Anonymising information for medical research purposes

Keeping people anonymous is a real hurdle for those carrying out clinical research. In efforts to illuminate and address this matter, the Medical Research Council (MRC) – part of UK Research and Innovation – recently published guidance on identifiability and anonymisation.

Although the support and development of said guidance happened with the Information Commissioner Office’s aid (ICO), it is not ICO-approved. With this in mind, organisations should be careful and not rely solely on the guidance criteria.

Identifiability of information 

Data is either recognised as ‘personal data’ (subject to the General Data Protection Regulation 2016/679 (GDPR)) or ‘anonymised data’ (outside the range of the GDPR). However, identifiability is a complicated matter.

The guidance recognises that achieving total anonymity of person-level information may be impossible and, that virtually no person-level information, valuable enough to be useful for research, could be considered fully anonymous.

The MRC claims that it’s possible to anonymise personal data for research purposes without being subject to GDPR. For this to happen, organisations involved in clinical research should:

  • Exclude all real-world identifiers from the information -pseudonymisation.
  • Use different techniques, such as Barnardisation to limit ANY potential identifiability of the information remaining.

Additionally, the control of the context of how others will view the information is also essential, and the following steps should occur:

  • Ensuring that data recipients have no access to the pseudonymisation codes used and that they hold no other information which could aid identification – such as data
  • Necessary controls MUST be set to limit the risk of re-identification attempts by information recipients- a criminal offence under the Data Protection Act 2018.

So, while the MRC has acknowledged that it’s possible to anonymise personal data, MANY respectful steps must be taken, being incredibly mindful of the content and context of the information.

It’s worth noting that the European Data Protection Board’s (EDPB) and the ICO’s traditional (pre-GDPR) standards for anonymisation are somewhat higher than those of the MRC and, therefore, institutions and organisations should view the guidance carefully and be aware that following it carries a risk.

If you need any further clarification, advice, guidance or training, please contact the specialists here at the Griffin House Consultancy or call us on +44 (0)1673 88 55 33.

How breaching GDPR is all too easy

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.










This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.