A number of legal instruments exist to protect privacy in different ways, but developments in data science and the incentives to link and re-use data have put significant pressure on conventional governance approaches.
In the UK, the Human Rights Act guarantees a right to privacy, except where there is an accepted and overriding public interest.
Data protection law in the UK and Europe controls the processing of certain categories of data and applies enhanced controls to sensitive data such as health data. Specific relationships also generate duties of confidence, such as that between a doctor and a patient.
Where data are to be re-used in other contexts, or for other purposes, procedures to seek the consent of individuals to share data or to de-identify data are typically used in order to ensure their privacy is not breached. However, in the context of modern data initiatives, there can be significant problems with these strategies.
The limitations of de-identification
Examples of how data may be de-identified include:
- Aggregating data into large data sets.
- Removing identifying information such as the names or addresses of individuals (anonymisation).
- Replacing identifiers with a unique code (pseudonymisation).
On their own, these techniques reduce the risk of re-identification but they do not reliably eliminate it. Whether or not an individual is identifiable will depend on what other information is or may be available (now or in the future), and on the means and motivation of the person who might wish to re-identify them.
- The de-identification of individual-level data cannot, on its own, protect privacy as it is simply too difficult to prevent re-identification.
- This can only be expected to become more difficult as the accumulation of data, and corresponding processing and analytical power, make potentially identifying linkages increasingly possible. [Chapter 4]
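As an added illustration (example code, not part of the report), the following Python measures how far pseudonymised individual-level records can still be singled out on their remaining quasi-identifiers, and how aggregating those fields changes that. The records, the secret and the field names are constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample of individual-level records (not real data). "diagnosis" is the
# sensitive attribute; postcode, birth year and sex are quasi-identifiers that may
# also be present in other data sources and so support linkage.
RAW = [
    {"name": "Alice", "postcode": "SW1A 1AA", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"name": "Bob",   "postcode": "SW1A 1AB", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"name": "Carol", "postcode": "SW1A 1AA", "birth_year": 1982, "sex": "F", "diagnosis": "asthma"},
    {"name": "Dave",  "postcode": "SW1A 2BB", "birth_year": 1970, "sex": "M", "diagnosis": "none"},
    {"name": "Erin",  "postcode": "SW1A 1AA", "birth_year": 1975, "sex": "F", "diagnosis": "none"},
    {"name": "Frank", "postcode": "SW1A 2BB", "birth_year": 1978, "sex": "M", "diagnosis": "diabetes"},
]
QUASI_IDS = ("postcode", "birth_year", "sex")


def pseudonymise(records, secret):
    """Remove the name and replace it with a keyed code (pseudonymisation)."""
    out = []
    for r in records:
        code = hashlib.sha256((secret + r["name"]).encode()).hexdigest()[:12]
        out.append({"id": code, **{k: v for k, v in r.items() if k != "name"}})
    return out


def generalise(records):
    """Aggregate: coarsen the postcode to its outward part and the birth year to a decade."""
    return [{**r, "postcode": r["postcode"].split()[0],
             "birth_year": r["birth_year"] // 10 * 10} for r in records]


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Return (k, uniques): the size of the smallest group of records sharing the same
    quasi-identifier values, and how many records are alone in their group.
    A record in a group of size 1 can be singled out by anyone who knows those values."""
    key = lambda r: tuple(r[q] for q in quasi_ids)
    groups = Counter(key(r) for r in records)
    uniques = sum(1 for r in records if groups[key(r)] == 1)
    return min(groups.values()), uniques


if __name__ == "__main__":
    pseudo = pseudonymise(RAW, "constructed-secret")
    print("pseudonymised only:", k_anonymity(pseudo))                      # (1, 4)
    print("pseudonymised + aggregated:", k_anonymity(generalise(pseudo)))  # (1, 1)
```

Removing names leaves four of the six records unique on postcode, birth year and sex; coarsening those fields reduces that to one, but does not remove it, which is the point the report makes about de-identification on its own.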
The limitations of consent
Consent to data use is usually sought at the time the data is collected. As time goes on, and when it comes to making further use of the data, two obvious problems arise: does the consent still reflect the wishes or views of the individual who gave it; and does the new proposed use still fall within the possible uses that the individual who gave the consent originally intended?
While consent acknowledges an individual’s right to decide against some uses of data, it does not necessarily prevent harms occurring to them when there may be poorly understood or unforeseen consequences of data use.
- Where a person providing data about themselves cannot foresee or comprehend the possible consequences of how their data will be available for linkage or re-use, consent at the time of data collection cannot, on its own, protect all of their interests.
- Those who manage data initiatives therefore have a continuing duty to promote and protect the legitimate rights and interests of those who have provided data about themselves irrespective of the terms of any consent given. [Chapter 4]
The need for good governance
Whether in health care or biomedical research, the widest access to the richest data is implicitly desirable in order to advance research or improve the efficiency of public services. Those designing data initiatives find themselves in a situation where they are obliged to generate, use and extend access to data, while at the same time protecting privacy.
The limitations of ‘consent or anonymise’ mean that additional governance arrangements are usually required, including oversight committees authorising access to data; limiting data access through ‘safe havens’; or formal agreements on the limitations of data use.
The key issues facing data initiatives are not merely to do with re-identification of individuals. Decisions about how data are used may have consequences for the way different people and groups are treated.
The changing context and potential for data re-use means that compliance with the law is not enough to ensure a data initiative is ethically appropriate. Continuing, active participation in governance by those with relevant interests is needed.