UK: Patient data-sharing may not take account of anonymisation concerns
Earlier this week the Government announced proposals (40-page / 2.1MB PDF) to change the NHS Constitution so that information stored about patients would be automatically shared with life sciences researchers via a new anonymised database unless patients elect for their details not to be included.
While welcomed by the life sciences industry as a boost to research, the proposals raised concerns about the use of patient data.[…]
“Let me be clear, this does not threaten privacy, it doesn’t mean anyone can look at your health records, but it does mean using anonymous data to make new medical breakthroughs,” Cameron said in a speech detailing the Government’s plans, according to a report by the BBC.
Mr. Cameron may firmly believe that, but studies on re-identifying supposedly “anonymized” data make it clear that data are often not as “anonymized” as one might think or home when the data are combined with other data often readily available in public databases.
The article also quotes Paul Ohm, who has been instrumental of increasing awareness about the risks of relying on “anonymization:”
Academic Paul Ohm, Associate Professor at University of Colorado Law School, told Out-Law.com in 2009 that research had shown that it is possible to use anonymised data to identify individuals. He said at the time that misplaced trust in anonymisation had been enshrined in privacy legislation.
“Virtually every privacy law allows you to escape the strictures and requirements of the privacy law completely once you’ve anonymised your data,” he said. “Every policy maker who has ever encountered a privacy law, and that’s in every country on earth, will need to re-examine the core assumptions they made when they wrote that law.”
Ohm said at the time that, in some fields of research such as health, it would be possible to open up much more data than is currently permitted as long as access to the information was controlled.
“We can’t trust technology any more but at the same time we don’t want to keep this information from researchers. So my solution is that we shift our trust from the technology to the people,” he said. “We write down the rules of trust among health researchers … [we say] you can get my data but only on a need to know basis,” he said.
Read more on Out-Law.com
Part of determining trustworthiness of a research clearly needs to be assessing their security and privacy protections, as the researcher may be professionally trustworthy, but if they outsource their database security to another party, well….