Participant Privacy & Confidentiality in Opal
Participant privacy and confidentiality have always been a primary concern for the OBiBa developer teams and OBiBa users. Opal implements a state-of-the-art architecture designed to ensure that participant privacy and data security are fully respected.
Participant Privacy
To ensure participant privacy, data pooling without consent among different organizations must be prevented. In a pioneering 1985 paper, David Chaum stated three general principles to avoid such collusion:
- Each organization must use its own participant identifiers (IDs)
- New specific IDs must be used when exchanging data on participants
- IDs are accessible to a very restricted number of people within an organization
Figure 1 shows how Opal implements these three principles. In summary, Opal automatically generates its own internal participant ID for each new participant created in its database. This internal ID is linked to the other participant IDs used by the external organizations that exchange data with Opal. Only the Opal internal ID is accessible to the study staff members (managers, data analysts, etc.) while they work with the data: Opal stores participant data and the participant IDs in two distinct databases, which allows database administrators to apply very restrictive access policies to the IDs database.
Figure 1: Opal implementation of privacy principles
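The following is an added illustration of the three principles above, not code from Opal or OBiBa: two stores, an identifiers store (the only place an organization's own ID is linked to the internal ID) and a data store keyed by the internal ID alone, plus an export step that re-keys data under IDs specific to the receiving organization. The class and function names, the ID formats, and the sample rows are all constructed for this example.

```python
import secrets


class IdentifiersStore:
    """Identifiers database: the only place where an organization's own
    participant ID is linked to Opal's internal ID. In a real deployment this
    is a separate database with its own restrictive access policy; here it is
    an in-memory mapping constructed for the example."""

    def __init__(self):
        self._by_external = {}  # (organization, external_id) -> opal_id
        self._by_opal = {}      # (organization, opal_id) -> external_id

    def resolve(self, organization, external_id):
        """Return the internal ID linked to an organization's ID, minting a
        new opaque internal ID the first time the pair is seen. The internal
        ID is random, so nothing about the external ID can be recovered from it."""
        key = (organization, external_id)
        if key not in self._by_external:
            opal_id = secrets.token_hex(8)  # 16 hex chars, unrelated to any external ID
            self._by_external[key] = opal_id
            self._by_opal[(organization, opal_id)] = external_id
        return self._by_external[key]

    def exchange_id(self, organization, opal_id):
        """Return the ID under which a participant is known to `organization`,
        minting a new organization-specific ID if none exists yet. Data leaving
        the system is thus keyed neither by the internal ID nor by another
        organization's ID (the ID format below is a constructed placeholder)."""
        key = (organization, opal_id)
        if key not in self._by_opal:
            new_id = f"{organization}-{secrets.token_hex(4)}"
            self._by_opal[key] = new_id
            self._by_external[(organization, new_id)] = opal_id
        return self._by_opal[key]


class DataStore:
    """Participant data database: records are keyed by the internal ID only."""

    def __init__(self):
        self._records = {}  # opal_id -> {variable: value}

    def upsert(self, opal_id, values):
        self._records.setdefault(opal_id, {}).update(values)

    def records(self):
        return {oid: dict(vals) for oid, vals in self._records.items()}


def import_from(ids, data, organization, rows):
    """Ingest rows carrying the sending organization's own ID under 'id':
    the external ID is swapped for the internal ID before anything is stored."""
    for row in rows:
        values = dict(row)
        external_id = values.pop("id")
        data.upsert(ids.resolve(organization, external_id), values)


def analyst_view(data):
    """What study staff work with: internal IDs and values, no external IDs."""
    return data.records()


def export_to(ids, data, organization):
    """Re-key the whole dataset under IDs specific to the receiving organization."""
    return {ids.exchange_id(organization, opal_id): values
            for opal_id, values in data.records().items()}


# Constructed sample data: two organizations sending data on three participants.
BIOBANK_ROWS = [{"id": "BB-001", "age": 52}, {"id": "BB-002", "age": 47}]
LAB_ROWS = [{"id": "L-9", "hdl": 1.4}]


def run_demo():
    ids, data = IdentifiersStore(), DataStore()
    import_from(ids, data, "biobank", BIOBANK_ROWS)
    import_from(ids, data, "lab", LAB_ROWS)
    return ids, data


if __name__ == "__main__":
    ids, data = run_demo()
    print("analyst view:", analyst_view(data))
    print("export to biobank:", export_to(ids, data, "biobank"))
    print("export to registry:", export_to(ids, data, "registry"))
```

The point of the split is that an analyst holding a full copy of `DataStore` learns nothing about which biobank or lab participant a record belongs to; only someone with access to `IdentifiersStore` can make that link, and exporting to a third organization hands out yet another set of IDs rather than reusing anyone else's.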
Confidentiality
Confidentiality is the necessity to protect data from unauthorized access.
Opal includes a comprehensive Public Key Infrastructure (PKI) for organization authentication and data encryption (see Figure 2).
Opal:
- creates a specific private-public key pair for each organization it exchanges data with
- uses the organization-specific private key to automatically decrypt data received from that organization. Decryption is done in memory, so decrypted data files never exist on the file system
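As an added example of the two points above (not Opal's own code or wire format), the block below keeps one RSA key pair per partner organization, lets an organization encrypt a payload with the public key issued to it, and has the receiving side decrypt straight into memory and parse the result without ever writing a clear-text file. It assumes the third-party `cryptography` package; the hybrid scheme (AES-256-GCM content key wrapped with RSA-OAEP), the envelope layout and the sample records are choices made for this example.

```python
import json
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP parameters used to wrap the per-message content key (example choice).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class OrganizationKeyring:
    """Constructed stand-in for a key store: one RSA key pair per partner
    organization. Private keys never leave this object; only the public half
    is handed to the organization."""

    def __init__(self):
        self._private_keys = {}

    def register(self, organization):
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self._private_keys[organization] = key
        return key.public_key().public_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PublicFormat.SubjectPublicKeyInfo,
        )

    def private_key(self, organization):
        return self._private_keys[organization]


def encrypt_for_opal(public_pem, plaintext):
    """Organization side: hybrid encryption. A fresh AES-256-GCM content key
    encrypts the payload and is itself wrapped with the RSA public key issued
    to this organization."""
    public_key = serialization.load_pem_public_key(public_pem)
    content_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(content_key).encrypt(nonce, plaintext, None)
    return {
        "wrapped_key": public_key.encrypt(content_key, OAEP),
        "nonce": nonce,
        "ciphertext": ciphertext,
    }


def decrypt_in_memory(keyring, organization, envelope):
    """Receiving side: unwrap the content key with that organization's private
    key and decrypt straight to a bytes object. The plaintext exists only in
    this process's memory; no temporary file is written."""
    content_key = keyring.private_key(organization).decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(content_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)


def import_records(keyring, organization, envelope):
    """Parse the decrypted bytes directly into records, so the clear data
    never takes a detour through the file system."""
    return json.loads(decrypt_in_memory(keyring, organization, envelope).decode("utf-8"))


# Constructed sample payload an organization would send.
SAMPLE_RECORDS = [{"id": "BB-001", "age": 52}, {"id": "BB-002", "age": 47}]


def run_demo():
    keyring = OrganizationKeyring()
    biobank_pub = keyring.register("biobank")
    keyring.register("lab")
    envelope = encrypt_for_opal(biobank_pub, json.dumps(SAMPLE_RECORDS).encode("utf-8"))
    return keyring, envelope


if __name__ == "__main__":
    keyring, envelope = run_demo()
    print(import_records(keyring, "biobank", envelope))
```

Two properties worth checking when reviewing such a setup: a payload encrypted for one organization cannot be opened with another organization's key (each key pair is specific to its partner), and any modification of the ciphertext is rejected by the GCM authentication tag rather than yielding silently corrupted records.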
