DATA PROTECTION | LABORATORY INFORMATICS GUIDE 2016

‘personal data’.11 The definition of genetic data is of particular relevance for the laboratory environment, as it encompasses all personal data resulting from an analysis of a biological sample12 from the individual in question within the scope of data protection law. Furthermore, the definition of ‘data concerning health’ raises the question whether it is only intended to apply to personal data within the category ‘health’, or to all data related to health, as the words ‘personal data’ are missing in this definition. Although the definition does refer to the physical or mental health of an individual, further clarification is necessary to understand the scope.13 Both ‘genetic data’ and ‘data concerning health’ are treated as sensitive personal data under the proposed GDPR14, which means the processing of these data is prohibited unless an exemption is applicable. The most common exemptions are explicit informed consent by the patient, and processing in the context of treatment under a healthcare professional’s duty of confidentiality.

ANONYMISATION: THE CURRENT STATE

Anonymisation is a technique applied to personal data in order to achieve irreversible de-identification. Therefore, the starting assumption is that the personal data must have been collected and processed (in order to anonymise it).15 In this context, the anonymisation process, meaning the processing of such personal data to achieve its anonymisation, is an instance of ‘further processing’. As such, this processing must comply with data protection law, such as informed consent for processing.16 For data not to be considered as personal data within the scope of the DPD, it must be rendered anonymous in such a way that identification of the data subject is no longer possible.17

The DPD itself does not provide further guidance on the concept of anonymisation, but the Article 29 Data Protection Working Party18 adopted an opinion on anonymisation techniques on 10 April 2014.19 The main anonymisation techniques, namely randomisation and generalisation, are described in this opinion. In particular, the opinion discusses noise addition, permutation, differential privacy, aggregation, k-anonymity, l-diversity and t-closeness. The opinion helps to choose how to design an adequate anonymisation process in a given context, and furthermore elaborates on the robustness of each technique based on three criteria:
• is it still possible to single out an individual?
• is it still possible to link records relating to an individual?
• can information concerning an individual be inferred?
Relating to these three criteria, an overview of anonymisation techniques is provided in the opinion – see panel below. Pseudonymisation is also addressed; not a method of anonymisation, it merely reduces the linkability of a dataset to the original identity of a data subject. Accordingly, it is a useful security measure to reduce risk in relation to a set of personal data, but it is not a method for anonymisation of personal data.

The outcome of anonymisation as a technique applied to personal data should, in the current state of technology, be as permanent as erasure of the personal data. It should make processing of personal data impossible. The optimal solution for anonymisation should be decided on a case-by-case basis, possibly by using a combination of different techniques. Furthermore, anonymisation should not be regarded as a one-off exercise, as even anonymised data – like statistics – may be used to enrich existing profiles of individuals. A dataset considered to be anonymous may be combined with another dataset in such a way that one or more individuals can be identified, thus creating new data protection issues. The following example is described in Opinion 05/2014: ‘Genetic data profiles are an example of personal data that can be at risk of identification if the sole technique used is the removal of the identity of the donor due to the unique nature of certain profiles. It has already been shown in the literature20 that the combination of publically available genetic resources (e.g. genealogy registers, obituary, results of search engine queries) and the metadata about DNA donors (time of donation,
age, place of residence) can reveal the identity of certain individuals even if that DNA was donated “anonymously”.’21

Anonymisation techniques

Technique                    (1) Singling out   (2) Linkability   (3) Inference
                             still a risk?      still a risk?     still a risk?
Pseudonymisation             Yes                Yes               Yes
Noise addition               Yes                May not           May not
Substitution                 Yes                Yes               May not
Aggregation or K-anonymity   No                 Yes               Yes
L-diversity                  No                 Yes               May not
Differential privacy         May not            May not           May not
Hashing/Tokenisation         Yes                Yes               May not

www.scientific-computing.com/lig2016 | 29
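As an added example (not from the article or the Working Party opinion), the following Python script scores a constructed, pseudonymised laboratory dataset against the first and third criteria of the panel above: it computes k-anonymity over the quasi-identifiers age, postcode and sex, applies a generalisation step, and then checks l-diversity to show why the panel marks inference as a remaining risk for k-anonymity alone. The record values and the generalisation rules are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample (not from the article): a pseudonymised lab dataset. The
# donor's name was replaced by a token, but age, postcode and sex remain as
# quasi-identifiers and the test result is the sensitive attribute.
RECORDS = [
    {"token": "T01", "age": 34, "postcode": "SW1A 1AA", "sex": "F", "result": "positive"},
    {"token": "T02", "age": 37, "postcode": "SW1A 2BB", "sex": "F", "result": "positive"},
    {"token": "T03", "age": 52, "postcode": "SW1A 1AA", "sex": "M", "result": "negative"},
    {"token": "T04", "age": 58, "postcode": "SW1A 3CC", "sex": "M", "result": "positive"},
    {"token": "T05", "age": 41, "postcode": "SW1A 1AA", "sex": "F", "result": "negative"},
    {"token": "T06", "age": 46, "postcode": "SW1A 2BB", "sex": "F", "result": "positive"},
]
QUASI = ("age", "postcode", "sex")
SENSITIVE = "result"

def equivalence_classes(records, quasi):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes

def k_anonymity(records, quasi):
    """k = size of the smallest class; k == 1 means a record can be singled out."""
    return min(len(c) for c in equivalence_classes(records, quasi).values())

def l_diversity(records, quasi, sensitive):
    """l = fewest distinct sensitive values in any class; l == 1 means the
    sensitive value of everyone in that class can be inferred."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records, quasi).values())

def inference_risk_classes(records, quasi, sensitive):
    """Classes whose members all share one sensitive value (inference risk)."""
    return sorted(key for key, c in equivalence_classes(records, quasi).items()
                  if len({r[sensitive] for r in c}) == 1)

def generalise(record):
    """Generalisation step: age to a 10-year band, postcode to its outward code."""
    g = dict(record)
    lo = record["age"] // 10 * 10
    g["age"] = f"{lo}-{lo + 9}"
    g["postcode"] = record["postcode"].split()[0]
    return g

if __name__ == "__main__":
    gen = [generalise(r) for r in RECORDS]
    print("raw k =", k_anonymity(RECORDS, QUASI), "| generalised k =", k_anonymity(gen, QUASI))
    print("generalised l =", l_diversity(gen, QUASI, SENSITIVE), "| at risk:", inference_risk_classes(gen, QUASI, SENSITIVE))
```

A class still flagged after generalisation needs further generalisation or suppression before the dataset can be said to resist inference, which is the gap between the k-anonymity and l-diversity rows of the panel.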
ANONYMISATION UNDER THE GDPR

According to recital 23 of the GDPR, anonymous data remain outside the scope of the GDPR: ‘The principles of data protection should therefore not apply to anonymous information, that is information which does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is not or no longer identifiable. This Regulation does therefore not concern the processing of such anonymous information, including for statistical and research purposes.’ As tools and computational power evolve, it is neither possible nor useful to provide an exhaustive enumeration of circumstances in which identification is no longer possible. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both the available technology at the time of the processing and technological development.22 The Council defines ‘pseudonymisation’23 as: ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person (…).’ This definition introduces a pseudo-category of personal data, leaving it uncertain what standard applies.24
PROCESSING OF DATA FOR RESEARCH PURPOSES

Currently, the use of personal data concerning health cannot be legally justified on the basis of conducting research only. That is, use of personal data for research must be legally