Anonymising information for medical research purposes
7th January 2020
Keeping people anonymous is a real hurdle for those carrying out clinical research. In efforts to illuminate and address this matter, the Medical Research Council (MRC) – part of UK Research and Innovation – recently published guidance on identifiability and anonymisation.
Identifiability of information
Data is either recognised as ‘personal data’ (subject to the General Data Protection Regulation 2016/679 (GDPR)) or ‘anonymised data’ (outside the scope of the GDPR). However, identifiability is a complicated matter.
The guidance recognises that achieving total anonymity of person-level information may be impossible, and that virtually no person-level information valuable enough to be useful for research could be considered fully anonymous.
The MRC claims that it’s possible to anonymise personal data for research purposes without being subject to GDPR. For this to happen, organisations involved in clinical research should:
- Exclude all real-world identifiers from the information – pseudonymisation.
- Use different techniques, such as Barnardisation, to limit ANY potential identifiability of the information remaining.
Additionally, controlling the context in which others will view the information is also essential, and the following steps should occur:
- Ensuring that data recipients have no access to the pseudonymisation codes used and that they hold no other information which could aid identification – such as data information.
- Necessary controls MUST be set to limit the risk of re-identification attempts by information recipients – a criminal offence under the Data Protection Act 2018.
It’s worth noting that the European Data Protection Board’s (EDPB) and the ICO’s traditional (pre-GDPR) standards for anonymisation are somewhat higher than those of the MRC and, therefore, institutions and organisations should view the guidance carefully and be aware that following it carries a risk.