Successfully anonymising data sets is one of the key challenges facing those who wish to use health data to carry out research in the digital health space. In this article, Fieldfisher lawyers Nuria Pastor and Robert Fett look at the reforms and provisions coming to the table as the Government seeks to update UK regulations.
The UK data protection regulator ("ICO") has recently issued draft guidance on anonymisation that identifies factors to be considered when assessing the effectiveness of measures put in place in order to anonymise a data set. The regulator accepts that 'absolute' anonymisation may not always be achievable, and 'effective anonymisation' would suffice to remove data protection compliance requirements.
Additionally, the UK government has recently published the Data Protection and Digital Information Bill to reform some aspects of data protection in the United Kingdom. New provisions defining the concept of 'identifiable individual' narrow down the interpretation of what is personal data and therefore may make it easier to consider a data set anonymous.
If the UK continues with the reforms as published it would mark a shift in the UK regime, in contrast with equivalent law and guidance in the EU, benefiting the UK digital health industry in a post-Brexit world.
Challenges under the existing regime
The present data protection regime in the UK (and in the EU) provides a wide-ranging definition of personal data.
Whilst personal data can be anonymised to bring it outside the scope of data protection law, there is frequent uncertainty about when personal data can be said to be effectively anonymised.
This is because, under both the GDPR and the UK GDPR, personal data is defined as data relating to a natural person who can be identified "directly or indirectly", and (under the GDPR recitals) account should be taken of "all the means reasonably likely to be used" in order to identify the underlying individual. Regulatory guidance has suggested undertaking a "motivated intruder" test in order to assess the risk of identification from a data set (see below).
These broad definitions have made anonymisation all the more difficult, since organisations must take into account the state of technological advances and external data sources (both publicly and privately available).
The residual risk of identification is often a topic of debate. Regulatory guidance calls for a cautious approach when health data is involved, given its sensitivity and protected status under data protection law.
This uncertainty can hinder innovation, particularly in the health sector.
The processing of health data requires a legal basis and a special category condition. Explicit consent is often used as the legal basis for processing, although both data protection and research industry regulators have advised against it. Obtaining valid consent for data protection compliance purposes in a patient-doctor setting can be challenging where there is a clear imbalance between the data subject and the controller.
Other legal bases and conditions can also be difficult to implement – particularly when research is conducted internationally due to the lack of consistency in how these rules apply across countries.
Data controllers can also find it difficult to handle data subjects' rights requests – for example where a data subject wants to delete information that is highly integrated into a research process.
Of course, if the data was not "personal data", because it had been successfully anonymised, then these issues would not arise.
Making an objective assessment
The ICO's call for views on anonymisation, pseudonymisation and privacy enhancing technologies closes on 16 September 2022. In it, draft guidance makes clear that even where there is a risk of re-identification, controllers and processors can nevertheless carry out an objective assessment to determine whether personal data has been 'effectively anonymised' (i.e. anonymised to such an extent that the risk of re-identification is sufficiently remote). This assessment would take into account factors such as:
- Aggregating data. If records are sufficiently aggregated together (with a large data set) then there is less likelihood of identification.
- Linking. It may be possible to infer a link between two pieces of information within a dataset which leads to some individuals being identified.
- Information security. Having technological and organisational measures to protect anonymous data (as well as personal data) can help reduce the risk of re-identification.
- Context. What is the data? Who is it being shared with? Who else has access to related data? Answering these will help organisations to understand where the risks lie in re-identifying data. Bear in mind that the same data set may be anonymous in the hands of one organisation but not in the hands of another. This is known as the 'whose hands' question.
- Motivated intruder. The motivated intruder is a person who starts without any prior knowledge but wishes to identify an individual from whose personal data the anonymous information is derived. Applying this test would allow the organisation to work out whether the motivated intruder is likely to be successful when trying to identify that data and what resources they would need to do so.
- Agreements or professional obligations. If only a doctor with knowledge of a particular patient would recognise the patient's identity from the anonymised records, this could still enable a conclusion that the data (following a suitable de-identification process) is indeed anonymised.
Establishing an appropriate governance structure can also reduce risks, particularly where the controller has made a serious effort to comply with data protection law and had a genuine reason to believe that the information was not personal data.
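To make the 'aggregating' and 'linking' factors above concrete, the following is an added illustration (not part of this article or of the ICO's draft guidance) that measures how many records in a constructed health extract remain unique on their quasi-identifiers (postcode, sex, age), and how that changes once the data is aggregated into age bands and postcode areas. The sample records and the k_min threshold of 3 are assumptions chosen for the illustration; k-anonymity is used here as a simple stand-in for the fuller objective assessment the guidance describes.

```python
from collections import Counter
from itertools import takewhile

# Constructed sample extract: direct identifiers (name, NHS number) are already removed,
# but quasi-identifiers remain that an external data source could be linked against.
RECORDS = [
    {"postcode": "SW1A", "sex": "F", "age": 34, "diagnosis": "asthma"},
    {"postcode": "SW1A", "sex": "F", "age": 37, "diagnosis": "asthma"},
    {"postcode": "SW3", "sex": "M", "age": 52, "diagnosis": "diabetes"},
    {"postcode": "SW3", "sex": "M", "age": 58, "diagnosis": "hypertension"},
    {"postcode": "SW7", "sex": "M", "age": 55, "diagnosis": "diabetes"},
    {"postcode": "SW7", "sex": "F", "age": 31, "diagnosis": "migraine"},
    {"postcode": "SW1A", "sex": "F", "age": 30, "diagnosis": "asthma"},
    {"postcode": "SW3", "sex": "F", "age": 39, "diagnosis": "migraine"},
]

# Fields an outside party could plausibly know about a person (the 'linking' factor).
QUASI_IDENTIFIERS = ("postcode", "sex", "age")


def equivalence_classes(records, keys):
    """Group records that share the same quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def assess(records, keys, k_min=3):
    """Return the smallest class size (k-anonymity), the number of records that are
    unique on the keys, and whether the assumed k_min threshold is met."""
    classes = equivalence_classes(records, keys)
    unique = sum(1 for n in classes.values() if n == 1)
    k = min(classes.values())
    return {"k": k, "unique_records": unique, "meets_threshold": k >= k_min}


def generalise(record, age_band=10, postcode_area_only=True):
    """Aggregate one record: band the age and reduce the outward postcode to its letters."""
    lo = record["age"] // age_band * age_band
    out = dict(record, age=f"{lo}-{lo + age_band - 1}")
    if postcode_area_only:
        out["postcode"] = "".join(takewhile(str.isalpha, record["postcode"]))
    return out


if __name__ == "__main__":
    print("raw:", assess(RECORDS, QUASI_IDENTIFIERS))
    banded = [generalise(r, postcode_area_only=False) for r in RECORDS]
    print("age banded only:", assess(banded, QUASI_IDENTIFIERS))
    aggregated = [generalise(r) for r in RECORDS]
    print("age banded + postcode area:", assess(aggregated, QUASI_IDENTIFIERS))
```

On this sample every raw record is unique, banding age alone still leaves three unique records, and only banding plus postcode-area aggregation reaches k = 3; the point is that each generalisation step has to be checked against the data rather than assumed to be enough.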
Change is afoot
The UK has proposed amendments to UK data protection law through the Data Protection and Digital Information Bill, which is currently before Parliament. If passed, the proposed changes to the definition of "personal data" could improve the UK position even further for those trying to successfully anonymise personal data by, for example, fleshing out and expanding the motivated intruder test.
If passed in its current form, this would allow organisations to consider the availability of the information (for example due to the organisation's technical and organisational security measures or even contractual restrictions) as a factor when assessing whether individuals may be identifiable from a data set.
Of course, the bill is not yet law, and may well be amended as it proceeds through Parliament. In any event, the UK has already made some headway, with the draft ICO guidance noted above, in improving the position for those processing potentially anonymised data.
Getting ahead of the game
The proposed reforms to the definition of "personal data" outlined in the Bill have the potential to make anonymisation of health data slightly more achievable, and would therefore take an organisation's processing of that anonymised data outside of the UK's data protection regime.
Even before the proposed reforms are enacted, organisations can still consider the extent to which the health data they are processing can effectively be said to be anonymised in light of the updated regulatory guidance. In order to meet their accountability obligations under data protection law, and to manage their exposure to questions from customers, data partners and regulators, organisations should also consider undertaking an Anonymisation Risk Assessment to justify their conclusions.