Anonymising Records - Frequently Asked Questions

Glossary

FAQs:

1. Why anonymise personal data in research projects?
2. I am receiving personal data from another organisation to use in my research. Who is the best person to anonymise the personal data?
3. If I remove the subject's name have I anonymised the personal data?
4. Will removing the name and address be sufficient?
5. If I replace the names and addresses with codes have I fully anonymised the personal data?
6. Is it possible to anonymise images of faces?
7. What about other images?
8. Do I need to worry about anonymising records belonging to people who have died?

Sources


 

Glossary

Anonymised data is data prepared from personal data but from which the person cannot be identified by the recipient of the information.

Coded data is identifiable personal data in which the details that could identify someone are concealed in a code, but which can readily be decoded by those using the personal data. Such coded data is not anonymised data.

Linked data is typically used when it may be necessary to refer back to the original records for further information, or for verification, or if it is planned to provide feedback to patients or service providers. Unlinked data usually ensures confidentiality but prevents follow-up, verification or feedback, may not be compatible with the aims of the project and may not be in the interests of the individuals or service providers.

With both linked and unlinked anonymised data it is sometimes possible to deduce an individual’s identity through combinations of information. The most important identifiers are:

Linked anonymised data is anonymous to the people who receive and hold it (e.g. a research team) but contains information or codes that would allow the suppliers of the data, such as Social Services, to identify people from it.

Personal data means any information about a living individual who can be identified from that information and other information which is in, or likely to come into, the data controller's possession.

Unlinked anonymised data contain no information that could reasonably be used by anyone to identify people. The link to individuals must be irreversibly broken. As a minimum, unlinked anonymised data must not contain any of the following, or codes traceable by you for the following:

Frequently Asked Questions

1. Why anonymise personal data in research projects?

Respect for confidentiality is essential to maintain trust between the public and researchers. There is a strong public interest in maintaining confidentiality so that individuals will be encouraged, for example, to seek appropriate treatment and share information relevant to it. If members of the public become suspicious of researchers, they may choose not to take part in research in future.

Wherever possible research should use unlinked, truly anonymised data. If this is not possible, the amount of personal data stored by researchers should be kept to the minimum necessary to achieve the purpose of the study. The law states that data kept should be ‘adequate, relevant, and not excessive’ in relation to the project involved. Personal data should be modified as early as possible in the processing of data so that some or all of those who might see it cannot identify individuals. While anonymisation may introduce delays and risks of error, even a basic coding system can provide a safeguard against accidental or mischievous release of confidential information. Sharing of identifiable data should be limited to those who have a demonstrable need to know it as part of their role in the research project.

Researchers should always consider whether their research data may lead to the identification of individuals or very small groups. Exactly what information is potentially identifiable can only be decided on a case-by-case basis, taking into account the sample size, the way the data will be published, and all the other circumstances of the study.

2. I am receiving data from another organisation to use in my research. Who is the best person to anonymise the data?

Ideally, the organisation providing the data should anonymise it before giving it to you. This means you have received unlinked data, reducing (but not entirely removing) the risk that the data will be identifiable. Where this is not possible, it is better for the research team to anonymise the records than to use identifiable information.

3. If I remove the subject's name have I anonymised the record?

Probably not. Usually, anonymising records does not just involve removing the subject's name. If data are stored as individual data sets there is a risk that the data set could be linked to a data subject by age, postcode or medical condition. The more information included in each data set, the greater the risk of identification. Replacing a name with a pseudonym would not necessarily remove this risk.

4. Will removing the name and address be sufficient?

That will depend on the number of people involved in your study and where they are. If it is a countrywide study using many thousands of records this may be acceptable. However, in small communities it may still be possible to identify an individual even without their name and address, by a combination of other obvious characteristics such as ethnic origin, gender, disability, health issues or postcode (in Britain postcodes contain, on average, 14 contiguous addresses, but some postcodes cover only a few addresses). Similarly, cross-tabulation of data in a study with a small number of subjects could identify individuals. In general, the more characteristics there are in a personal record and the fewer people there are sharing those characteristics, the easier it is to identify individuals.
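The effect described in this answer can be measured before data is released. The following is an added example, not part of the original guidance: it counts how many records share each combination of characteristics (the group-size check known as k-anonymity) on a constructed sample, and the field names and values are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: names and addresses are already removed.
RECORDS = [
    {"postcode_district": "AB1", "gender": "F", "disability": "no"},
    {"postcode_district": "AB1", "gender": "F", "disability": "no"},
    {"postcode_district": "AB1", "gender": "F", "disability": "yes"},
    {"postcode_district": "AB1", "gender": "M", "disability": "no"},
    {"postcode_district": "AB1", "gender": "M", "disability": "no"},
    {"postcode_district": "CD2", "gender": "F", "disability": "no"},
    {"postcode_district": "CD2", "gender": "M", "disability": "no"},
    {"postcode_district": "CD2", "gender": "M", "disability": "no"},
    {"postcode_district": "CD2", "gender": "F", "disability": "no"},
]


def group_sizes(records, characteristics):
    """Count the records sharing each combination of the given characteristics."""
    return Counter(tuple(r[c] for c in characteristics) for r in records)


def smallest_group(records, characteristics):
    """Size of the smallest group; 1 means at least one record is unique."""
    return min(group_sizes(records, characteristics).values())


def at_risk(records, characteristics, k):
    """Indexes of records whose combination is shared by fewer than k records."""
    sizes = group_sizes(records, characteristics)
    return [i for i, r in enumerate(records)
            if sizes[tuple(r[c] for c in characteristics)] < k]


if __name__ == "__main__":
    # Each extra characteristic splits the groups further.
    for fields in (["gender"],
                   ["gender", "postcode_district"],
                   ["gender", "postcode_district", "disability"]):
        print(fields, "smallest group:", smallest_group(RECORDS, fields))
    print("unique records:",
          at_risk(RECORDS, ["gender", "postcode_district", "disability"], 2))
```

Records flagged by `at_risk` are candidates for removing a characteristic or recording it more coarsely before the data is shared or cross-tabulated.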

5. If I replace names and addresses with codes have I fully anonymised the data?

The Information Commissioner advises that any personal data that has been encoded remains personal data as defined by the 1998 Data Protection Act as long as the key for decoding it remains in existence. So if the key is in the possession of the University then you cannot be said to have anonymised the data. However, if you have destroyed the key, or another organisation is holding it and will never give you access to it, then the University believes that you have taken suitable steps to anonymise the data, provided you have taken into account the advice given in these guidelines.

6. Is it possible to anonymise images of faces?

Traditionally, blacking out the eyes has been employed to anonymise photographs of faces. However, the International Committee of Medical Journal Editors advises that it is highly unlikely that this successfully disguises identity. Similarly, while digital imaging can distort features, it is entirely possible that a subject could be identified by friends or family. Since complete anonymity of faces is almost impossible to achieve, informed consent should always be sought if there is any doubt.

7. What about other images?

Apparently insignificant features or distinguishing marks, such as tattoos, body piercings, posture and gait, may still be capable of identifying a patient to others. Informed consent, therefore, should always be obtained before taking and using pictures of individuals for the purpose of teaching, research and publication.

8. Do I need to worry about anonymising records belonging to people who have died?

Data Protection law does not apply to information about people who have died before their data are disclosed. However, it is possible for information about a dead person to betray information about their living friends and relatives, for example if the individual had a hereditary medical condition or transmissible disease. Care should be taken to ensure that this does not happen.

Sources

International Committee of Medical Journal Editors:
http://www.icmje.org/

Institute of Medical Illustrators:
http://www.imi.org.uk/lawethics.htm

‘Videos, photographs and patient consent’ by Catherine A Hood, Tony Hope, Phillip Dove:
http://bmj.com/cgi/content/full/316/7136/1009

Medical Research Council: ‘Personal Information in Medical Research’

‘Informed consent in medical research: Journals should not publish research to which patients have not given fully informed consent - with three exceptions’, Len Doyal, BMJ 1997;314;1107 (12 April):
http://bmj.com/cgi/content/abstract/314/7087/1107