You learned that a lot of data are being collected and used within the healthcare sector in order to treat patients as well as for medical research purposes. As long as the personal health data can be used to identify a natural person, like Anna, the GDPR applies.
For treating a patient it is important that the right health data is connected to the right patient. This means that in this context, health data cannot be anonymised. Anonymisation means that personal data can no longer identify a natural person. The GDPR however also mentions another safeguard: pseudonymisation.
Article 4 (5) GDPR explains what is meant by pseudonymisation in light of the GDPR. It means that the processing of personal data cannot be linked to a natural person on its own, addition information is needed to identify a person. It is important that the additional information is kept separately and that technical and organisational measures have been taken to ensure that this information cannot be attributed to a natural person. This means that pseudonymised data can be used to treat a patient and helps keep the data safe against unauthorised access.
For research purposes it is not always necessary to attribute personal data to a natural person, meaning that more drastic measures can be taken. This is why research data can, most of the time, be anonymised. We heard Anna’s research nurse explain that her health data is anonymised before it is transferred to another research institution.
The difference between pseudonymisation and anonymisation is that pseudonymised personal data can still, by using addition information, be used to identify a natural person. Anonymised data can never be used to identify a natural person, not even with addition information. The conclusion that can be drawn from this is that anonymised data does not need to comply with the GDPR, considering that the risks to the fundamental rights and freedoms of a natural person no longer exist.
When anonymising data it is however important to make sure that it is truly anonymised. With modern technologies, a lot of information is available and combining different data sets, makes it sometimes possible to re-identify a natural person in an anonymised data set. In 2015 Latanya Sweeney published an article which proved that she was able to re-identify anonymised datasets which she bought from a hospital, by comparing the dataset to newspaper stories in the same year. By using this technique she was able to identify 43% of the people in the anonymised dataset. This research showed that it is almost impossible to really anonymise data. If data is not anonymised, the risks to the fundamental rights and freedoms of a natural person are still present, and the GDPR applies.
If you have not done so already, we invite you to read Latanya Sweeney’s entire article called ‘Only You, Your Doctor, and Many Others May Know’ from Technology Science.
© University of Groningen