. 2018 Nov 22;6(4):e47. doi: 10.2196/medinform.7096

Table 2. P-R anonymization matrix.

| Context of data | Data use authorized without consent^a | Health care data use without consent | Very sensitive health care data^b use without consent | Special circumstances without consent |
|---|---|---|---|---|
| Research in safe havens^c | Anonymization not required | Level 1 | Level 1 | Level 2 |
| Research to which duty of confidentiality applies | Anonymization not required | Level 1 | Level 2 | Level 3 |
| Research to which no duty of confidentiality applies^d | Level 1 + algorithmic manipulation^e | Level 1 + algorithmic manipulation | Level 2 + algorithmic manipulation | Level 3 |
| Information for public release^f | Level 3 or synthetic data or no release | Level 3 or synthetic data | Level 3 or synthetic data | Level 3 or synthetic data or no release |

^a Where authorization for data processing without consent has been provided by a specific statutory body, a body that provides appropriate safeguards, or the equivalent for research ethics. These bodies have powers to authorize data use without anonymization; however, good practice requires data minimization with justification for inclusion of all identifying data.

^b Very sensitive data are not exhaustively defined in this paper because they depend heavily on particular sociocultural sensitivities; for example, alcoholic liver disease would be a sensitive diagnosis in some cultures but not necessarily in all. Sexually transmitted infections are usually considered very sensitive. Public consultation is needed on use of health care data in an ongoing process.

^c Requirements for accreditation include that researchers are under contractual duties of confidentiality, including not to attempt reidentification [40].

^d It should be noted that the UK government has signaled an intention to create a new criminal offense of reidentification [72]; other jurisdictions, including New Zealand, Australia, and Canada, are also considering this [73,74]. Currently, reidentification would be merely a breach of data protection law.

^e Algorithmic manipulation means data masking, clustering, or deletion to satisfy demands of k-anonymity and other metrics such as l-diversity, t-closeness, or differential privacy.

^f As noted above, the UK Information Commissioner's Office could compel release under the Freedom of Information Act 2000 of data only anonymized to their standard (currently, the motivated intruder). This standard is arguably deficient for public release of health data [61], and we propose statutory change to enable an appropriate level of privacy protection to be required.
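The "algorithmic manipulation" of footnote e, shown as an added example that is not part of the paper: quasi-identifiers are masked by generalization, equivalence classes below k are deleted, and the result is measured for k-anonymity and l-diversity of the diagnosis field. The records, field names and thresholds are all constructed for illustration.

```python
"""Constructed k-anonymity / l-diversity example (not the paper's code)."""
from collections import defaultdict

# Constructed sample records: quasi-identifiers plus a sensitive diagnosis.
RECORDS = [
    {"age": 34, "postcode": "EH3 9QG", "sex": "F", "diagnosis": "asthma"},
    {"age": 37, "postcode": "EH3 7AB", "sex": "F", "diagnosis": "diabetes"},
    {"age": 31, "postcode": "EH3 5CD", "sex": "F", "diagnosis": "STI"},
    {"age": 52, "postcode": "G12 8QQ", "sex": "M", "diagnosis": "asthma"},
    {"age": 58, "postcode": "G12 9RR", "sex": "M", "diagnosis": "asthma"},
    {"age": 55, "postcode": "G12 1AA", "sex": "M", "diagnosis": "asthma"},
    {"age": 71, "postcode": "AB10 1XY", "sex": "F", "diagnosis": "diabetes"},
]
QUASI = ("age", "postcode", "sex")  # assumed quasi-identifier fields

def generalise(rec):
    """Data masking: 10-year age band and postcode outward code only."""
    lo = rec["age"] // 10 * 10
    return {"age": f"{lo}-{lo + 9}", "postcode": rec["postcode"].split()[0],
            "sex": rec["sex"], "diagnosis": rec["diagnosis"]}

def equivalence_classes(records):
    """Group records that share every quasi-identifier value."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in QUASI)].append(r)
    return groups

def anonymise(records, k, l=1):
    """Generalise, then delete every class smaller than k or with fewer
    than l distinct diagnoses (a k-anonymous but homogeneous class still
    discloses the diagnosis of everyone in it)."""
    kept = []
    for group in equivalence_classes([generalise(r) for r in records]).values():
        if len(group) >= k and len({r["diagnosis"] for r in group}) >= l:
            kept.extend(group)
    return kept

def k_of(records):
    """Smallest equivalence class, i.e. the k the release actually achieves."""
    groups = equivalence_classes(records)
    return min(len(g) for g in groups.values()) if groups else 0

def l_of(records):
    """Fewest distinct diagnoses in any equivalence class."""
    groups = equivalence_classes(records)
    return min(len({r["diagnosis"] for r in g}) for g in groups.values()) if groups else 0
```

On the constructed data the raw records are only 1-anonymous; requiring k=3 keeps six records but the G12 class is homogeneous (l=1), and requiring l=2 as well suppresses it, leaving three records.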