Anonymisation§
Person identifiable information (PII) must not be uploaded to or stored on the UCL XNAT servers. You need to ensure any data is de-identified before upload.
- If you need to store data with PII, consider using a Data Safe Haven.
XNAT tools and third-party software can assist with certain types of anonymisation; however, there is no general-purpose anonymisation software or process that can detect and fully anonymise all types of PII. Therefore, anonymisation processes have to be designed in a project-specific manner with full understanding of where and how PII is stored in your data.
For this reason, MIRSG require that you appoint a suitable domain expert to review and test your anonymisation processes before you start uploading data to the UCL XNAT servers.
What counts as PII?§
PII includes any data that can be used to help identify an individual, such as name, date of birth, patient number, etc. It also includes data that is not directly identifiable but could be combined with other data to identify an individual (e.g. a postcode). It may include 3D head scans if a surface rendering of the face would be identifiable.
Requirements for on-site anonymisation§
Anonymisation must be performed on-site before the data are uploaded. This is because PII should not leave a clinical site. It is not sufficient for the server to anonymise data when it is received.
The XNAT Desktop Client will anonymise DICOM data on-site on your machine before upload. However, the anonymisation scripts first need to be correctly configured for your project (see below). If you are using a different upload method or non-DICOM data, you will need to implement your own on-site anonymisation method.
Pseudonymisation§
In some studies, it is necessary for subjects to be de-identified to researchers, but for certain clinical members of the research team to be able to re-identify subjects if necessary. This is achieved by maintaining a key file within the clinical site which maps the de-identified subject numbers to real subject identities. The key must not leave the clinical site and must not be accessible to non-clinical researchers. This is known as pseudonymisation. It is generally an acceptable method of de-identification, because the only individuals who can access and use the key are those that already have access to the subject identities on the clinical site.
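A sketch of the key file described above, as an added example that is not XNAT or MIRSG code. The CSV column names, the `SUBJ` prefix and the function names are assumptions; pseudonyms are random rather than derived from the identity, and the key file is created readable by its owner only.

```python
import csv
import os
import secrets
import tempfile

def load_key(path):
    """Read the on-site key file as {real identity: pseudonym}."""
    if not os.path.exists(path):
        return {}
    with open(path, newline="") as fh:
        return {row["identity"]: row["pseudonym"] for row in csv.DictReader(fh)}

def save_key(path, key):
    """Rewrite the key file; a new file is created with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["identity", "pseudonym"])
        writer.writerows(sorted(key.items()))

def pseudonym_for(path, identity, prefix="SUBJ"):
    """Return the subject's pseudonym, creating a random one on first use."""
    key = load_key(path)
    if identity not in key:
        used = set(key.values())
        candidate = f"{prefix}-{secrets.token_hex(4).upper()}"
        while candidate in used:  # retry on the rare collision
            candidate = f"{prefix}-{secrets.token_hex(4).upper()}"
        key[identity] = candidate
        save_key(path, key)
    return key[identity]

def reidentify(path, pseudonym):
    """Clinical-side lookup from a pseudonym back to the real identity."""
    for identity, known in load_key(path).items():
        if known == pseudonym:
            return identity
    return None

if __name__ == "__main__":
    # Constructed identity; the key file lives in a scratch directory here.
    key_path = os.path.join(tempfile.mkdtemp(), "subject_key.csv")
    subject = pseudonym_for(key_path, "constructed-patient-A")
    print(subject, "->", reidentify(key_path, subject))
```

Only the pseudonym is used in data prepared for upload; the key file stays on the clinical site.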
DICOM tag anonymisation§
- See DICOM Supplement 142 for detailed information on clinical trial de-identification.
DICOM images contain embedded metadata in tags, many of which contain PII. Anonymisation involves removing tags which contain PII, or replacing their contents with dummy or anonymous/pseudonymised replacements. Tags that are certain to not contain PII should be retained as they could provide useful metadata for image analysis.
DICOM Anonymisation with XNAT§
XNAT allows you to define an anonymisation script for your project, which can be used with the XNAT Desktop Client. The script is written in the DicomEdit language and describes which DICOM tags are to be removed or modified; you can configure it for your project-specific purposes. The anonymisation is performed locally on your machine by XNAT Desktop Client before the data are sent to the server.
XNAT anonymisation scripts should not be used with zip file upload or the REST API. In those cases you should use an alternative anonymisation method before uploading the data.
How to define a project anonymisation script§
- Navigate to your project (click the Browse drop-down, click My Projects and select your project)
- Select the Manage tab
- Select Anonymization Script
- Enable the Enable Script checkbox
- Enter the DicomEdit script
- Click Save
Warning: XNAT does not check the syntax of your script. Please ensure your script is reviewed and tested with fake data to confirm it works correctly before use.
Alternative DICOM anonymisation methods§
Software such as DicomCleaner, CTP and Horos can be used to anonymise DICOM tags. However, be aware that anonymisation has to be correctly configured and default settings may not fully anonymise the data.
DICOM anonymisation considerations§
You should follow the DICOM standard anonymisation profiles when defining your DicomEdit script or anonymisation configuration. Standard public tags that are known to contain PII should be removed, hashed or replaced.
Tags containing free text fields should generally be removed as they potentially contain PII. These fields could be manually entered by the operator and there is no way of knowing what data was entered. However, useful text fields could be retained if you are certain that your equipment and acquisition protocols prevent PII from being entered into the data fields.
Private tags are non-standard values set by manufacturers. They could contain anything at all, and frequently contain PII. All private tags should be removed, with very specific exceptions if there are well-known manufacturer-specific tags that contain data values you need to retain, and you have certainty they do not contain PII in your data.
PII embedded in pixel data§
Many DICOM images contain PII that are burnt into the pixel data. This is common for example in 2D ultrasound images and videos, and in scout and report images that accompany an image series. These images either have to be deleted or the relevant part of the images must be blocked out by overwriting the image pixels containing the PII.
Unfortunately, for certain types of image it is not always possible to know whether or not the image contains burnt-in PII. There are DICOM metadata tags which provide this information, but these are optional and often not set.
The options to deal with this are:
- Manually review each file of this type;
- Prevent automatic uploading of files of this type;
- Implement a project-specific solution based on your knowledge of your project data.
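The tag considerations and the burnt-in PII problem above can be turned into a check that is run over anonymiser output when testing with fake data. This is an added example, not XNAT code: a DICOM header is modelled as a plain dict, the tag lists are a small subset, and the function name, parameters and sample values are constructed for illustration.

```python
# Added example, not XNAT code. A DICOM header is modelled as a dict of
# {(group, element): value}; the sample values are constructed.

# Standard tags that directly identify a person (small subset; a real
# project takes its list from the DICOM de-identification profiles).
DIRECT_PII = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
}
# Free-text tags that an operator can type anything into.
FREE_TEXT = {
    (0x0008, 0x1030): "StudyDescription",
    (0x0010, 0x4000): "PatientComments",
    (0x0020, 0x4000): "ImageComments",
}
BURNED_IN = (0x0028, 0x0301)  # BurnedInAnnotation: "YES", "NO" or absent

def audit(header, expected, keep_private=frozenset(), keep_text=frozenset()):
    """List residual risks; expected maps a tag to its intended replacement.
    An empty result means nothing was flagged, not that the file is PII-free."""
    findings = []
    for tag, value in header.items():
        label = "({:04X},{:04X})".format(*tag)
        if tag[0] % 2 == 1 and tag not in keep_private:  # odd group = private
            findings.append(f"{label} private tag present")
        elif tag in DIRECT_PII and value not in ("", expected.get(tag, "")):
            findings.append(f"{label} {DIRECT_PII[tag]} not replaced")
        elif tag in FREE_TEXT and tag not in keep_text and value:
            findings.append(f"{label} {FREE_TEXT[tag]} free text retained")
    burned = header.get(BURNED_IN)
    if burned != "NO":  # absent or YES: a person has to look at the pixels
        findings.append(f"(0028,0301) BurnedInAnnotation {burned or 'not set'}")
    return sorted(findings)

EXPECTED = {(0x0010, 0x0010): "SUBJ-0042", (0x0010, 0x0020): "SUBJ-0042"}
SAMPLE = {  # constructed output of a misconfigured anonymiser
    (0x0010, 0x0010): "SUBJ-0042",
    (0x0010, 0x0020): "SUBJ-0042",
    (0x0010, 0x0030): "19700314",
    (0x0008, 0x1030): "Brain MRI, pt J. Smith",
    (0x0029, 0x1010): b"vendor blob",
}
for finding in audit(SAMPLE, EXPECTED):
    print(finding)
```

The `keep_private` and `keep_text` parameters correspond to the narrow exceptions described above: tags you have confirmed cannot carry PII in your data.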
Pixel data anonymisation with XNAT§
The XNAT Desktop Client detects images that need to be reviewed for burnt-in PII and launches the Inspect Images tool, which allows you to interactively define areas to redact as part of the upload process.
Alternative pixel data anonymisation methods§
Software such as DicomCleaner and GIFT-Cloud Uploader also provide pixel data redaction mechanisms.
Skull data and facial recognition§
XNAT does not incorporate built-in default skull stripping. 3D head scans may be recognisable if a surface rendering is performed on the face. You need to assess this risk and implement your own custom processes to mitigate this if necessary.
PII in other data§
Other files and metadata you upload to your project could contain arbitrary content and there is no way for XNAT to know if this contains PII. You will need to assess whether this could contain PII and implement your own custom processes if necessary to remove any PII before uploading to the servers.