The Myth of Anonymization: Has Big Data Killed Anonymity? White Paper. by Jessica Santos, Ph.D. March 2015

Transcription

1 White Paper Catalysts driving successful decisions in life sciences. The Myth of Anonymization: Has Big Data Killed Anonymity? by Jessica Santos, Ph.D. March

2 Anonymization has been a golden ticket for researchers, a get out of jail free card to use data or to legitimize the use of personal data in our normal business practice. Anonymization is aimed to protect individuals personal details, or in the grander scope human rights. But as Big Data is continually growing, will anonymized data still exist? As Big Data is continually growing, will anonymized data still exist? Anonymous Data No More To qualify data as anonymous, either the data subject is no longer identifiable or identification is no longer possible, whether by the data controller or any other person taking account of all the likely means to be reasonably used either by the controller or any other persons to identify the individual. 1 One common myth among researchers is that data will be considered anonymized as long as the name and address are removed. With Big Data being collected all around us, a name and address are no longer needed to identify an individual. For example, an average UK postcode covers 15 households; 2 with just a postcode, all that is needed to locate a person is to see who is the one who mows his lawn on early Saturday morning. With shopping behavior plus demographic categories, service providers can predict a specific teenage pregnancy before her family. 3 Geolocation data can gather a person s place of work and place of residence, which is enough to identify most individuals. How many of us have an identical self who lives and works at the same location? It is not impossible to identify an individual with genetic data combined with profiles available on social media, especially considering 80% of rare diseases are genomic. 4 Big Data knows your personality and potential behavior before you are aware of it, remembers where you ve been after you ve forgotten, and tells your employer whether you re a reliable worker before you submit your application. 5 Few of us are aware that when we find a missing data cell in our anonymized dataset, matching it with another anonymized dataset or Googling are actually attempts of identification. It can be argued that in the Big Data era, with reasonable effort, all anonymous data can be identifiable again. After all, Big Data remembers everything you forgot or wanted to forget. Pseudonymous Data What Is It? Most researchers are aware that heavy restriction on use of personal data is welldocumented in privacy legislation. Researchers are eager to strip off the obviously identifiable information (e.g., name, telephone, address), put them in a separate file in case the original data needs to be verified, and are happy to carry on with the processed anonymised data file. However, few researchers realize they are handling pseudonymous dataset, not the anonymous one they intended. Pseudonymization is the process of distinguishing individuals in a dataset by using a unique identifier that does not reveal their real-world identity. Pseudonymous data is also indirectly identifiable and, therefore, personal data. Although the European Commission s Article 29 Working Party acknowledges that the application of data protection rules may be more flexible, pseudonymous data are still within the scope of the personal data category. One example is whether key-coded clinical trial data is considered anonymous data and therefore is exempted from data protection legislation. Some of the major DPAs (data protection agencies) (e.g., Italy s Garante per la protezione dei dati personali, Spain s Agencia Española de Protección de Datos, the UK s Information Commissioner s Office) are not giving the affirmative go-ahead; some even explicitly include key-coded pseudonymous data within the data protection domain. To truly qualify as anonymous, researchers must completely erase the original data

3 Data breaches cost healthcare firms $5.6 billion annually. or traceable file containing any personal information. This raises several questions. If data is completely non-retraceable, how do we ensure quality? How do we manage risk of adverse events for safety purposes? Most prospective cohort studies and RCTs (randomized clinical trials) cannot use the word anonymous anymore. So What Should Practitioners Do? Burying our heads in the sand and believing that we are processing anonymous data are certainly not recommended. After all, data breaches already cost healthcare firms $5.6 billion annually. 6 In the absence of harmonized local data protection acts, the implications of pseudonymous data are still unclear. If we use a narrow interpretation (or safest approach) to treat all pseudonymous data as the strictest sense of personal data, we would apply the informed explicit consent from individuals practice to the pseudonymous dataset before proceeding. This will certainly be a deliberate identification process, and the biggest challenge is most informed consent requests will not yield any reply, let alone the huge effort and costs associated with this practice. Some data protection legislations stated that statistical guarantee can be a method to ensure anonymity, but it is still an area of active research and can often be challenged. Motive First, what is your motive to analyze pseudonymous data? Where is it coming from, and where will it go? What is the original consent process, and it is compatible with your motive? It is worth mentioning that disproportionate effort is a possible exemption noted in Article 11 of the EU s Data Protection Directive, but it should always be interpreted narrowly. A typical example is a researcher receiving a pseudonymous dataset that is ready for analysis. The personal identifiers are retained by another affiliate (e.g., vendor, client or another in-house department). With some effort, individual personal identifiable information (PII) can be retraced. Before applying the disproportionate effort exemption, we could check the original consent purpose. If the purpose is compatible, analysis can be legitimate. Purpose Limitation What will you do with the data? It is likely the aggregated analytical results will be send to a client or third party. Is this purpose specified, explicit and legitimate? Will the data be further processed in a way incompatible with the original collection purpose? For example, pseudonymous data collected based on consent for research shouldn t be used for marketing purposes. Consider Potential Consequences What are the potential consequences of your analysis? Will it cause any harm to individuals? For example, will the client who receives the data use it to raise insurance premiums or deny treatment for certain individuals? Prohibition of unfair or deceptive acts or practices is explicitly stated in the US FTC (Federal Trade Commission) Act (Section 5). This is particularly significant if the original purpose is not clear or obtainable. General Practices Removing directly identifying elements is not enough; additional measures to prevent identification also should be taken, such as permanently separating the storage location of identifiable data or encryption. In addition, randomization and generalization are data treatment methods to prevent identification and maintain data integrity. 7 What Is the Reference Guideline on This? The Big Data phenomenon is evolving faster than most legislation and industry codes. Different national DPAs (Data Protection

4 Authorities) are suggesting different measures in recognition of this topic. practice principles of transparency, confidential and honesty at all times. Not all practitioners should follow BMW s example of saying no thanks to Big Data analytics. The UK s ICO introduced the motivated intruder test : The motivated intruder is a person who starts without any prior knowledge but who wishes to identify the individual from whose personal data the anonymized data has been derived. 8 The test assesses whether the motivated intruder would be successful. France s data protection authority, the CNIL (Commission Nationale de l Informatique et des Libertés), included a section in its 2010 guidance on security of personal data about anonymization that outlines basic measures for anonymizing data. The measures include generating a secret code of the appropriate length and complexity, applying a oneway function to the data, and setting up organizational measures to guarantee the confidentiality of the secret code if it needs to be preserved. Across the pond, U.S. HIPAA rules have 18 clear identifiers to achieve the safe harbor method of de-identification that is cheered by most practitioners, but any doubtful unfair and deceptive act will still be governed by the Federal Trade Commission. Motive, purpose limitation and potential harm are still applicable. ISO s Technical Specification for pseudonymization also contains principles and requirements for privacy protection using pseudonymization services and defines a basic methodology for pseudonymization services, including organizational and technical aspects, and specifies a policy framework and minimal requirements for trustworthy practices for the operations of a pseudonymization service. Last Thoughts Not all practitioners should follow BMW s example of saying no thanks to Big Data analytics. 9 However, we should be extremely careful to know that the safety net of anonymity is no longer clear. Researchers should balance public and individual harm with benefit to future medical advancement with Although Big Data is the cause of death for anonymity, it also reveals beneficial consequences for medical research. Through Big Data, individuals with high genetic risk have been discovered before they themselves were aware of it; an epidemic can be prevented down to individuals who are in the second or third layer to be infected. If the future of healthcare is developing personalized medicine, should the position on the contribution of personal data be reconsidered? After all, isn t medicine for me better than medicine for people like me? References 1 European Commission. Article 29 Working Party. index_en.htm. Accessed 27 Jan Office for National Statistics. 3 Piatetsky, Gregory. Did Target Really Predict a Teen s Pregnancy? 7 May kdnuggets.com/2014/05/target-predict-teenpregnancy-inside-story.html 4 EURORDIS Rare Diseases Europe. About Rare Diseases. Accessed 27 Jan Five really scary things Facebook knows about you. Yahoo News. html. Accessed 27 Jan Solove, Daniel J. The Best Preventative Medicine for Health Data Breaches. Teach Privacy. 6 Oct Sidley Austin Anonymisation: How Anonymous is Anonymous? The EU Legal Position. IAPP Europe Information Commissioner s Office. Anonymisation: managing data protection risk code of practice. documents/1061/anonymisation-code.pdf 9 Murphy, Margi. BMW says no thanks to tech companies asking for its connected car data. Computerworld UK. 14 Jan 2015.

5 For more information, please visit About Kantar Health Kantar Health is a leading global healthcare consulting firm and trusted advisor to many of the world s leading pharmaceutical, biotech and medical device and diagnostic companies. It combines evidence-based research capabilities with deep scientific, therapeutic and clinical knowledge, commercial development knowhow, and brand and marketing expertise to help clients evaluate opportunities, launch products and maintain brand and market leadership. Kantar Health deeply understands the influence of patients, payers and physicians, especially as they relate to the performance and payment of medicines and the delivery of healthcare services. Our advisory services, built on a solid foundation of market research and data, span three areas critical to bringing new medicines and pharmaceutical products to market commercial development, clinical strategies and marketing effectiveness. Kantar Health operates in more than 40 countries and employs more than 600 healthcare industry specialists and practitioners, including a high number of medical doctors, epidemiologists, PhDs, PharmDs and pharmacists, and biologists, biochemists and biophysicists. We work across the product lifecycle, from preclinical development to launch, and are experts at bringing multiple stakeholders together to advance the commercialization of pharmaceutical products. Our team acts as catalysts to successful decision making in the life sciences industry, helping our clients prioritize their product development and portfolio activities, differentiate their brands and drive product success post-launch. Kantar Health is part of Kantar, the data investment management division of WPP. About the Author Jessica Santos, Ph.D. Dr. Jessica Santos is the Global Compliance Director in Kantar Health, the largest custom market research company focused on the life sciences industry. She is primarily responsible for providing oversight and support across the 40+ Kantar Health global offices in the areas of regulation, interaction with clients, suppliers and others within Kantar Health, Kantar and WPP. Dr. Santos is responsible for maintaining, anticipating and coordinating all activities with regard to compliance laws/regulations, industry guidelines, pharamcovigilance and client contracts, defining and driving the execution of Kantar Health s Quality Strategy our approach to measuring and improving our quality efforts. Dr. Santos is an experienced statistician, analyst, methodologist and market research scientist. She gained her reputation through her publications and professional committee work in the industry. She is a frequent speaker and contributor in major conferences and has a Ph.D. in Marketing, an MRS fellowship and Chartered Marketer status. Dr. Santos is a member of UK Research Ethics Committee, EphMRA, BHBIA and PMRG Government Affairs Committee, reviewer and co-chair of ISPOR, and MRS Professional Development Advisory Board and Examiner. If you would like us to act as catalysts for you, contact us at