High Court judgment on whether anonymised data are still “personal data”

In an email bulletin I received today from the Administrative Data Liaison Service, there is a very important  bit of news. In the UK we have what I think I am justified in calling the strongest data protection laws anywhere in the world. In particular, there are restrictions on the use of personal data, which means data that identifies an individual or which contains enough information that someone could, with reasonable effort, identify an individual. “Sensitive personal data” are guarded even more closely, for example healthcare data. It has been unclear for a long time what the status is of detailed healthcare data which is then anonymised or made available only in aggregate form. For several years a modus operandi has developed where data are given only as counts of people in various categories, and those containing fewer than 5 are omitted for anonymity. But what if an additional dataset was also provided, which would identify people when taken together with the counts?

In a recent High Court judgment, clear guidance is given for interpreting this. You can read the details here but basically, if dataset A is provided (for example, through a Freedom Of Information request) and individuals cannot be identified from A, but can be identified once dataset B is attached to it, that means dataset A is still truly anonymous. You do not need to (and indeed, under the FOI, public sector agencies may not) withhold A out of fear of theoretical future abuse. And the fact that you, the data controller, can identify patients by attaching other datasets is irrelevant.

This is very timely for the issue of NHS data being available for research. If services are operated by private or voluntary sector organisations, your data will belong to them and you can expect them to want to keep it because data=$$$. Any excuse for keeping it in-house will be difficult for managers to resist once commercial access (a la GPRD) becomes part of their business plan. As I blogged previously, the draft beefed-up NHS Constitution could be the basic standard requiring all NHS-branded services to make data available for research. This clarification of the grey area between the Freedom of Information Act and the Data Protection Act removes one of the barriers to sharing in a partly-privatised service.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s