DATA PROTECTION | LABORATORY INFORMATICS GUIDE 2016 | www.scientific-computing.com/lig2016 | 29

‘personal data’.11 The definition of genetic data is of particular relevance for the laboratory environment, as it encompasses all personal data resulting from an analysis of a biological sample12 from the individual in question within the scope of data protection law. Furthermore, the definition of ‘data concerning health’ raises the question whether it is only intended to apply to personal data within the category ‘health’ or to all data related to health, as the words ‘personal data’ are missing in this definition. Although the definition does refer to the physical or mental health of an individual, further clarification is necessary to understand the scope.13 Both ‘genetic data’ and ‘data concerning health’ are treated as sensitive personal data under the proposed GDPR,14 which means the processing of these data is prohibited unless an exemption is applicable. The most common exemptions are explicit informed consent by the patient, and processing in the context of treatment under a healthcare professional’s duty of confidentiality.

ANONYMISATION: THE CURRENT STATE

Anonymisation is a technique applied to personal data in order to achieve irreversible de-identification. Therefore, the starting assumption is that the personal data must have been collected and processed (in order to anonymise it).15 In this context, the anonymisation process, meaning the processing of such personal data to achieve its anonymisation, is an instance of ‘further processing’. As such, this processing must comply with the data protection law, such as informed consent for processing.16 For data not to be considered as personal data within the scope of the DPD, it must be rendered anonymous in such a way that identification of the data subject is no longer possible.17

The DPD itself does not provide further guidance on the concept of anonymisation, but the Article 29 Data Protection Working Party18 adopted an opinion on anonymisation techniques on 10 April 2014.19 The main anonymisation techniques, namely randomisation and generalisation, are described in this opinion. In particular, the opinion discusses noise addition, permutation, differential privacy, aggregation, k-anonymity, l-diversity and t-closeness. The opinion helps to choose how to design an adequate anonymisation process in a given context, and furthermore elaborates on the robustness of each technique based on three criteria:

• is it still possible to single out an individual?
• is it still possible to link records relating to an individual?
• can information concerning an individual be inferred?

Relating to these three criteria, an overview of anonymisation techniques is provided in the opinion – see panel below. Pseudonymisation is also addressed; not a method of anonymisation, it merely reduces the linkability of a dataset to the original identity of a data subject. Accordingly, it is a useful security measure to reduce risk in relation to a set of personal data, but it is not a method for anonymisation of personal data.

The outcome of anonymisation as a technique applied to personal data should, in the current state of technology, be as permanent as erasure of the personal data. It should make processing of personal data impossible. The optimal solution for anonymisation should be decided on a case-by-case basis, possibly by using a combination of different techniques. Furthermore, anonymisation should not be regarded as a one-off exercise, as even anonymised data – like statistics – may be used to enrich existing profiles of individuals. A dataset considered to be anonymous may be combined with another dataset in such a way that one or more individuals can be identified, thus creating new data protection issues. The following example is described in Opinion 05/2014: ‘Genetic data profiles are an example of personal data that can be at risk of identification if the sole technique used is the removal of the identity of the donor due to the unique nature of certain profiles. It has already been shown in the literature20 that the combination of publicly available genetic resources (e.g. genealogy registers, obituary, results of search engine queries) and the metadata about DNA donors (time of donation, age, place of residence) can reveal the identity of certain individuals even if that DNA was donated “anonymously”.’21

Anonymisation techniques

Technique                  | (1) Is singling out still a risk? | (2) Is linkability still a risk? | (3) Is inference still a risk?
Pseudonymisation           | Yes                               | Yes                              | Yes
Noise addition             | Yes                               | May not                          | May not
Substitution               | Yes                               | Yes                              | May not
Aggregation or K-anonymity | No                                | Yes                              | Yes
L-diversity                | No                                | Yes                              | May not
Differential privacy       | May not                           | May not                          | May not
Hashing/Tokenisation       | Yes                               | Yes                              | May not
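The three robustness criteria and the contrast between pseudonymisation and generalisation are easier to grasp on a concrete dataset. The following is an added example, not code from the article or from the Article 29 Working Party opinion: it builds a small constructed set of patient records (identifier, age, postcode, diagnosis), produces a pseudonymised view (keyed HMAC token in place of the identifier, key held separately) and a generalised view (age bands, outward postcode, identifier dropped), and then evaluates singling out, linkability and inference on each. The record values, the key and all function names are assumptions made for this illustration.

```python
"""Added example (not from the article or the WP29 opinion): checking a
constructed patient dataset against the three criteria the opinion uses,
before and after pseudonymisation and k-anonymity generalisation."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records: (patient_id, age, postcode, diagnosis).
# patient_id is the direct identifier; age and postcode are quasi-identifiers;
# diagnosis is the sensitive attribute ('data concerning health').
RECORDS = [
    ("P001", 34, "AB12 3CD", "asthma"),
    ("P002", 36, "AB12 9ZZ", "diabetes"),
    ("P003", 52, "AB14 1XY", "asthma"),
    ("P004", 58, "AB14 7QQ", "asthma"),
    ("P005", 31, "AB12 1AA", "hypertension"),
    ("P006", 55, "AB14 2BB", "asthma"),
]
# Hypothetical key; in practice kept apart from the data it pseudonymises.
KEY = b"constructed-demo-key-keep-separately"


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token (HMAC-SHA256).
    Without the key the token cannot be mapped back to the patient id, but
    the quasi-identifiers and the sensitive attribute are left untouched."""
    out = []
    for pid, age, postcode, dx in records:
        token = hmac.new(key, pid.encode(), hashlib.sha256).hexdigest()[:16]
        out.append((token, age, postcode, dx))
    return out


def generalise(records, age_band=10, outward_chars=4):
    """Generalisation: drop the identifier, coarsen age into bands and the
    postcode to its outward part, keeping the sensitive attribute."""
    out = []
    for _, age, postcode, dx in records:
        lo = (age // age_band) * age_band
        out.append((f"{lo}-{lo + age_band - 1}", postcode[:outward_chars], dx))
    return out


def equivalence_classes(rows, qi_idx):
    """Group rows that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[i] for i in qi_idx)].append(row)
    return classes


def k_anonymity(rows, qi_idx):
    """Size of the smallest equivalence class."""
    return min(len(c) for c in equivalence_classes(rows, qi_idx).values())


def singling_out_risk(rows, qi_idx):
    """Criterion (1): is some record alone in its equivalence class?"""
    return k_anonymity(rows, qi_idx) == 1


def l_diversity(rows, qi_idx, sens_idx):
    """Fewest distinct sensitive values found in any equivalence class."""
    return min(len({r[sens_idx] for r in c})
               for c in equivalence_classes(rows, qi_idx).values())


def inference_risk(rows, qi_idx, sens_idx):
    """Criterion (3): does some class share a single sensitive value, so that
    membership alone discloses it?"""
    return l_diversity(rows, qi_idx, sens_idx) == 1


def shared_tokens(release_a, release_b):
    """Criterion (2): tokens present in two releases made with the same key
    let the records be joined, so linkability survives pseudonymisation."""
    return {r[0] for r in release_a} & {r[0] for r in release_b}


def assess():
    """Summarise the three criteria for both views of RECORDS."""
    pseudo = pseudonymise(RECORDS, KEY)
    second_release = pseudonymise(RECORDS[:2], KEY)
    general = generalise(RECORDS)
    return {
        "pseudonymised": {
            "k": k_anonymity(pseudo, (1, 2)),
            "singling_out": singling_out_risk(pseudo, (1, 2)),
            "linkable_across_releases": bool(shared_tokens(pseudo, second_release)),
            "inference": inference_risk(pseudo, (1, 2), 3),
        },
        "generalised": {
            "k": k_anonymity(general, (0, 1)),
            "singling_out": singling_out_risk(general, (0, 1)),
            "l": l_diversity(general, (0, 1), 2),
            "inference": inference_risk(general, (0, 1), 2),
        },
    }


if __name__ == "__main__":
    for view, result in assess().items():
        print(view, result)
```

On this data the pseudonymised view still has k = 1 (every record can be singled out by age and postcode), remains linkable to any other release made with the same key, and discloses each diagnosis; this matches the ‘Yes/Yes/Yes’ row for pseudonymisation in the panel. The generalised view reaches k = 3, so nobody can be singled out, but the 50–59 / AB14 class contains only asthma, so inference remains possible, which is the ‘No/Yes/Yes’ pattern the panel gives for aggregation or k-anonymity and the reason the opinion also discusses l-diversity.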


ANONYMISATION UNDER THE GDPR

According to recital 23 of the GDPR, anonymous data remain outside the scope of the GDPR: ‘The principles of data protection should therefore not apply to anonymous information, that is information which does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is not or no longer identifiable. This Regulation does therefore not concern the processing of such anonymous information, including for statistical and research purposes.’ As tools and computational power evolve, it is neither possible nor useful to provide an exhaustive enumeration of circumstances when identification is no longer possible. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both the technology available at the time of the processing and technological development.22

The Council defines ‘pseudonymisation’23 as: ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person (…).’ This definition introduces a pseudo-category of personal data, leaving it uncertain what standard applies.24


PROCESSING OF DATA FOR RESEARCH PURPOSES

Currently, the use of personal data concerning health cannot be legally justified on the basis of conducting research only. That is, use of personal data for research must be legally




