In a joint piece for Digital Health, Paul Affleck – a current member of the Ministry of Defence Research Ethics Committee and a research programme manager at the University of Leeds and GP Dr Imran Khan, explore when health data is anonymous.
Routine healthcare data provides tremendous opportunities for research and improving future care. It is also an area of considerable controversy as demonstrated by the care.data and GP Data for Planning and Research programmes.
The law governing the use of routine healthcare data is complex and, in some areas, open to differing interpretations. Therefore, the Information Commissioner’s Office (ICO) is to be applauded for seeking feedback on its draft anonymisation, pseudonymisation and privacy enhancing technologies guidance.
A crucial point for healthcare researchers is whether data is ‘personal’ (it is data relating to an identified or identifiable individual) and falls under the UK General Data Protection Regulation (UK GDPR). Under the UK GDPR, pseudonymisation does not, in itself, render data anonymous. This is because with the addition of other information (not least the identity of the pseudonyms) individuals can be identified. However, the draft ICO guidance elaborates a concept of “effectively anonymised”. This contends pseudonymous information can be anonymous if the holder of the data does not hold the identity of the pseudonyms and technical and contractual controls are in place to prevent identification of individuals.
The concept of effectively anonymised may well hold appeal for researchers and providers of information because the requirements of the UK GDPR will fall away once the data is no longer judged as personal. However, the concept is problematic. Firstly, the prime driver for the technical and contractual controls is that it is personal information; if it was anonymous information the controls would not be required.
Secondly, it means that data can be both personal and anonymous at the same time (personal data to the body holding the identity of the pseudonyms but not necessarily personal data to other bodies). From the perspective of the data subject this may seem as trying to re-interpret the word anonymous as to remove their UK GDPR rights.
Thirdly, the concept of effectively anonymised may not be compatible with the UK GDPR. The definition of pseudonymisation in UK GDPR article 4(5) mentions technical and organisational measures to prevent identification. Holding the identities of pseudonyms in a different organisation could be simply seen as one of these technical and organisational measures, not as ‘effectively anonymising’ the data. UK GDPR Recital 26 is clear that personal data which has undergone pseudonymisation is still personal data. However, it also says determining if data is identifiable should take account “…of all the means reasonably likely to be used” to identify someone. It could be argued that if the “means” are being limited by technical and contractual measures the data is effectively anonymous. However, it is far from clear that this is what the authors of the UK GDPR intended, especially as the pseudonym link has not been removed, merely controlled.
If the concept of effectively anonymised is compatible with the UK GDPR, it is unclear why it is required. It does not remove the need for contractual and technical controls in the way that rendering data truly anonymous would. Presumably it would simplify information governance procedures and remove the need to make transparency information available to data subjects. Reducing the administrative burden on those charged with managing data should not be dismissed lightly. However, such a move risks removing the protection offered to data subjects under UK GDPR and undermining public trust.
Regardless of whether you would support or oppose the concept of effectively anonymised, it is well worth engaging with the ICO consultation and helping them refine the guidance.
Both authors are writing in a personal capacity but have interests to declare.
Affleck is a member of the Independent Group Advising on the Release of Data (IGARD), the Ministry of Defence Research Ethics Committee, the UK Longitudinal Linkage Collaboration’s Involvement Network and the University of Leeds. He is also a public contributor to the Blood and Transplant Research Unit in Donor Health and Genomics at the University of Cambridge.
Dr Khan is a General Practitioner, a member of IGARD and Deputy Chair of the RCGP Health Informatics Group.