In your role, you may have access to confidential information, including personally identifiable data and St George’s, University of London business and research information. You will be expected to be circumspect and professional regarding this, although you may be required to share this information with colleagues, and perhaps other researchers, subject to law and relevant procedures.
Why confidentiality matters
St George’s partner organisations and stakeholders involved in our research, academic and corporate activities expect that this information will be dealt with in a professional manner.
Individuals would expect their confidential personal data to remain confidential in all their dealings with the university unless informed otherwise.
Handling confidential data
One way to deal with confidential data is to either anonymise or pseudonymise it. It is important to understand the main differences between the two and how each will affect the processing of personal data.
Anonymisation
The UK General Data Protection Regulation (GDPR) defines anonymous data as “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”. GDPR does not apply to anonymised data. The ICO Code of Conduct on Anonymisation (PDF) provides further guidance on anonymisation techniques.
The ICO’s code suggests applying a Motivated Intruder Test to ensure the adequacy of de-identification techniques. See St George’s Motivated Intruder Test SOP (PDF).
Pseudonymisation
Pseudonymisation is not the same as anonymisation and is defined within the GDPR as “the processing of personal data in such a way that the data cannot be attributed to a specific data subject without the use of additional information, as long as additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual”.
Unlike anonymisation, pseudonymisation techniques will not exempt controllers from the GDPR altogether. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
GDPR provides that “personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person” – which means that pseudonymised personal data can still fall within the scope of the GDPR.
Use in research
Where pseudonymised data is in use, there is a residual risk of re-identification; the motivated intruder test can be used to assess the likelihood of this. By applying this test and documenting the decisions, the study will have evidence that the risk of disclosure has been properly considered. This may be a requirement if the study is audited.