 East Newton St., Boston, MA, 02118, USA. kerri.clough@ispm.unibe.ch.
⁴ Institute of Social and Preventive Medicine (ISPM), University of Bern, Finkenhubelweg 11, CH-3012, Bern, Switzerland. adrian.spoerri@ispm.unibe.ch.

PMID: 26024886
PMCID: PMC4460842
DOI: 10.1186/s12874-015-0038-6

Abstract

Background: Record linkage of existing individual health care data is an efficient way to answer important epidemiological research questions. Reuse of individual health-related data faces several problems: Either a unique personal identifier, like social security number, is not available or non-unique person identifiable information, like names, are privacy protected and cannot be accessed. A solution to protect privacy in probabilistic record linkages is to encrypt these sensitive information. Unfortunately, encrypted hash codes of two names differ completely if the plain names differ only by a single character. Therefore, standard encryption methods cannot be applied. To overcome these challenges, we developed the Privacy Preserving Probabilistic Record Linkage (P3RL) method.

Methods: In this Privacy Preserving Probabilistic Record Linkage method we apply a three-party protocol, with two sites collecting individual data and an independent trusted linkage center as the third partner. Our method consists of three main steps: pre-processing, encryption and probabilistic record linkage. Data pre-processing and encryption are done at the sites by local personnel. To guarantee similar quality and format of variables and identical encryption procedure at each site, the linkage center generates semi-automated pre-processing and encryption templates. To retrieve information (i.e. data structure) for the creation of templates without ever accessing plain person identifiable information, we introduced a novel method of data masking. Sensitive string variables are encrypted using Bloom filters, which enables calculation of similarity coefficients. For date variables, we developed special encryption procedures to handle the most common date errors. The linkage center performs probabilistic record linkage with encrypted person identifiable information and plain non-sensitive variables.

Results: In this paper we describe step by step how to link existing health-related data using encryption methods to preserve privacy of persons in the study.

Conclusion: Privacy Preserving Probabilistic Record linkage expands record linkage facilities in settings where a unique identifier is unavailable and/or regulations restrict access to the non-unique person identifiable information needed to link existing health-related data sets. Automated pre-processing and encryption fully protect sensitive information ensuring participant confidentiality. This method is suitable not just for epidemiological research but also for any setting with similar challenges.

PubMed Disclaimer

Figures

**Fig. 1**
Basic steps of Privacy Preserving Probabilistic Record Linkage (P3RL)

**Fig. 2**
Flowchart of Privacy Preserving Probabilistic Record Linkage (P3RL) methods

**Fig. 3**
Example of Privacy Preserving Probabilistic Record Linkage (P3RL) masking and shuffling procedures

**Fig. 4**
Example of Privacy Preserving Probabilistic Record Linkage (P3RL) pre-processing data cleaning rules

**Fig. 5**
Example of Bloom filter encryption for surname (bigrams, two hash-functions, Bloom filter length 28 bits)

See this image and copyright information in PMC

Cited by

Age and Cancer Incidence in 5.2 Million People With Human Immunodeficiency Virus (HIV): The South African HIV Cancer Match Study.
Ruffieux Y, Muchengeti M, Olago V, Dhokotera T, Bohlius J, Egger M, Rohner E. Ruffieux Y, et al. Clin Infect Dis. 2023 Apr 17;76(8):1440-1448. doi: 10.1093/cid/ciac925. Clin Infect Dis. 2023. PMID: 36461916 Free PMC article.
Sensing the (digital) pulse. Future steps for improving the secondary use of data for research in Switzerland.
Martani A, Geneviève LD, Wangmo T, Maurer J, Crameri K, Erard F, Spoendlin J, Pauli-Magnus C, Pittet V, Sengstag T, Soldini E, Hirschel B, Borisch B, Kruschel Weber C, Zwahlen M, Elger BS. Martani A, et al. Digit Health. 2023 Apr 20;9:20552076231169826. doi: 10.1177/20552076231169826. eCollection 2023 Jan-Dec. Digit Health. 2023. PMID: 37113255 Free PMC article.
Evaluation of approximate comparison methods on Bloom filters for probabilistic linkage.
Brown AP, Randall SM, Boyd JH, Ferrante AM. Brown AP, et al. Int J Popul Data Sci. 2019 May 23;4(1):1095. doi: 10.23889/ijpds.v4i1.1095. Int J Popul Data Sci. 2019. PMID: 32935029 Free PMC article.
Cohort profile: the South African HIV Cancer Match (SAM) Study, a national population-based cohort.
Muchengeti M, Bartels L, Olago V, Dhokotera T, Chen WC, Spoerri A, Rohner E, Bütikofer L, Ruffieux Y, Singh E, Egger M, Bohlius J. Muchengeti M, et al. BMJ Open. 2022 Apr 11;12(4):e053460. doi: 10.1136/bmjopen-2021-053460. BMJ Open. 2022. PMID: 35410922 Free PMC article.
Record linkage without patient identifiers: Proof of concept using data from South Africa's national HIV program.
Shumba K, Bor J, Nattey C, Gareta D, Lauren E, Macleod W, Fox MP, Puren A, Mlisana K, Onoya D. Shumba K, et al. PLOS Glob Public Health. 2025 Jul 9;5(7):e0004835. doi: 10.1371/journal.pgph.0004835. eCollection 2025. PLOS Glob Public Health. 2025. PMID: 40632720 Free PMC article.

See all "Cited by" articles

References

1. Stark C, MacLeod M, Hall D, O'Brien F, Pelosi A. Mortality after discharge from long-term psychiatric care in Scotland, 1977–94: a retrospective cohort study. BMC Public Health. 2003;3(1):30. doi: 10.1186/1471-2458-3-30. - DOI - PMC - PubMed
1. Alavi M, Law MG, Grebely J, Thein HH, Walter S, Amin J, et al. Lower life expectancy among people with an HCV notification: a population-based linkage study. J Viral Hepat. 2014;21(6):e10–e18. doi: 10.1111/jvh.12245. - DOI - PubMed
1. Wartenberg D, Thompson WD. Privacy versus public health: the impact of current confidentiality rules. Am J Public Health. 2010;100(3):407–412. doi: 10.2105/AJPH.2009.166249. - DOI - PMC - PubMed
1. Detmer DE. Your privacy or your health–will medical privacy legislation stop quality health care? Int J Qual Health Care. 2000;12(1):1–3. doi: 10.1093/intqhc/12.1.1. - DOI - PubMed
1. Jaro MA. Probalistic linkage of large public health data files. Stat Med. 1995;14:491–498. doi: 10.1002/sim.4780140510. - DOI - PubMed

Publication types

Actions

MeSH terms

Actions
Actions
Actions
Actions
Actions
Actions
Actions

LinkOut - more resources

Full Text Sources
Other Literature Sources
- The Lens - Patent Citations Database
- scite Smart Citations

Save citation to file

Email citation

Add to Collections

Add to My Bibliography

Your saved search

Create a file for external citation management software

Your RSS Feed

Privacy preserving probabilistic record linkage (P3RL): a novel method for linking existing health-related data and maintaining participant confidentiality

Affiliations

Privacy preserving probabilistic record linkage (P3RL): a novel method for linking existing health-related data and maintaining participant confidentiality

Authors

Affiliations

Abstract

Figures

Similar articles

Cited by

References

Publication types

MeSH terms

LinkOut - more resources

Full Text Sources

Other Literature Sources

Abstract

Figures

Similar articles

Cited by

References

Publication types

MeSH terms

Related information

LinkOut - more resources

Full Text Sources

Other Literature Sources