In a recent case of March 2019, the First-tier Tribunal took a well-balanced stance when asked to determine whether anonymised clinical trial data are actually identifiable and to specify the criteria of truly anonymous data. In a case involving the Freedom of Information Act (FOIA) requests in relation to anonymised clinical trial data, the Court differentiated from the position of the Information Commissioner’s Office (ICO) and the data controller and held that identifiability must be evidence-supported and not educated guesswork. In this article, we are looking at the reasoning of the Court before extracting the key messages that data controllers should take into account when considering whether they hold personal or anonymous data.
Key facts and legal considerations
The requester, Mr Peters, suffers from chronic fatigue syndrome and had made a number of FOIA requests in relation to research regarding his condition to check the validity of this research. The University rejected his request on the grounds that the requested information was personal data of third parties foreclosed from disclosure under the FOI Act 2000. The University, and later the ICO, argued that although the data of the research participants had been anonymised, individuals could be identified.
In fact, the research covered 100 schoolchildren aged 12-18 in a very limited geographical area. The unusually low attendance records associated with the requester’s condition would enable a match to be made with age and gender in the trial data. The ICO applied her ‘motivated intruder’ test and considered that it is ‘more than remote and reasonably likely that individual children could be identified by combining this information …. with information from other sources, such as school attendance records,’…‘online blogs and forums’. A ‘motivated intruder’ is a determined person, without any prior or expert knowledge, but who wishes to identify the individual and will take all reasonable steps to do so. The motivated intruder is similar to an investigative journalist but without specialist equipment. Moreover, neither the research participants nor their parents had consented to the release of this data. For this reason, the ICO also argued that such data sharing would breach the principle of fairness.
Mr Peters appealed the ICO decision. The Court first acknowledged that the clinical trial data in question was anonymous data and then examined whether individuals were identifiable, considering all reasonable means likely to be used either by the controller or by another person to identify the natural person directly or indirectly.
The Court held that the requester could not be considered a ‘motivated intruder’ since all he wanted was access to raw data for research purposes and not for identifying individuals. Then, it continued with considering whether there was a reasonable likelihood of re-identification based on the balance of probabilities standard. The Court disagreed with the ICO and said that educated guesswork was insufficient and re-identification of the participants was not possible. It added that there is no need to be certain that the release of the requested information could not lead to the re-identification of the research participants. On the contrary, the University should have explained how the ‘motivated intruder’ could access confidential school attendance records and what investigative techniques a motivated intruder would employ. It was not clear either how children could be identified from these records since the records would not indicate whether the child participated in the research. However, the Court held that was this data personal, the disclosure of the requested data would infringe on the principle of fairness.
This decision is of great interest in a period where organisations tend to collect, combine and match personal data more than is necessary and automate the processing with technological means. The Court acknowledged that it is not possible to exclude the risk of re-identification in a world where personal information is constantly being aggregated. As Purtova puts it ‘the intensive compliance regime of the General Data Protection Regulation (GDPR) will become ‘the law of everything’, where distinguishing personal and non-personal may be impractical or impossible if standards are disproportionate or inapplicable.
It is left to be seen, though, how this approach could be applied under the higher standards of Article 29 Data Protection Working Party (A29WP). AW9WP in its Opinion held that anonymisation should irreversibly prevent identification so that re-identification is reasonably impossible. This case makes it clear that even if anonymisation is used on the core data, the wider context in which the data set sits must be considered.
The GDPR and the Data Protection Acts of Ireland and the UK do not specify how this process should or could be performed, but the focus is on the outcome, i.e., data should be such as not to allow the data subject to be identified via all likely and reasonable means.
Therefore, organisations should be vigilant and remember that if information qualifies as personal data then specific obligations arise under data protection law, such as having privacy notices, retention and destruction policies and records of processing in place. Most importantly, organisations should be aware of the types of information they hold and keep an information asset register. Regular context-specific tests should be also conducted to check the accuracy, integrity and confidentiality of information held and whether this remains personal or anonymous data.
Trilateral’s advisors can assist with mapping the information you hold and with conducting the necessary tests.
For more information please refer to our service pages or contact our Data Governance team: