Enhancing Data Protection via Auditable Informational Separation of Powers Between Workflow Engine Based Agents: Conceptualization, Implementation, and First Cross-Institutional Experiences.

German best practice standards for secondary use of patient data require pseudonymization and informational separation of powers assuring that identifying data (IDAT), pseudonyms (PSN), and medical data (MDAT) are never simultaneously knowable by any party involved in data provisioning and use. We describe a solution meeting these requirements based on the dynamic interaction of three software agents: the clinical domain agent (CDA), which processes IDAT and MDAT, the trusted third party agent (TTA), which processes IDAT and PSN, and the research domain agent (RDA), which processes PSN and MDAT and delivers pseudonymized datasets. CDA and RDA implement a distributed workflow by employing an off-the-shelf workflow engine. TTA wraps the gPAS framework for pseudonym generation and persistence. All agent interactions are implemented via secured REST-APIs. Rollout to three university hospitals was seamless. The workflow engine allowed meeting various overarching requirements, including auditability of data transfer and pseudonymization, with minimal additional implementation effort. Using a distributed agent architecture based on workflow engine technology thus proved to be an efficient way to meet technical and organizational requirements for provisioning patient data for research purposes in a data protection compliant way.