Limits of anonymisation
Pilar Nicolás
Inter-University Chair in Law and the Human Genome, University of Deusto, University of the Basque Country (Spain)

SUMMARY
1. Limits of anonymisation of human samples / data
2. Limits of the legal concept of personal data / anonymous data
3. Limiting the requirements for the management of the data
4. Anonymisation in Rec (2006)4
5. Anonymisation “limits identification” and excludes the exercise of rights and the implementation of security measures

Limits of anonymisation of human samples / data
a) Anonymised data / sample: impossible to link to a subject.
b) The genome is unique for each subject.
c) There is no anonymous biological sample or genetic data sequence.

Limits of the legal concept of personal data / anonymous data (1)

From:
Directive 95/46/EC, Recital 26: (...) to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.
and R (97) 5 on the Protection of Medical Data: An individual shall not be regarded as “identifiable” if identification requires an unreasonable amount of time and manpower. In cases where the individual is not identifiable, the data are referred to as anonymous.

To:
Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (25/1/2012): 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Art. 4.1)

Limits of the legal concept of personal data / anonymous data (2)
● When does identification require an unreasonable amount of time and manpower?
● Papers since 2008: identification of subjects in open access genetic database
● New politics

Limits of the legal concept of personal data / anonymous data (3)
- Increasing number of open access databases and GWAS (Genome Wide Association Studies)
- Increasing possibilities of identification
- Impossible to evaluate the possibility of identifying a subject in a single database or project
- In the state of the art, is a genetic sequence an identifier by itself?

Limits of the legal concept of personal data / anonymous data (4)

In the state of the art, is a genetic sequence an identifier by itself?
(ARTICLE 29 DATA PROTECTION WORKING PARTY. Opinion 4/2007 on the concept of personal data)

Identifiers are sufficient to achieve identification depending on the context of the particular situation:
- Cost
- The way the processing is structured
- Interests at stake
- Risk of organisational dysfunctions
- Technical failures

This test is a dynamic one and should consider the state of the art in technology at the time.
The system should be able to adapt to these developments as they happen, and to incorporate then the appropriate technical and organisational measures in due course.

Limiting the requirements for the management of personal data (1)

Proposal for a Regulation on the protection of individuals with regard to the processing of personal data 2012

Art. 9. The processing of genetic data shall be prohibited unless:
a. the data subject has given consent
(…)
i. is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83:
(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;
(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

Limiting the requirements for the management of personal data (2)

… data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

- Genetic sequence is not an identifier: consent is not required if the user of the data has no access to a code which enables identification.
- Genetic sequence is an identifier: consent is not required if the purposes cannot be fulfilled otherwise.

ALL OTHER RIGHTS MUST BE GUARANTEED!!

Anonymisation in Rec (2006)4 (1)

Identifiable biological materials: allow the identification of the persons concerned
- directly, or
- through the use of a code:
  a. The user has access to the code: “coded materials”, or
  b. The user has no access to the code, which is under the control of a third party: “linked anonymised materials”.

No distinction in the regime of these two categories.

Anonymisation in Rec (2006)4 (2)

Article 8 – Justification of identifiability
1. Biological materials and associated data should be anonymised as far as appropriate to the research activities concerned.
2. Any use of biological materials and associated data in an identified, coded, or linked anonymised form should be justified by the researcher.

Article 15 – Right to change the scope of, or to withdraw, consent or authorisation
1. When a person has provided consent to storage of identifiable biological materials for research purposes, the person should retain the right to withdraw or alter the scope of that consent. (...) When identifiable biological materials are stored for research purposes only, the person who has withdrawn consent should have the right to have, in the manner foreseen by national law, the materials either destroyed or rendered unlinked anonymised.

Article 23 – Unlinked anonymised biological materials
1. Unlinked anonymised biological materials may be used in research provided that such use does not violate any restrictions placed by the person concerned prior to the anonymisation of the materials.
2. Anonymisation should be verified by an appropriate review procedure.

Anonymisation “limits identification” and excludes the exercise of rights and the implementation of security measures (1)

[Table. Columns: Identified / Coded; Linked anonymized; Anonymized. Legend for the cells: Implementable / Difficult / impossible.]
Rows:
- Information and consent (specific or broad)
- Consent to each transfer
- Limits on the use
- Return of results
- Right to withdraw
- Confidentiality guaranteed
- Security measures

Anonymisation “limits identification” and excludes the exercise of rights and the implementation of security measures (2)

[Table. Columns: Coded; Linked anonymized; Anonymized (under a standardized control). Legend for the cells: Implementable / impossible.]
Rows:
- Information and consent (specific or broad)
- Consent to each transfer: Control of each transfer
- Limits on the use: Control of the use
- Return of results: Mechanisms established
- Right to withdraw: Mechanisms established
- Confidentiality guaranteed: Compromised
- Security measures

CONCLUSIONS
● It is difficult to identify the categories (identifiable / non-identifiable subject) in practice.
● The categorization implies the application / non-application of a specific legal regime.
● Anonymisation and linked anonymisation are useful tools to facilitate research.
● If the subject becomes identifiable, the legal regime of personal data must be applied.
● This regime should include specific rules depending on the possibility that the user of the data can access the code and the justification of the interest. Guarantees should be implemented taking into account the characteristics of genetic data.
● Biobanks could play an important role within this framework.

Thank you! Pilar Nicolás