Anonymous data is not covered as part of the Data Protection Act (DPA) - meaning if patient information were to be leaked or misused, this would not be against the law.
This is according to the Information Commissioner’s Office (ICO), which claims this is the case even if it were to be found out that confidential patient data had been made available to the public.
ICO claims that such information only becomes protected by the DPA when any anonymity is removed and people can be recognised by name.
Meanwhile, the Health and Social Care Information Centre (HSCIC) – the organisation responsible for overseeing the controversial care.data programme – has been left to decide whether records in which patient names have been replaced with pseudonyms place patients at risk.
This information came to light via a Freedom of Information (FOI) request by privacy campaigner Neil Bhatia, who opposes the NHS data sharing scheme.
In the letter sent to Bhatia by ICO, the organisation claims that because there is no risk of identifying anyone from anonymous data, this type of information cannot be considered personal data and therefore is not covered by the DPA.
It says this same theory applies to records containing pseudonyms; however, ICO claims this does become more complicated when third parties become involved.
“It is possible that pseudonymised data may become personal data if it is held by an organisation that holds other information which could be used in conjunction with the pseudonymised data to identify individuals,” said the letter.
“As such, whether pseudonymised data would be covered by the DPA would depend on other information in the data controller’s possession,” it added.
Bhatia has chosen to follow up his initial request and ask for further clarification on the processes ICO has in place to ascertain whether a third party holds information that may make this data personal.