Review of a recent UK Freedom of Information decision about the anonymisation of patient data from clinical trials. In the UK, clinical trial data may be disclosable under FOI law if there is a public authority (such as a university or NHS trust) involved. This is a good example of the UK Information Commissioner (supported by the First Tier Tribunal) taking a practical approach to the anonymisation of personal data.
In a recent UK Freedom of Information case, a Tribunal has looked at when patient data from clinical trials is considered anonymised enough that it’s no longer ‘personal data’. The Tribunal confirmed that the test is whether the risk of identifying an individual person from the data is more than remote.
For those in the healthcare and pharmaceutical industry, this case is interesting because (i) it’s a reminder that in the UK, clinical trial data may be disclosable under the Freedom of Information Act 2000 if a public authority (like a university) is involved; and (ii) it confirms the UK Information Commissioner’s pragmatic approach to the anonymising of patient data from clinical trials – that’s good news for those wanting to manipulate anonymised data without being restricted by the Data Protection Act 1998.
Facts of the case
The Information Commissioner had ordered Queen Mary University London to disclose patient data from a trial on chronic fatigue syndrome under the Freedom of Information Act. The Tribunal reviewed this decision.
QMUL ran several arguments but the one the Tribunal most struggled with was whether the data had been anonymised enough that it should no longer be considered personal data. If so, it would likely be disclosable under FOIA. If the data was not sufficiently anonymised, it would still be ‘personal data’ and would therefore have to be withheld from disclosure.
Although the Tribunal was split in its decision, the majority was in favour of upholding the Information Commissioner’s decision that the data had been adequately anonymised. QMUL was therefore ordered to disclose it.
Key points of interest
- The Tribunal confirmed ICO guidance that anonymisation doesn’t need to be completely risk-free, but the risk of identification must be mitigated until it is remote.
- It was important that the data contained no fixed or direct identifiers, e.g. names, addresses, postcodes.
- Even though the data sought was ‘one row per one trial participant’, the Tribunal concluded that anonymisation was still possible.
- When looking at the risk of identification from anonymised data, generic references to social media and non-specific assertions that there is ‘so much information out there’ are not sufficient to change the balance of risk from ‘remote’.
- Although the trial had been criticised, and there were so-called ‘activists’ who wanted to contact trial participants, there was no evidence that this would increase the risk of identification from ‘remote’.
- There was no evidence that a third party, alone, could identify participants. The evidence showed that identification would be possible by combining the patient data with NHS data, but this would have involved an NHS employee breaching professional, legal and ethical obligations, and having the skill and motivation to do so. This level of conjecture was considered remote. It is not ‘any conceivable means of identification’ that must be considered, but only ‘those reasonably likely to be used’. We ‘must consider whether any individual is reasonably likely to have the means and the skill to identify any participant and also whether they are reasonably likely to use those skills for that purpose’.