Limits of anonymisation Pilar Nicolás Inter-University Chair in Law - - PowerPoint PPT Presentation

SLIDE 1

Limits of anonymisation

Pilar Nicolás

Inter-University Chair in Law and the Human Genome, University of Deusto, University of the Basque Country (Spain)

SLIDE 2

Limits of anonymisation

SUMMARY

  • 1. Limits of anonymisation of human samples / data
  • 2. Limits of the legal concept of personal data / anonymous data
  • 3. Limiting the requirements for the management of the data
  • 4. Anonymisation in Rec (2006)
  • 5. Anonymisation “limits identification” and excludes the exercise of rights and the implementation of security measures

SLIDE 3

Limits of anonymisation of human samples / data

  • a) Anonymised data / sample: impossible to link to a subject.
  • b) The genome is unique for each subject.
  • c) There is no anonymous biological sample or genetic data sequence

SLIDE 4

Limits of the legal concept of personal data / anonymous data (1)

From…

Directive 95/46/EC, Recital 26: (...) to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.

and...

R (97) 5 on the Protection of Medical Data: An individual shall not be regarded as “identifiable” if identification requires an unreasonable amount of time and manpower. In cases where the individual is not identifiable, the data are referred to as anonymous.

To…

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (25/1/2012): 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Art. 4.1)

SLIDE 5

Limits of the legal concept of personal data / anonymous data (2)

  • When does identification require an unreasonable amount of time and manpower?
  • Papers since 2008: identification of subjects in open access genetic databases
  • New politics

SLIDE 6

Limits of the legal concept of personal data / anonymous data (3)

  • Increasing open access databases and GWAS (Genome Wide Association Study)
  • Increasing possibilities of identification
  • Impossible to evaluate the possibility of identifying a subject in a single database or project
  • In the state of the art, is a genetic sequence an identifier by itself?

SLIDE 7

Limits of the legal concept of personal data / anonymous data (4)

In the state of the art, is a genetic sequence an identifier by itself?

(ARTICLE 29 DATA PROTECTION WORKING PARTY. Opinion 4/2007 on the concept of personal data)

Identifiers are sufficient to achieve identification depending on the context of the particular situation:

  • Cost
  • The way the processing is structured
  • Interests at stake
  • Risk of organisational dysfunctions
  • Technical failures

This test is a dynamic one and should consider the state of the art in technology at the time.

The system should be able to adapt to these developments as they happen, and to incorporate then the appropriate technical and organisational measures in due course.

SLIDE 8

Limiting the requirements for the management of personal data (1)

Proposal for a Regulation on the protection of individuals with regard to the processing of personal data 2012

  • Art. 9. The processing of genetic data shall be prohibited unless:
  • a. the data subject has given consent

(…)

  • i. is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83:

(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

SLIDE 9

Limiting the requirements for the management of personal data (2)

… data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

ALL OTHER RIGHTS MUST BE GUARANTEED!!

  • Genetic sequence is not an identifier: Consent is not required if the user of the data has no access to a code which enables identification
  • Genetic sequence is an identifier: Consent is not required if the purposes cannot be fulfilled otherwise

SLIDE 10

Anonymisation in Rec (2006)4 (1)

Identifiable biological materials: allow the identification of the persons concerned

  • directly or
  • through the use of a code.
  • a. The user has access to the code: “coded materials”
  • or
  • b. The user has no access to the code, which is under the control of a third party: “linked anonymised materials”.

No distinction in the regime of these two categories.

SLIDE 11

Anonymisation in Rec (2006)4 (2)

Article 8 – Justification of identifiability

  • 1. Biological materials and associated data should be anonymised as far as appropriate to the research activities concerned.
  • 2. Any use of biological materials and associated data in an identified, coded, or linked anonymised form should be justified by the researcher.

Article 15 – Right to change the scope of, or to withdraw, consent or authorisation

  • 1. When a person has provided consent to storage of identifiable biological materials for research purposes, the person should retain the right to withdraw or alter the scope of that consent. (...)

When identifiable biological materials are stored for research purposes only, the person who has withdrawn consent should have the right to have, in the manner foreseen by national law, the materials either destroyed or rendered unlinked anonymised.

Article 23 – Unlinked anonymised biological materials

  • 1. Unlinked anonymised biological materials may be used in research provided that such use does not violate any restrictions placed by the person concerned prior to the anonymisation of the materials.
  • 2. Anonymisation should be verified by an appropriate review procedure.

SLIDE 12

Anonymisation “limits identification” and excludes the exercise of rights and the implementation of security measures (1)

Identified / Coded Linked anonymized Anonymized

  • Information and consent (specific or broad)
  • Consent to each transfer
  • Limits on the use
  • Return of results
  • Right to withdraw
  • Confidentiality guaranteed
  • Security measures

Implementable / Difficult / impossible

SLIDE 13

Anonymisation “limits identification” and excludes the exercise of rights and the implementation of security measures (2)

Coded Linked anonymized (under a standardized control) Anonymized

  • Information and consent (specific or broad)
  • Consent to each transfer: Control of each transfer
  • Limits on the use: Control of the use
  • Return of results: Mechanisms established
  • Right to withdraw: Mechanisms established
  • Confidentiality guaranteed: Compromised
  • Security measures

Implementable / impossible

SLIDE 14

Limits of anonymisation

CONCLUSIONS

  • Difficulty in identifying the categories (identifiable / non-identifiable subject) in practice.
  • The categorization implies the application / non-application of a specific legal regime.
  • Anonymisation and linked anonymisation are useful tools to facilitate research.
  • If the subject becomes identifiable, the legal regime of personal data must be applied.
  • This regime should include specific rules depending on the possibility that the user of the data can access the code and the justification of the interest. Guarantees should be implemented taking into account the characteristics of genetic data.
  • Biobanks could play an important role within this framework.

SLIDE 15

Thank you!

Pilar Nicolás