Abstract
BACKGROUND: Pseudonymization refers to a process in which data that directly identify individuals, such as names and addresses, are stored separately from data needed for scientific purposes. The connection between both types of data is maintained through a protected link, represented by pseudonyms. This is a central data protection method in translational research, which enables researchers to collect, process, and share data while adhering to "data protection by design and by default" and data minimization best practices. However, integrating pseudonymization into high-throughput data processing workflows is challenging, and open-source solutions are rare. A typical example is the need to pseudonymize millions of electronic health records for secondary use in translational research platforms.

OBJECTIVE: This paper introduces the Advanced Confidentiality Engine (ACE), a highly scalable open-source pseudonymization service focused on creating and managing the protected link between identifying and research data.

METHODS: ACE has been designed to have a lean architecture, consisting of a compact database schema that mimics the design of data warehouses. It is implemented using modern open-source software technologies and provides a Representational State Transfer application programming interface. Among its features are a fine-grained access control mechanism, a domain-based structuring of pseudonyms with attribute inheritance, and a comprehensive audit trail. We performed a structured evaluation to study ACE's scalability under various workload scenarios.

RESULTS: For generating protected links, ACE supports 9 different pseudonymization algorithms, including approaches based on cryptographic primitives and random number generation. Pseudonyms can be encoded using different alphabets that can be combined with check digits. Pseudonyms can be annotated with metadata, such as validity periods, and those properties can be inherited through a hierarchical domain structure. As all information is persisted by ACE, it supports both pseudonymization and depseudonymization, for which access can be controlled individually. Our experiments show that ACE is able to handle around 6000 transactions per second in different workload settings. ACE combines the efficiency of cryptography-based pseudonymization methods with the flexibility of persistence-based approaches.

CONCLUSIONS: ACE is a modern and highly scalable implementation of a pseudonymization service tailored toward the specific requirements in biomedical research. It is available as open-source software. As the space of openly available pseudonymization services is limited, we believe that ACE is valuable to institutions establishing or improving their translational data infrastructure.
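The building blocks named in the abstract (a keyed-hash and a random pseudonym generator, encoding into a chosen alphabet with a check character, a domain hierarchy with inherited attributes, a persisted protected link that makes depseudonymization possible, per-operation access control and an audit trail) are shown together in the following minimal service. This is an added illustration written for this page, not ACE's own code or database schema; the alphabet, the Luhn mod N check character, the 80-bit pseudonym length, the role names and all class and function names are assumptions made here.

```python
"""Added example: a minimal pseudonymization service in the spirit of ACE (not ACE's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed alphabet: digits plus upper-case letters without I, L, O, U (visually
# ambiguous); 32 symbols, so 16 characters carry exactly 80 bits.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
BODY_LEN = 16


def encode(value: int, length: int = BODY_LEN, alphabet: str = ALPHABET) -> str:
    """Fixed-width base-len(alphabet) encoding, most significant symbol first."""
    n, chars = len(alphabet), []
    for _ in range(length):
        value, rem = divmod(value, n)
        chars.append(alphabet[rem])
    return "".join(reversed(chars))


def check_char(body: str, alphabet: str = ALPHABET) -> str:
    """Luhn mod N check character; detects any single-symbol substitution."""
    n, factor, total = len(alphabet), 2, 0
    for ch in reversed(body):
        code = alphabet.index(ch) * factor
        total += code // n + code % n
        factor = 1 if factor == 2 else 2
    return alphabet[(n - total % n) % n]


def verify(token: str, alphabet: str = ALPHABET) -> bool:
    """True if the last character is the correct check character for the rest."""
    return len(token) > 1 and check_char(token[:-1], alphabet) == token[-1]


@dataclass
class Domain:
    """A pseudonym namespace; attributes not set here are inherited from the parent."""
    name: str
    key: bytes                      # per-domain secret; keep it in a KMS/HSM in practice
    parent: Optional["Domain"] = None
    attributes: dict = field(default_factory=dict)

    def attribute(self, name: str):
        d = self
        while d is not None:        # walk up the hierarchy until the attribute is found
            if name in d.attributes:
                return d.attributes[name]
            d = d.parent
        raise KeyError(name)


class PseudonymService:
    def __init__(self):
        self._forward = {}          # (domain, identifier) -> pseudonym
        self._reverse = {}          # (domain, pseudonym) -> identifier (the protected link)
        self.audit = []             # append-only trail of every operation

    def pseudonymize(self, domain: Domain, identifier: str, method: str = "hmac") -> str:
        key = (domain.name, identifier)
        if key in self._forward:    # persistence makes the mapping idempotent
            return self._forward[key]
        while True:
            if method == "hmac":    # deterministic: reproducible from the domain key alone
                digest = hmac.new(domain.key, identifier.encode(), hashlib.sha256).digest()
                value = int.from_bytes(digest[:10], "big")      # 80 bits -> 16 symbols
            elif method == "random":  # unlinkable without the stored mapping
                value = secrets.randbits(80)
            else:
                raise ValueError(method)
            body = encode(value)
            pseudonym = body + check_char(body)
            if (domain.name, pseudonym) not in self._reverse:
                break
            if method == "hmac":    # two identifiers hashing alike must not be silently merged
                raise RuntimeError("HMAC collision in domain " + domain.name)
            # random pseudonym already taken in this domain: draw again
        self._forward[key] = pseudonym
        self._reverse[(domain.name, pseudonym)] = identifier
        self.audit.append(("pseudonymize", domain.name, pseudonym, method))
        return pseudonym

    def depseudonymize(self, domain: Domain, pseudonym: str, role: str) -> str:
        if not verify(pseudonym):   # reject typos before touching the protected link
            raise ValueError("check character mismatch: " + pseudonym)
        if role not in domain.attribute("depseudonymize_roles"):
            self.audit.append(("denied", domain.name, pseudonym, role))
            raise PermissionError(f"{role} may not depseudonymize in {domain.name}")
        identifier = self._reverse[(domain.name, pseudonym)]
        self.audit.append(("depseudonymize", domain.name, pseudonym, role))
        return identifier


if __name__ == "__main__":
    root = Domain("registry", key=secrets.token_bytes(32),
                  attributes={"valid_days": 365, "depseudonymize_roles": {"data-steward"}})
    study = Domain("study-a", key=secrets.token_bytes(32), parent=root)  # inherits both
    svc = PseudonymService()
    p = svc.pseudonymize(study, "patient-0001")
    print(p, verify(p), study.attribute("valid_days"))
    print(svc.depseudonymize(study, p, role="data-steward"))
```

The HMAC method gives the efficiency the abstract attributes to cryptography-based approaches (the same identifier yields the same pseudonym in any instance holding the domain key, so no lookup is needed to pseudonymize), while the random method gives the flexibility of a purely persistence-based link, which can only be reversed through the stored mapping; the service keeps both behind the same reverse table so that depseudonymization is access-controlled and audited in the same way. In a real deployment the domain keys and the reverse table would live in protected storage and the audit list in an append-only log.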