Processing Anonymous Data

April 30, 1998

Traditionally, processors of anonymous or anonymised data have been able to go about their business without having to worry about obligations which apply to the use of “personal data”.1 This approach actually predated the Data Protection Act 1998 (DPA) (and was not thought to have been affected by the DPA’s introduction) as those familiar with the comments of the Court of Appeal in the Source Informatics case2 will remember.

However, the new guidelines issued by the UK Information Commissioner3 now suggest instead that, in certain situations, data controllers are going to have to start taking the DPA into account even where the data they are processing is anonymous.

The Source Informatics case

In the Source Informatics case, the UK Court of Appeal considered whether the anonymisation of data, and the disclosure of those anonymised data, came within the ambit of EU Directive 94/56/EC (not implemented in the UK at the time, but implemented now by the DPA). It held that it did not.

In 1997, Source Informatics Ltd launched a service to supply pharmaceutical companies with data indicating the prescribing patterns of GPs. To do this, it first had to obtain the raw data which was then aggregated so that it could be passed on to Source Informatics’ customers in a form useful to them.

The raw data was collated from prescription forms completed by doctors and handed over to pharmacists by patients. The pharmacists then added the data to their own databases. Source Informatics was not interested in the names or identities of individual patients but rather the additional information on the prescriptions. It therefore provided the pharmacists with software which enabled them to anonymise their database by downloading only that information which did not identify any individuals and pass on the anonymised data to Source Informatics in return for a fee.

The Department of Health advised health authorities that confidentiality obligations prohibited disclosure of this information, even though it was anonymous, without the consent of the patient or doctor who had originally provided it. Source Informatics appealed to the Court of Appeal for a declaration that the Department of Health’s guidance was wrong in law. Although the application did not address data protection directly, this issue was addressed as part of the case.

Considering whether either disclosure or anonymisation breached the terms of the Directive, the Court of Appeal looked at the wording of the Directive, which states that:

“Member states shall prohibit ... the processing of data concerning health ... [unless] the data subject has given his consent to the processing of those data ... [or] the processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional [which the parties agreed included a pharmacist].”

In addition, Recital 26 of the Directive provides that “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable”. Recital 26 goes on to state “Codes of conduct within the meaning of Article 27 [of the Directive] may be a [sic] useful instrument for providing guidance as to the ways in which data may be rendered anonymous”.4

In its comments, the Court agreed that:

“the Directive can have no more application to the operation of anonymising data than to the use or disclosure of anonymous data (which ... by definition are not “personal data” and to which, therefore, ... the Directive has no application)”.

Relying on the wording in Recital 26, it held that the process contemplated in this case probably fell outside the scope of the Directive.

So what’s new?

In the authors’ views, the DPA definition of “processing” includes the process of anonymisation. The UK Commissioner’s latest data protection guidance contains a specific section on dealing with the anonymisation of data in which she says:

“In anonymising personal data the data controller will be processing such data and, in respect of such processing, will still need to comply with the provisions of the Act.”

She adds:

“true anonymisation may be difficult to achieve in practice ... because the data controller may retain the original data set from which the personal identifiers have been stripped to create the “anonymised” data. The fact that the data controller is in possession of this data set which, if linked to the data which have been stripped of all personal identifiers, will enable a living individual to be identified, means that all the data, including the data stripped of personal identifiers, remain personal data in the hands of the data controller and cannot be said to have been anonymised. The fact that the data controller may have no intention of linking these two data sets is immaterial.”

If this is the case, the data in an anonymised database may still qualify as “personal data” if the data controller also holds the pre-anonymised version of the database and could therefore effectively reverse-engineer the anonymised version using the original.

By applying the above definition and the UK Commissioner’s comments, it is difficult to argue that the pharmacists’ actions in the Source Informatics case would no longer be interpreted by a court as “processing” under the DPA. It seems more likely that the UK Commissioner would expect both the use of the software to anonymise data, as in the Source Informatics case, and the anonymised data itself if kept by the pharmacists, to be regulated.

If this is correct then, under the current law according to today’s guidelines, both the pharmacists’ use of the source software and disclosure of the anonymised data to Source Informatics would be contrary to the DPA, unless either the patients had given their consent, or one of the other DPA Schedule 2 pre-conditions or any exemptions under the Act applied.

The words quoted from Recital 26 above indicate that the legislators who drew up the Data Protection Directive may already have had such a potential problem in mind and that some anonymisation at least was intended to remain legal.

From the point of view of the data subjects whose personal data are being anonymised, there will be no disclosure to a third party in the process of anonymisation. Afterwards, there will be a disclosure but, if properly anonymised and unrelated to other information which could identify living individuals, the data will not be personal data because the disclosure will not identify any data subjects.

One solution would be to issue a code of practice which would permit data anonymisers to continue to operate as long as they did not harm or prejudice the rights, freedoms or legitimate interests of living individuals.

The authors believe that due consideration should also be given to Schedule 1, Part II to, and s 33 of, the DPA in relation to the anonymisation process.

Schedule 1, Part II could be applied in relation to the First Data Protection principle, according to which personal data shall be processed “fairly and lawfully”.

“Lawful” processing clearly includes processing in accordance with the principles of the Source Informatics case in relation to confidential data. “Fair” processing requires the data subjects to be notified of certain information in relation to the processing, but there is an exception where “the provision of that information would involve a disproportionate effort”.5 “Fair” processing also includes meeting one of the conditions in Schedule 2 which, in the case of personal data which are not sensitive, allows for processing where it is:

“necessary for the purposes of legitimate interests pursued by the data controller ... except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.6

Conclusion

The issue of exactly how anonymous data may be processed arises not only in the UK but throughout the EU. Therefore, it is vital that practitioners carefully examine their enabling legislation to see whether or not exemptions will apply. In the UK, for example, they would be wise to examine the “disproportionate effort” and “legitimate interests” exemptions. Furthermore, the data protection commissioners could also do well to consider introducing a code of practice as was originally envisaged by Directive 94/56/EC years ago.

The authors are a partner and solicitor at Field Fisher Waterhouse, London. They can be contacted at ndw@ffwlaw.com or mjt@ffwlaw.com.

1. As defined in the DPA 1998, s. 1(1).

2. R v Secretary of State for the Department of Health, ex parte Source Informatics (21 December 1999).

3. See http://www.dataprotection.gov.uk/dpr/dpdoc.nsf for complete text.

4. As far as the authors are aware, no such code of conduct is available.

5. Paragraph 3(2)(a) of Part II of Schedule 1 to the DPA.

6. Paragraph 6(1) of Schedule 2 to the DPA.
