GPDPR - #NHSDataGrab - Why pseudonymisation isn't safe

– Psuedonymisation [from pseudo anonymisation] means key bits of your data have been replaced with a coded version of that information, such ss your name, address, NHS Number and so on. Unlike anonymisation, this coding can be decoded, with a special key, held by NHS Digital, in this case.

So, after turning on GPDPR and collecting your GP record, NHS Digital will be holding your GP record, and lots of other NHS medical records, and linking them together as your Pseudonymised [coded] NHS number and name are the same, in all the data sets, which allows a link to be made.

For most uses, they can do all they need to, plan, support research, without using the key to unlock your identity.

Phil Booth of MedConfidential used a phrase ‘temporary anonymisation’ to describe this. In other words it’s a bit like ‘The Masked Singer’, with the patient’s identity revealed at the end [mask off = using the key to decode your name etc.]

For a while, lots of people running smaller NHS databases [e.g. a county level] that combine data, support planning and through ‘risk stratification’ try and find patients who need extra care, all believed Psuedonymisation was a magic bullet to solve issues with holding massive databases with lots of personal confidential information in.

So far so good.

Then, academic researchers came along and spoiled the party by suggesting that patients could be re-identified, without using the key, by combining the [row-level] data with other sources of data, e.g. from social media, phone records and so on.

Over time, with the revolution in mobile technology, we create a bigger and bigger pool of data about ourselves, to enable this to happen.

A simple example would be location tracking by Google using Google Maps / Android. Right now, if I go into Google Maps and look up my GP Practice, Google tells me I visited on 4 different days since March. That’s more than enough for Google to uniquely identify me, my NHS number and thus reveal who my entire medical record belongs to. Even Google’s own engineers don’t know how to disable Google location tracking, by the way.

If a database of ‘psuedonymised’ or ‘anonymised’ information gets into the wrong hands, this would be a disaster on a number of levels. For example; – it could reveal the home addresses of people of interest to enemy states, or celebrity stalkers – it could reveal the home addresses of domestic abuse survivors – it could be used to create really believable scams and frauds – it could be used for black-mail – it could be used to target people for propaganda campaigns and on and on….

And this is why, lots of campaigners are worried about these pseudonymised data sets being released, as pseudonymisation is no protection at all.