ICO says anonymous data "not covered" by Data Protection Act - until it's de-anonymised

ICO admission leaves care.data hole open to the abuse of patient records

The Information Commissioner's Office (ICO) has stated that anonymous data is not covered by the Data Protection Act, meaning that if anonymised patient record data were leaked or misused, the ICO would not treat it as a breach of the Act - assuming anyone found out about it.

It has also left it to the Health and Social Care Information Centre (HSCIC), the organisation overseeing the transfer of patient records into the centralised care.data database, to decide whether "pseudonymised" patient data will be at risk of re-identification when the HSCIC passes it on to third parties.

The disclosure was made in a written response to a Freedom of Information (FOI) request from privacy campaigner Neil Bhatia, a GP opposed to the government's care.data initiative.

"Anonymous data is not covered by the DPA [Data Protection Act], as if there is no way an individual can be identified from the information, the information is not considered to be personal data... Pseudonymised data on its own would not constitute personal data as it does not enable individuals to be identified," according to the ICO.

However, the ICO's guidance becomes more complicated once such data is passed to third parties.

"It is possible that pseudonymised data may become personal data if it is held by an organisation which holds other information which could be used in conjunction with the pseudonymised data to identify individuals. As such, whether pseudonymised data would be covered by the DPA would depend on other information which is in the data controller's possession.

"In these specific circumstances it would be the responsibility of the HSCIC to determine whether any organisations in receipt of the pseudonymised data would hold other information which may make this data personal."

Bhatia has followed up the response by writing to the HSCIC for clarification of the process the organisation should have in place to determine whether a third party holds other information that could be used to identify individuals, and of whether the HSCIC will provide those third parties with details that could potentially identify individuals.

The ICO's position also does not take into account an organisation that holds no other personal data capable of de-pseudonymising care.data records at the time it acquires them from the HSCIC, but obtains such data later.
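The two risks the ICO's response describes - a recipient that already holds "other information" it can link against the pseudonymised extract, and one that acquires such information later - can be made concrete with a small linkage exercise. The following is an added example written for this article, not code from the ICO, the HSCIC or the care.data programme. The record layout, the sample NHS numbers and names, and the unkeyed SHA-256 pseudonym scheme are all constructed assumptions for illustration; they are not the care.data schema or the HSCIC's actual pseudonymisation method.

```python
"""Linkage and recomputation attacks on a pseudonymised extract.

Constructed example. The record layout is a hypothetical stand-in for a
patient extract, and pseudonymise() is an assumed unkeyed scheme, not the
HSCIC's real method. All names and numbers below are made up.
"""
import hashlib
from collections import defaultdict


def pseudonymise(nhs_number: str) -> str:
    """Assumed pseudonym scheme: truncated SHA-256 of the NHS number, no secret key.
    Anyone who knows an NHS number can recompute the pseudonym (see below)."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()[:16]


# Constructed extract as a third party might receive it: direct identifiers
# removed, but date of birth, postcode district and sex retained.
PSEUDONYMISED_EXTRACT = [
    {"pseudonym": pseudonymise("9434765919"), "dob": "1975-03-14",
     "postcode_district": "GU14", "sex": "F", "diagnosis": "asthma"},
    {"pseudonym": pseudonymise("9434765870"), "dob": "1962-11-02",
     "postcode_district": "GU14", "sex": "M", "diagnosis": "diabetes"},
    {"pseudonym": pseudonymise("9434765897"), "dob": "1988-07-21",
     "postcode_district": "SO15", "sex": "M", "diagnosis": "depression"},
]

# Constructed "other information" the recipient already holds, e.g. a customer
# file or marketing list carrying names alongside the same quasi-identifiers.
AUXILIARY_DATA = [
    {"name": "A. Patel", "dob": "1975-03-14", "postcode_district": "GU14", "sex": "F"},
    {"name": "B. Jones", "dob": "1962-11-02", "postcode_district": "GU14", "sex": "M"},
    {"name": "C. Smith", "dob": "1962-11-02", "postcode_district": "GU14", "sex": "M"},
    {"name": "D. Khan",  "dob": "1990-01-05", "postcode_district": "SO15", "sex": "M"},
]


def quasi_identifier(record):
    """Fields that are not names but, in combination, single people out."""
    return (record["dob"], record["postcode_district"], record["sex"])


def equivalence_class_sizes(records):
    """k-anonymity view: how many records share each quasi-identifier.
    A class of size 1 is a record that is unique on those fields."""
    sizes = defaultdict(int)
    for record in records:
        sizes[quasi_identifier(record)] += 1
    return dict(sizes)


def reidentify_by_linkage(extract, auxiliary):
    """Case 1: recipient already holds linking data. Returns {pseudonym: name}
    for extract rows whose quasi-identifier matches exactly one auxiliary row.
    Ambiguous matches are dropped here, but they still narrow a patient to a
    small group, which is itself a disclosure."""
    index = defaultdict(list)
    for aux in auxiliary:
        index[quasi_identifier(aux)].append(aux["name"])
    matched = {}
    for row in extract:
        candidates = index.get(quasi_identifier(row), [])
        if len(candidates) == 1:
            matched[row["pseudonym"]] = candidates[0]
    return matched


def reidentify_by_recomputation(extract, known_nhs_numbers):
    """Case 2: recipient acquires NHS numbers after receiving the extract.
    With an unkeyed pseudonym it simply recomputes them and joins.
    Returns {pseudonym: nhs_number} for every row it can relink."""
    lookup = {pseudonymise(n): n for n in known_nhs_numbers}
    return {row["pseudonym"]: lookup[row["pseudonym"]]
            for row in extract if row["pseudonym"] in lookup}


if __name__ == "__main__":
    print("class sizes in auxiliary data:", equivalence_class_sizes(AUXILIARY_DATA))
    print("linked by quasi-identifiers:", reidentify_by_linkage(PSEUDONYMISED_EXTRACT, AUXILIARY_DATA))
    print("relinked after obtaining NHS numbers:",
          reidentify_by_recomputation(PSEUDONYMISED_EXTRACT, ["9434765897"]))
```

Only the first extract row links cleanly, because A. Patel is unique on date of birth, postcode district and sex in the auxiliary file; the second row narrows to two people and the third has no match. The recomputation case shows why "does not hold other information" is a judgement about a point in time: the moment the recipient obtains NHS numbers, an unkeyed pseudonym is no protection at all. The usual mitigations are a keyed pseudonym (an HMAC whose secret stays with the data controller) so recomputation is impossible without the key, and generalising quasi-identifiers (year rather than full date of birth, a wider postcode area) so that every equivalence class is comfortably larger than one.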