Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
Does de-identification require consent under the GDPR and English common law?
Journal of Data Protection & Privacy,
3
(3),
291-298
(2020)
Abstract
Data de-identification has many benefits in the context of the General Data Protection Regulation (GDPR). One of the recurring questions is whether consent is required to anonymise or de-identify data. In this paper, the authors make the case that no consent is required for anonymisation or other forms of de-identification under the GDPR, although additional conditions have to be met where special category data is anonymised. Further, under the English equitable duty of confidentiality, consent is generally not required if the de-identification is performed by the direct care team or on behalf of the direct care team; it is arguable that de-identification can also be performed by others outside of the direct care team, but less clear. The alternative would be special authorisation under section 251 of the National Health Service (NHS) Act.
Keywords: Privacy-enhancing technologies; de-identification; anonymisation; consent; secondary purposes; data sharing; General Data Protection Regulation Compliance; English common law
The full article is available to subscribers to the journal.
Author's Biography
Khaled El Emam is the founder and President of Privacy Analytics, an IQVIA company. As an entrepreneur, Khaled founded or co-founded five companies involved with data management and data analytics. He has worked in technical and management positions in academic and business settings in the UK, Germany, Japan and Canada. Khaled is also a senior scientist at the Children’s Hospital of Eastern Ontario (CHEO) Research Institute and director of the multidisciplinary Electronic Health Information Laboratory (EHIL) team, conducting academic research on de-identification and re-identification risk. He is a recognised expert in statistical de-identification and re-identification risk measurement. Khaled was one of the first Privacy by Design Ambassadors recognised by the Ontario Information and Privacy Commissioner. In 2003 and 2004, Khaled was ranked as the top systems and software engineering scholar worldwide by the Journal of Systems and Software, based on his research on measurement and quality evaluation and improvement. Previously, Khaled was a senior research officer at the National Research Council of Canada. He also served as the head of the Quantitative Methods Group at the Fraunhofer Institute in Kaiserslautern, Germany. He previously held the Canada Research Chair in Electronic Health Information at the University of Ottawa and is a professor in the Faculty of Medicine (Pediatrics) at the university. He has a PhD from the Department of Electrical and Electronics Engineering, King’s College, at the University of London, UK.
Mike Hintze is a partner at Hintze Law PLLC. As a recognised leader in the field, he advises companies, industry associations and other organisations on global privacy and data protection law, policy and strategy. He was previously Chief Privacy Counsel at Microsoft, where for over 18 years he counselled on data protection compliance globally and helped lead the company’s strategic initiatives on privacy differentiation and public policy. Mike also teaches privacy law at the University of Washington School of Law, serves as an adviser to the American Law Institute’s project on Information Privacy Principles and has served on multiple advisory boards for the International Association of Privacy Professionals and other organisations. Mike has testified before Congress, state legislatures and European regulators; and he is a sought-after speaker and regular writer on data protection issues. Prior to joining Microsoft, Mike was an associate with Steptoe & Johnson LLP, which he joined following a judicial clerkship with the Washington State Supreme Court. Mike is a graduate of the University of Washington and the Columbia University School of Law.
Ruth Boardman is based in London and cohead of Bird & Bird’s International Privacy and Data Protection Group. Ruth provides practical advice and solutions to complex legal issues. Ruth has had extensive experience advising a broad range of organisations on data-privacy matters. She advises on the data protection aspects of new products or services and on commercial arrangements involving personal data and personal data breaches. She also advises clients on their dealings with data protection authorities, with the European Data Protection Board and with those involved in passing new data protection legislation. Ruth works with clients in many sectors — including online providers and ad-tech, new technology and electronics, life sciences, financial services including payments, creative industries (such as music and film), automotive and sports. She is coauthor of Data Protection Strategy (Sweet & Maxwell), which has just been republished to take account of the General Data Protection Regulation (GDPR) and UK legislation. Ruth has edited the Encyclopaedia of Data Protection (Sweet & Maxwell) and sits on the editorial board of the professional journal Data Protection Leader. She is also a Board Member of the International Association of Privacy Professionals. Ruth assists the Global Alliance on Responsible Genome and Clinical Data Sharing, where she is a member of its Regulatory and Legal Group.
