Category Archives: anonymisation

What’s in a name?

For reasons which will become obvious, I have replaced the names of two people referred to in this post with “John Doe” and “Jane Doe”: I’ve no wish to perpetuate a possible wrong.

Last night I was reading a recent judgment of the High Court in the matter of an appeal by a barrister from a decision of sanction by the Bar Tribunals and Adjudication Service. The judge, Mr Justice Warby, is one of the most senior media law judges in the country. Indeed, as judge in charge of the Media and Communications List, he is arguably the most senior such judge.

Mr Justice Warby knows a lot, then, about privacy, and data protection, and harm to reputation. As the judge who decided the landmark NT1 and NT2 cases, he also knows a lot about the concept of the “right to be forgotten” and how historic, outdated or inaccurate information on the internet has the potential to cause unwarranted harm in the future.

Yet in the case I will discuss here, I think he adopts a course of action in writing his judgment (one which he implies he may well repeat in future) which has the potential to cause great harm to wholly innocent individuals.

The facts of the case are not particularly relevant. Suffice to say that the barrister in question (named Khan) was suspended because it was found that he had engaged in serious misconduct in inter alia discussing in a robing room serious allegations of sexual offences made by a former client of his against another practising barrister.

In reading the description of the agreed facts I was perturbed, to say the least, to note that the names of the former client and the alleged offender were apparently given in full:

What Mr Khan did, in summary, was this. On two occasions, in the robing rooms of two Courts in the Midlands, he spoke words that suggested to those who were present and heard him that a fellow barrister, [John Doe], had (a) stalked and then (b) raped another, female, lawyer who had been Mr Khan’s client and, (c) when she complained of this, caused serious threats to her life to be made, in an attempt to cover up what had taken place. All the information that Mr Khan had about these matters came from his former client, [Jane Doe], who was the complainant.

The explanation for using apparently real full names was given by Warby J in the following paragraph:

I have…changed the name of the complainant because, as someone who has alleged rape, she is entitled to lifetime anonymity (Sexual Offences (Amendment) Act 1992, s 1). To make anonymity effective in her case, I have also changed the name of the barrister she accused. [John Doe] is not his real name. I have used this method of anonymisation, in preference to the use of initials, as it is at least as effective, less artificial, and reduces the potential for confusion

This strikes me as, with respect to the learned judge, profoundly misguided. The use of initials (obviously not the person’s actual initials) does not just anonymise the person to whom they relate; it also avoids the risk of someone else inadvertently being associated with the allegations.

Because – here’s the rub – there does appear (unsurprisingly) to be a former barrister (now solicitor) called “[John Doe]”. He is clearly not the [John Doe] Warby J refers to (not least because [John Doe] in the judgment is, of course, a pseudonym). But, as is all too obvious in the modern world, snippets of information can sometimes become separated from their context, and used, inadvertently or even maliciously, to harmful effect.
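The collision risk described above can be illustrated with a toy sketch (the names and the “register” below are invented purely for illustration; this is not how courts anonymise judgments): a natural-sounding pseudonym can coincide with a real, unrelated person’s name, whereas arbitrary random initials are obviously artificial and carry no such association.

```python
import secrets
import string

# Purely illustrative "register" of real practitioners' names (invented).
REAL_NAMES = {"John Doe", "Jane Smith", "Amit Patel"}

def realistic_pseudonym():
    """A natural-sounding substitute name (the approach the judgment took)."""
    return "John Doe"

def initials_pseudonym(used):
    """Arbitrary random initials (the approach this post prefers):
    obviously artificial, and very unlikely to match a real person."""
    while True:
        candidate = "".join(secrets.choice(string.ascii_uppercase) for _ in range(2))
        if candidate not in used:  # avoid reusing initials within one judgment
            used.add(candidate)
            return candidate

# A realistic pseudonym can collide with a real, unrelated person's name:
print(realistic_pseudonym() in REAL_NAMES)  # True against this toy register

# Random initials carry no such association:
used = set()
print(initials_pseudonym(used))  # e.g. "XQ"
```

The point of the sketch is only that the probability of a realistic pseudonym matching somebody’s actual name is far from negligible, while a random two-letter label matching a person is essentially nil.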

It is by no means unlikely that the first paragraph I quote above could later be quoted, or extracted, and read in isolation, and that the lawyer who is really called [John Doe], but who has no connection whatsoever to the events in the judgment, could be defamed or otherwise harmed as a result.

Put it this way – if I were the lawyer who is really called [John Doe] I would be horrified, and greatly aggrieved, by paragraph 5 of Warby J’s judgment.

A while ago, my enjoyment of a silly internet game, whereby one Googles the phrase “X was convicted of” (where X is one’s own name), was swiftly replaced by abject dismay, when I found that someone sharing my name had been convicted of a horrific offence. This was pure, if unfortunate, coincidence. What Mr Justice Warby appears to have done in this judgment, and is – I fear – proposing to do in future judgments, is deliberately try to develop (for the best of reasons) a judicial naming convention which risks great harm to wholly innocent and unwitting individuals. I hope he rethinks.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under anonymisation, defamation, Open Justice, sexual offences amendment act

The wrong test for anonymisation?

UPDATE: 23.01.15 The ICO has responded [.doc file] to my request for a review of their decision. I drew their attention to the arguments on this page but they don’t even mention them, let alone provide a counter-analysis, in dismissing my complaints (“Having reviewed the matter, I agree with the explanations provided”). I am invited by the ICO to consider taking my own legal action. I understand that the ICO and I might have differing views on a DPA matter, but what I find difficult to accept is the refusal even to enter into a discussion with me about the detailed arguments I’ve made. END UPDATE

In February this year I asked the Information Commissioner’s Office (ICO) to investigate reports that Hospital Episode Statistics (HES) data had apparently been sold to an actuarial society by the NHS Information Centre (NHSIC), the predecessor to the Health and Social Care Information Centre (HSCIC). Specifically I requested, as a data subject can under s42 of the Data Protection Act 1998 (DPA), that the ICO assess whether it was likely or not that the processing of my personal data by NHSIC and others had been in compliance with the DPA.

Nine months later, I was still awaiting the outcome. But a clue to how the assessment would turn out was contained in the text of Sir Nick Partridge’s six-month review of various data releases by NHSIC (his original report in June seemed to me to point to multiple potential DPA contraventions). In the review document he says:

Six investigations have been separately instigated by the HSCIC or Information Commissioner’s Office (ICO) and shared with both parties as these focussed on whether individuals were at risk of being identified. In the cases it has investigated, the ICO has upheld the HSCIC approach and informed us that it has “seen no evidence to suggest that re-identification has occurred or is reasonably likely to occur.”

And sure enough, after chasing the ICO for the outcome of my nine-month wait, I received this (in oddly formatted text, which rather whiffed of a lot of cutting-and-pasting):

Following the recent issue regarding HSCIC, PA Consulting, and Google we investigated the issue of whether HES data could be considered personal data. This detailed work involved contacting HSCIC, PA Consulting, and Google and included the analysis of the processes for the extraction and disclosure of HES data both generally and in that case in particular. We concluded that we did not consider that the HES dataset constitutes personal data. Furthermore we also investigated whether this information had been linked to other data to produce “personal data” which was subject to the provisions of the Act. We have no evidence that there has been any re-identification either on the part of PA Consulting or Google. We also noted that HSCIC have stated that the HES dataset does not include individual level patient data even at a pseudonymised level. Our view is that the data extracted and provided to PA Consulting did not identify any individuals and there was no reasonable likelihood that re-identification would be possible.
I have added the emphasis to the words “reasonable likelihood” above. They appear in similar terms in the Partridge Review, and they struck me as rather odd. An awful lot of analysis has taken place, and continues to take place, on the question of when personal data can be “rendered fully anonymous in the sense that it is information from which the data subject is no longer identifiable” (Lord Hope’s dictum in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47). Some of that analysis has been academic; some takes the form of “soft law” guidance, for instance Opinion 05/2014 of the Article 29 Working Party, and the ICO Anonymisation Code of Practice. The former draws on the Data Protection Directive 95/46/EC, and notes that

Recital 26 signifies that to anonymise any data, the data must be stripped of sufficient elements such that the data subject can no longer be identified. More precisely, that data must be processed in such a way that it can no longer be used to identify a natural person by using “all the means likely reasonably to be used”

Anonymisation has also been subject to judicial analysis, notably in the Common Services Agency case but, even more pertinently, in the judgment of Mr Justice Cranston in Department of Health v Information Commissioner ([2011] EWHC 1430). The latter case, involving the question of disclosure of late-term abortion statistics, is by no means an easy judgment to parse (ironically so, given that it makes roughly the same observation about the Common Services Agency case). The judge held that the First-tier Tribunal had been wrong to say that the statistics in question were personal data, but that it had on the evidence been entitled to say that “the possibility of identification by a third party from these statistics was extremely remote”. The fact that the possibility of identification by a third party was extremely remote meant that “the requested statistics were fully anonymised” (¶55). I draw from this that, for personal data to be anonymised in statistical form, the possibility of identification of individuals by a third party must be extremely remote. The ICO’s Anonymisation Code, however, says of the case:

The High Court in the Department of Health case above stated that the risk of identification must be greater than remote and reasonably likely for information to be classed as personal data under the DPA [emphasis added]

But this seems to me to be an impermissible description of the case: the High Court did not state what the ICO says it stated, and the phrases “greater than remote” and “reasonably likely” do not appear in the judgment. And that phrase “reasonably likely” is one that, as I say, makes its way into the Partridge Review, and into the ICO’s assessment of the lawfulness of the HES data “sale”.

I begin to wonder if the ICO has taken the phrase from recital 26 of the Directive, which talks about the need to consider “all the means likely reasonably to be used” to identify an individual, and transformed it into a position in which, if identification is not reasonably likely, it will accept that data are anonymised. This cannot be right: there is a world of difference between a test which asks whether the possibility of identification is “extremely remote” and one which asks whether it is “reasonably likely”.

I do not have a specific right to a review of the section 42 assessment decision that the processing of my personal data was likely in compliance with NHSIC’s obligations under the DPA, but I have asked for one. I am aware, of course, that others complained (après moi, le déluge), notably, in March, FIPR, MedConfidential and Big Brother Watch. I suspect they will also be pursuing this.

In October this year I attended an event at which the ICO’s Iain Bourne spoke. Iain was a key figure in the drawing up of the ICO’s Anonymisation Code, and I took the rather cheeky opportunity to ask about the HES investigations. He said that his initial view was that NHSIC had been performing good anonymisation practice. This reassured me at the time, but now, after considering this question of whether the Anonymisation Code (and the ICO) adopts the wrong test on the risks of identification, I am less reassured. Maybe “reasonably likely that an individual can be identified” is an appropriate test for determining when data is no longer anonymised, and becomes personal data, but it does not seem to me that the authorities support it.

Postscript Back in August of this year I alerted the ICO to the fact that a local authority had published open data sets which enabled individuals to be identified (for instance, social care and housing clients). More than four months later, the data is still up (despite the ICO saying they would raise the issue with the council): is this perhaps because the council has argued that the risk of identification is not “reasonably likely”?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under anonymisation, care.data, Data Protection, Directive 95/46/EC, Information Commissioner, NHS