Enhancing Data Protection via Auditable Informational Separation of Powers Between Workflow Engine Based Agents: Conceptualization, Implementation, and First Cross-Institutional Experiences.

German best practice standards for secondary use of patient data require pseudonymization and informational separation of powers assuring that identifying data (IDAT), pseudonyms (PSN), and medical data (MDAT) are never simultaneously knowable by any party involved in data provisioning and use. We describe a solution meeting these requirements based on the dynamic interaction of three software agents: the clinical domain agent (CDA), which processes IDAT and MDAT, the trusted third party agent (TTA), which processes IDAT and PSN, and the research domain agent (RDA), which processes PSN and MDAT and delivers pseudonymized datasets. CDA and RDA implement a distributed workflow by employing an off-the-shelf workflow engine.