Consent and anonymisation: beware binary constructions
Consent and anonymisation: beware binary constructions
Authors: Edward S. Dove* and Graeme T. Laurie
JK Mason Institute for Medicine, Life Sciences and the Law, School of Law, University of Edinburgh, United Kingdom.
*Correspondence to: Edward S. Dove, email: email@example.com
We thank El Emam and colleagues for describing key concepts and principles for anonymising health data (particularly individual patient data) in such a way that retains their utility for health research.1 Beneficially, the authors describe and show how anonymisation is not a Sisyphean task (or a failure2) for much health data, and that robust standards and guidance exist that can help data custodians sufficiently protect data while promoting the use of data for various research purposes. We agree wholeheartedly that anonymisation can, depending on context, serve to meet both of these ends. However, we wish to nuance a couple of the points El Emam and colleagues make in the context of European data protection law.
First, we desire to expand on the statement (apparently stemming from the recent, admittedly ambiguous, Article 29 Data Protection Working Party report on anonymisation techniques3 as well as earlier commentary4) that, ‘In most jurisdictions, including the European Union, anonymisation is considered a permitted use. This means that it is not necessary to obtain patient consent to anonymise the data.’1 Anonymisation, which we take to signify a process performed on personal data (thus making the personal data no longer identifiable), is categorically distinct from anonymous data, which we take to signify a status of data, namely data that never were identifiable. This is a crucial distinction because it means that as per Recital 26 of the EU Data Protection Directive, the processing of personal data for the purposes of achieving anonymisation (i.e. the rendering of personal data to an anonymised state) remains subject to data protection laws because prior to the completion of this process, the data are still personal. In data protection terms, it is ‘further processing’.
Further consequences are that there must be a legitimate basis for anonymisation of personal data on any of the grounds mentioned in Article 8(2) of the Data Protection Directive (including the data controller’s legitimate interests). Additionally, the data quality principles of Article 6 of the Directive must be satisfied, as must Articles 10 and 11, which require data custodians to inform patients (subject to exemption) of the purposes of anonymisation and its effects, and their right to object to processing (Article 14). Even if anonymisation is ‘compatible with the original purposes of the processing’ as the 2014 Working Party report opines,3 this satisfies only the principle of data quality (Article 6), not a basis for making further processing of patient data lawful (Article 8), nor the obligations under Articles 10, 11 and 14. In other words, satisfying Article 6 does not absolve a data custodian of his other data protection obligations. European data protection laws offer an array of legitimate bases for processing data – of which consent is only one – but the point remains: a legitimate basis must be afforded. Anonymisation of individual patient data in Europe cannot proceed absent authorization under the law. Thus, while it is arguably correct that consent may not be needed to anonymise individual patient data (though even this is debatable under European Court of Human Rights jurisprudence, which suggests any further processing of health data requires consent5), some legitimate basis under the law is needed. As Deryck Beyleveld and David Townend note, ‘the only times that data rendered non-personal can be said to be beyond the scope of the principles of protection is where the data no longer has a history that can link it to an identifiable data controller who obtained the personal source data from the data subject or where it is known that the source data was given for unlimited purposes.’6
This brings us to our second point. The two legal mechanisms El Emam and colleagues highlight that would permit data custodians to share patient data for secondary purposes (absent an exemption in the law), namely consent and anonymisation, should not be treated as a legal binary nor as a necessary and sufficient condition for ethical health research. Individual patient data that been anonymised does not absolve data custodians (and data users generally) from their legal obligations for all time coming, and equally it does not absolve them from ethical obligations. As anonymisation is a process and not a status, it impels researchers to consider how uses of these data may impact on the interests or sensibilities of patients and their connected others (e.g. family and community members) across time. Law does not provide guidance here; the law permits certain uses of anonymised data, but it does sufficiently guide us how they should be used. As the recent Nuffield Council on Bioethics report aptly remarks, ‘[c]ompliance with the law cannot guarantee that a use of data is morally acceptable. Faced with contemporary data science and the richness of the data environment, protection of privacy cannot reliably be secured merely by anonymisation of data or by using data in accordance with the consent from “data subjects”. Effective governance of the use of data is indispensable.’7 Thus, researchers must always ask what privacy norms are engaged by use of data, including whether anonymisation is appropriate, whether ostensibly anonymised data can re-become identifiable, and who will have access to the data and for what purposes. Deryck Beyleveld notes that as privacy is a subjective notion that broadly defined can include a right to know for oneself the personal implications of research, anonymisation can violate privacy rather than protect it.8 These observations require us to look beyond the ‘consent or anonymise’ paradigm, to understand that additional controls on data, such as data access and follow-on use restrictions, implicate both administrative and technical aspects and are vital for effective information governance.9
El Emam and colleagues have made a fine contribution to the literature about the benefits of anonymisation and sharing of individual patient data. But it behoves us to be cognizant that the binary construction of ‘consent or anonymise’ is more rhetoric than reality, and that our ethical and legal obligations owed to patients must always reach beyond the narrow confines of a consent form or a technical process. These are enduring obligations that persist as long as the data have value, which is to say, until they are extinguished.
1. El Emam K, Rodgers S, Malin B. Anonymising and sharing individual patient data. BMJ 2015;350:h1139.
2. Ohm P. Broken promises of privacy: responding to the surprising failure of anonymization. UCLA Law Rev 2010;57:1701–1777.
3. Article 29 Data Protection Working Party, Opinion 05/2014 on anonymisation techniques, 10 April 2014.
4. El Emam K, Álvarez C. A critical appraisal of the Article 29 Working Party Opinion 05/2014 on data anonymization techniques. Int Data Privacy Law 2015;5:73–87.
5. M.S. v. Sweden (1997) 28 EHRR 313, paras 34–35.
6. Beyleveld D, Townend DMR. When is personal data rendered anonymous? Interpreting Recital 26 of Directive 95/46/EC. Med Law Int 2004;6:73–86.
7. Nuffield Council on Bioethics, The collection, linking and use of data in biomedical research and health care: ethical issues. Nuffield Council on Bioethics, 2015.
8. Beyleveld D. Privacy, confidentiality and data protection. In Chadwick R, Ten Have H, and Meslin EM (eds) The SAGE handbook of health care ethics: core and emerging issues. SAGE, 2011:95–105.
9. Council of Canadian Academies, The Expert Panel on Timely Access to Health and Social Data for Health Research and Health System Innovation, Accessing health and health-related data in Canada. Council of Canadian Academies, 2015.
Competing interests: No competing interests