Line to take - LTT144 - Personal data - anonymised statistics: Difference between revisions

From FOIwiki
Jump to navigationJump to search
(ltt144)
 
m (Reverted edits by 112.207.246.196 (talk) to last revision by Alex skene)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
* FOI/EIR: FOI
* FOI/EIR: FOI
* Section/Regulation: s40
* Section/Regulation: [[LTT Exemption::FOI 40|s40]]
* Issue: Personal data - anonymised statistics
* Issue: [[LTT Title::Anonymised Personal Data]]
* Source: Policy Team
* Source: Policy Team
* Details: Department of Health (Decision Notice -28 July 2008) — APPEALED; Common Services Agency / Scottish Information Commissioner  
* Details: Department of Health (Decision Notice 28 July 2008); Department of Health / Pro-Life Alliance (15 October 2009); Common Services Agency / Scottish Information Commissioner  
* Related Lines to Take: [[LTT71]]
* Related Lines to Take: [[LTT71]], [[LTT162]]
* Related Documents: [[FS50122432]] (DoH), [2008] UKHL 47 (Common Services Agency), DP Technical Guidance “Determining what is personal data”  
* Related Documents: [[FS50122432]] (DoH), [2008] UKHL 47 (Common Services Agency), DP Technical Guidance “Determining what is personal data”, [[EA/2008/0074]] (DOH)
* Contact: RM/HD
* Contact: HD/RM
* Date: 24/02/2009
* Date: [[LTT Date::11/11/2010]]
* Policy Reference: LTT144  
* Policy Reference: [[LTT Ref::LTT144]]
 
* {{Copyright-ICO}}
[[Category:ICO Line To Take]]


== Line to take ==
== Line to take ==


'''INTERIM LINE'''
Truly anonymised data is not personal data and thus can be disclosed without reference to the Data Protection Act.  
 
Truly anonymised data / statistics is not personal data and thus can be disclosed without reference to the Data Protection Act.  


The Commissioner does not accept that where a public authority holds information to identify living individuals from the anonymised data, that this turns the anonymised data into personal data. The Commissioner draws support for this approach from the House of Lords’ judgment in the case of the Common Services Agency v Scottish Information Commissioner [2008] UKHL 47.  
The Commissioner does not accept that where a public authority holds information to identify living individuals from the anonymised data, that this turns the anonymised data into personal data. The Commissioner draws support for this approach from the House of Lords’ judgment in the case of the Common Services Agency v Scottish Information Commissioner [2008] UKHL 47.  
Line 24: Line 24:
== Further Information ==
== Further Information ==


'''** PLEASE NOTE THAT THIS IS AN INTERIM LINE AS THE CASE ON WHICH IT IS BASED IS CURRENTLY UNDER APPEAL TO THE INFORMATION TRIBUNAL ** '''
'''For the Commissioner’s view on the recent D0H (abortion stats) case - SEE IT SUMMARY. Please also note that the DoH has appealed the Tribunal's decision to the High Court.'''
 
 
'''The Commissioner’s approach'''


The Commissioner considers that truly anonymised data is not personal data and thus there is no need to consider the application of any Data Protection Act principles when considering whether or not to disclose truly anonymised data.  
The Commissioner considers that truly anonymised data is not personal data and thus there is no need to consider the application of any Data Protection Act principles when considering whether or not to disclose truly anonymised data.  
'''The alternative view'''


However, some data controllers point to the wording of s1(1) of the Data Protection Act which states that “''...personal data means data which relate to a living individual who can be identified — (a) from those data, or (b) from those data and other information which is '''in the possession of''', or is '''likely to come into the possession of the data controller'''...''” (emphasis added) to argue that although no living individual could be identified from the requested information on its own, that as the data controllers hold other information which would allow individuals to be identified, this must necessarily make the information, personal data.  
However, some data controllers point to the wording of s1(1) of the Data Protection Act which states that “''...personal data means data which relate to a living individual who can be identified — (a) from those data, or (b) from those data and other information which is '''in the possession of''', or is '''likely to come into the possession of the data controller'''...''” (emphasis added) to argue that although no living individual could be identified from the requested information on its own, that as the data controllers hold other information which would allow individuals to be identified, this must necessarily make the information, personal data.  


The Commissioner does not accept this approach.  
The Commissioner does not accept this approach because it has the potential to restrict the amount that can be disclosed in, broadly speaking, two scenarios.
 
The most obvious is where it is not possible to identify any individual from any of the information falling within the scope of the request, but the data controller holds additional, unrequested, information which would allow the data controller to identify individuals from that which has been requested. A good example of this is where the information that has been requested consists of a table of statistics. Although it may not be possible to identify anyone from the statistics alone, the data controller that produced those statistics will have the raw data from which those statistics were compiled and so will be able to identify those individuals that the statistics refer to. By adopting the alternative view outlined above, even though the statistics themselves were anonymised they would still be considered personal data since the data controller held additional, identifying, information. Therefore it would be necessary to consider the application of the data protection principles before disclosing the statistics. This could be problematic for example, where the statistics related to criminal offences or health issues and would therefore have to be treated as sensitive personal data.
 
The second situation is where individuals can be identified from the information that has been requested when considered in its entirety. For example, an applicant requests a report into a major overspend at a local authority involving allegations of corruption. The report deals with the actions, responsibilities and competences of the officials involved. It may be possible to redact information from that report that identifies the individuals concerned. However under the approach outlined above the disclosure of the residual, redacted, anonymised information would still require consideration of the data protection principles.
 
 
'''The Commissioner's approach in more detail'''


Therefore the Commissioner considers that even where the data controller holds that additional ‘identifying’ information, that this does not prevent them from anonymising that information to the extent that it would not be possible to identify any living individual from that information alone and thus would no longer be personal data.  
Therefore the Commissioner considers that even where the data controller holds that additional ‘identifying’ information, that this does not prevent them from anonymising that information to the extent that it would not be possible to identify any living individual from that information alone and thus would no longer be personal data.  


However it is then necessary to go onto to consider the information which is available to the public. The test of whether the information is truly anonymised is whether a (or any) member of the public could identify individuals by cross-referencing the ‘anonymised’ data with information or knowledge already available to the public. Whether this ‘cross-referencing’ is possible is a question of fact based on the circumstances of the specific case.  
This would accommodate the disclosure of information in both the scenarios discussed above without having to consider the data protection principles. The table of statistics could be disclosed because no one could be identified from the statistics alone. And similarly the redacted version of report could be disclosed because, again, at the point of disclosure, no one could be identified from it.
 
 
'''Truly anonymised data'''
 
However before deciding whether the information is anonymised and so can be disclosed without reference to the data protection principles it is also necessary to go on to consider the information which is available to the public. The test of whether the information is truly anonymised is whether a (or any) member of the public could identify individuals by cross-referencing the anonymised data with information or knowledge already available to the public. Whether this ‘cross-referencing’ is possible is a question of fact based on the circumstances of the specific case.
 
Returning to the two scenarios above, with the table of statistics it would still be necessary to consider whether, for example, a low cell count revealing that only one person in a small geographical area had a particular illness would allow people from that area to use their local knowledge to identify that person. Similarly with the report into the treatment of patient it would be necessary to consider whether information gleaned from any news reports of the allegations would enable someone to identify who the references in the report related to. In practice the onus would be on the public authority to explain how such identification may occur.
 
Policy Delivery is currently considering whether it is possible to provide any additional guidance on this issue.


If identification is possible the information is still personal data and the data protection principles do need to be considered when deciding whether disclosure is appropriate. However, where the anonymised data cannot be linked to an individual using the additional available information (i.e. the information had been truly anonymised) then, the information can be considered for disclosure without any reference to DPA principles.  
If identification is possible the information is still personal data and the data protection principles do need to be considered when deciding whether disclosure is appropriate. However, where the anonymised data cannot be linked to an individual using the additional available information (i.e. the information had been truly anonymised) then, the information can be considered for disclosure without any reference to DPA principles.  
Line 42: Line 64:
“''...Rendering data anonymous in such a way that the individual to whom the in formation from which they are derived refers is no longer identifiable would enable the information to be released without having to apply the principles of [data] protection ...'' ” (para 25).  
“''...Rendering data anonymous in such a way that the individual to whom the in formation from which they are derived refers is no longer identifiable would enable the information to be released without having to apply the principles of [data] protection ...'' ” (para 25).  


The approach outlined above has been taken in the following case which is currently under appeal to the Information Tribunal.


'''Case reference [[FS50122432]] '''
'''Department of Health — Abortion Statistics Case'''
 
'''The Decision Notice ([[FS50122432]])'''


The complainant made a request to the Department of Health (the “DoH”) for a full statistical breakdown of the number of abortions carried out in 2003 under ground (e) — abortions where there is a substantial risk that if the child were born it would suffer from serious physical or mental abnormalities. This information is supplied to the Chief Medical Officer on Abortion Notification Forms which also include details of abortions of foetuses over 24 weeks gestation.  
The complainant made a request to the Department of Health (the “DoH”) for a full statistical breakdown of the number of abortions carried out in 2003 under ground (e) — abortions where there is a substantial risk that if the child were born it would suffer from serious physical or mental abnormalities. This information is supplied to the Chief Medical Officer on Abortion Notification Forms which also include details of abortions of foetuses over 24 weeks gestation.  
Line 54: Line 77:
At paragraphs 45 & 46, the Commissioner confirmed that he was not persuaded by this argument and said that “''...the statistical information is so far removed from the information on the Abortion Notification forms that it no longer retains the attributes of personal data. In reaching this view the Commissioner has noted that the DoH accepts that an individual cannot be identified by the requested information alone...''”  
At paragraphs 45 & 46, the Commissioner confirmed that he was not persuaded by this argument and said that “''...the statistical information is so far removed from the information on the Abortion Notification forms that it no longer retains the attributes of personal data. In reaching this view the Commissioner has noted that the DoH accepts that an individual cannot be identified by the requested information alone...''”  


The Commissioner is maintaining this approach at the forthcoming appeal before the Tribunal although accepts that this approach has not been adopted in previous cases, for example, [[FS50133250]] (Caerphilly County Borough Council — pupils excluded from schools as a result of drugs finds).
Thus it was the Commissioners conclusion that anonymous information is not personal data and provided the data subject is not identifiable upon disclosure to a third party, it is not personal data. The Commissioner sought to rely upon the House of Lords decision in the CSA v Scottish Agency case referred to above.
 
The Commissioner accepts that this approach has not been adopted in previous cases, for example, [[FS50133250]] (Caerphilly County Borough Council — pupils excluded from schools as a result of drugs finds).
 
 
'''The Tribunal's Decision ([[EA/2008/0074]])'''
 
On appeal to the Tribunal, the Commissioner maintained the position taken in the decision notice. The DOH argued that the statistical information is not anonymous in the hands of the data controller.
 
The Tribunal concluded that the question of fact for the Scottish Commissioner (in the CSA case) was whether the process of barnardisation would mean that the data could not be reconstituted to its original form by the agency, in which case it could be released without further reference to the DPA. Consequently the Tribunal is satisfied that for the purposes of section 40(2)(a) FOIA, the statistics derived from the HSA4 forms "''constitute personal data''" pursuant to section 1(1)(b) DPA "''in the hands of the DOH, because the data relates to individuals who may be identified from those data and other information held in the HSA4 forms.''" (para 43).
 
Thus, the Tribunal found that the disputed information was personal data in the hands of the DoH. However the Tribunal also concluded that the likelihood of identifying any of the individuals was so remote as to make any disclosure fair. This lack of identifiability also meant that Schedule 2, condition 6 was satisfied given that the disclosure would serve the legitimate interest in publishing abortion statistics but would not cause any unwarranted interference with the rights of the data subjects.
 
Therefore, the Tribunal arrived at the same conclusion as the Commissioner but on the alternative premise that the statistical information was personal data in the hands of the data controller.
 
The DoH has now appealed the decision of the Tribunal to the High Court (it has been listed for early Feb 2011, however the actual decision may not be promulgated until later in 2011). However pending any High Court judgment, the Commissioner will maintain his position that anonymous information is not personal data and that as long as the data subject is not identifiable upon disclosure to a third party, it is not personal data.

Latest revision as of 22:27, 27 June 2011

  • FOI/EIR: FOI
  • Section/Regulation: s40
  • Issue: Anonymised Personal Data
  • Source: Policy Team
  • Details: Department of Health (Decision Notice 28 July 2008); Department of Health / Pro-Life Alliance (15 October 2009); Common Services Agency / Scottish Information Commissioner
  • Related Lines to Take: LTT71, LTT162
  • Related Documents: FS50122432 (DoH), [2008] UKHL 47 (Common Services Agency), DP Technical Guidance “Determining what is personal data”, EA/2008/0074 (DOH)
  • Contact: HD/RM
  • Date: 11/11/2010
  • Policy Reference: LTT144
  • © Copyright Information Commissioner's Office, re-used with permission
  • Original source linked from here: LTT


Line to take

Truly anonymised data is not personal data and thus can be disclosed without reference to the Data Protection Act.

The Commissioner does not accept that where a public authority holds information to identify living individuals from the anonymised data, that this turns the anonymised data into personal data. The Commissioner draws support for this approach from the House of Lords’ judgment in the case of the Common Services Agency v Scottish Information Commissioner [2008] UKHL 47.

However if a member of the general public could identify individuals by cross-referencing the anonymised data with information already in the public domain, then the information is personal data. Whether it is possible to identify individuals from the anonymised data is a question of fact based on the circumstances of the specific case.


Further Information

For the Commissioner’s view on the recent D0H (abortion stats) case - SEE IT SUMMARY. Please also note that the DoH has appealed the Tribunal's decision to the High Court.


The Commissioner’s approach

The Commissioner considers that truly anonymised data is not personal data and thus there is no need to consider the application of any Data Protection Act principles when considering whether or not to disclose truly anonymised data.


The alternative view

However, some data controllers point to the wording of s1(1) of the Data Protection Act which states that “...personal data means data which relate to a living individual who can be identified — (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of the data controller...” (emphasis added) to argue that although no living individual could be identified from the requested information on its own, that as the data controllers hold other information which would allow individuals to be identified, this must necessarily make the information, personal data.

The Commissioner does not accept this approach because it has the potential to restrict the amount that can be disclosed in, broadly speaking, two scenarios.

The most obvious is where it is not possible to identify any individual from any of the information falling within the scope of the request, but the data controller holds additional, unrequested, information which would allow the data controller to identify individuals from that which has been requested. A good example of this is where the information that has been requested consists of a table of statistics. Although it may not be possible to identify anyone from the statistics alone, the data controller that produced those statistics will have the raw data from which those statistics were compiled and so will be able to identify those individuals that the statistics refer to. By adopting the alternative view outlined above, even though the statistics themselves were anonymised they would still be considered personal data since the data controller held additional, identifying, information. Therefore it would be necessary to consider the application of the data protection principles before disclosing the statistics. This could be problematic for example, where the statistics related to criminal offences or health issues and would therefore have to be treated as sensitive personal data.

The second situation is where individuals can be identified from the information that has been requested when considered in its entirety. For example, an applicant requests a report into a major overspend at a local authority involving allegations of corruption. The report deals with the actions, responsibilities and competences of the officials involved. It may be possible to redact information from that report that identifies the individuals concerned. However under the approach outlined above the disclosure of the residual, redacted, anonymised information would still require consideration of the data protection principles.


The Commissioner's approach in more detail

Therefore the Commissioner considers that even where the data controller holds that additional ‘identifying’ information, that this does not prevent them from anonymising that information to the extent that it would not be possible to identify any living individual from that information alone and thus would no longer be personal data.

This would accommodate the disclosure of information in both the scenarios discussed above without having to consider the data protection principles. The table of statistics could be disclosed because no one could be identified from the statistics alone. And similarly the redacted version of report could be disclosed because, again, at the point of disclosure, no one could be identified from it.


Truly anonymised data

However before deciding whether the information is anonymised and so can be disclosed without reference to the data protection principles it is also necessary to go on to consider the information which is available to the public. The test of whether the information is truly anonymised is whether a (or any) member of the public could identify individuals by cross-referencing the anonymised data with information or knowledge already available to the public. Whether this ‘cross-referencing’ is possible is a question of fact based on the circumstances of the specific case.

Returning to the two scenarios above, with the table of statistics it would still be necessary to consider whether, for example, a low cell count revealing that only one person in a small geographical area had a particular illness would allow people from that area to use their local knowledge to identify that person. Similarly with the report into the treatment of patient it would be necessary to consider whether information gleaned from any news reports of the allegations would enable someone to identify who the references in the report related to. In practice the onus would be on the public authority to explain how such identification may occur.

Policy Delivery is currently considering whether it is possible to provide any additional guidance on this issue.

If identification is possible the information is still personal data and the data protection principles do need to be considered when deciding whether disclosure is appropriate. However, where the anonymised data cannot be linked to an individual using the additional available information (i.e. the information had been truly anonymised) then, the information can be considered for disclosure without any reference to DPA principles.

This approach is supported by paragraphs 24 & 25 of Lord Hope’s judgment in the House of Lords’ case of the Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, where it was said:

...Rendering data anonymous in such a way that the individual to whom the in formation from which they are derived refers is no longer identifiable would enable the information to be released without having to apply the principles of [data] protection ... ” (para 25).


Department of Health — Abortion Statistics Case

The Decision Notice (FS50122432)

The complainant made a request to the Department of Health (the “DoH”) for a full statistical breakdown of the number of abortions carried out in 2003 under ground (e) — abortions where there is a substantial risk that if the child were born it would suffer from serious physical or mental abnormalities. This information is supplied to the Chief Medical Officer on Abortion Notification Forms which also include details of abortions of foetuses over 24 weeks gestation.

The complainant made the request because when the DoH took over responsibility for publishing this information in 2002, they reduced the level of detail from very detailed (including showing counts of 0, 1 or 2 cases) to redacting the numbers where the occurrences were less than 10.

The DoH withheld disclosure on the grounds of sections 40 and 44. In relation to s40, the public authority raised the argument outlined above based on the wording of s1 DPA.

At paragraphs 45 & 46, the Commissioner confirmed that he was not persuaded by this argument and said that “...the statistical information is so far removed from the information on the Abortion Notification forms that it no longer retains the attributes of personal data. In reaching this view the Commissioner has noted that the DoH accepts that an individual cannot be identified by the requested information alone...

Thus it was the Commissioners conclusion that anonymous information is not personal data and provided the data subject is not identifiable upon disclosure to a third party, it is not personal data. The Commissioner sought to rely upon the House of Lords decision in the CSA v Scottish Agency case referred to above.

The Commissioner accepts that this approach has not been adopted in previous cases, for example, FS50133250 (Caerphilly County Borough Council — pupils excluded from schools as a result of drugs finds).


The Tribunal's Decision (EA/2008/0074)

On appeal to the Tribunal, the Commissioner maintained the position taken in the decision notice. The DOH argued that the statistical information is not anonymous in the hands of the data controller.

The Tribunal concluded that the question of fact for the Scottish Commissioner (in the CSA case) was whether the process of barnardisation would mean that the data could not be reconstituted to its original form by the agency, in which case it could be released without further reference to the DPA. Consequently the Tribunal is satisfied that for the purposes of section 40(2)(a) FOIA, the statistics derived from the HSA4 forms "constitute personal data" pursuant to section 1(1)(b) DPA "in the hands of the DOH, because the data relates to individuals who may be identified from those data and other information held in the HSA4 forms." (para 43).

Thus, the Tribunal found that the disputed information was personal data in the hands of the DoH. However the Tribunal also concluded that the likelihood of identifying any of the individuals was so remote as to make any disclosure fair. This lack of identifiability also meant that Schedule 2, condition 6 was satisfied given that the disclosure would serve the legitimate interest in publishing abortion statistics but would not cause any unwarranted interference with the rights of the data subjects.

Therefore, the Tribunal arrived at the same conclusion as the Commissioner but on the alternative premise that the statistical information was personal data in the hands of the data controller.

The DoH has now appealed the decision of the Tribunal to the High Court (it has been listed for early Feb 2011, however the actual decision may not be promulgated until later in 2011). However pending any High Court judgment, the Commissioner will maintain his position that anonymous information is not personal data and that as long as the data subject is not identifiable upon disclosure to a third party, it is not personal data.