In a recent case of interest, a university was ordered to disclose anonymised clinical trial data following a request under the Freedom of Information Act 2000 (“FOIA”).
The case is an important reminder for public authorities who hold medical data, and their commercial partners, that the commonly cited exemptions (such as breach of confidence or disclosure of personal data) may not always assist when trying to prevent disclosures of clinical trial data. It also confirms some of the principles in relation to anonymisation and when data is no longer considered to be “personal data” for the purposes of the Data Protection Act 1998 (“DPA”).
Background
Queen Mary University (“QMU”) conducted a clinical trial involving 640 people which tested various forms of treatment for chronic fatigue syndrome in patients, the results of which were published. The trial resulted in some public debate and questioning of the treatment methods used. In March 2014, a member of the public, Mr Matthees, submitted an FOIA request for a selection of anonymised patient-level data (including various patient scores and outcomes) from the trial. Mr Matthees requested the information in the form of a spreadsheet, with each row setting out the values for one trial participant.
QMU refused the request claiming that the information was exempt from disclosure under FOIA. The Information Commissioner rejected QMU’s reasoning and ordered disclosure, so QMU appealed.
Key arguments
QMU raised the following key arguments:
- QMU sought to rely on a new exemption which allows information obtained in the course of a programme of research, which is continuing with a view to publication of a research report, to be withheld where disclosure would cause prejudice (“Research Exemption”). The Research Exemption had only taken effect after the initial request, but QMU argued that it should apply retrospectively;
- the information amounted to personal data and to disclose it would be a breach of the DPA data protection principles, so it was exempt (“Personal Data Exemption”). The information could not be satisfactorily anonymised, such that it ceased to be personal data, as it was possible that participants would still be able to identify their own results or that “motivated intruders” (e.g., activists who were critical of the study) could identify individuals from it;
- the information had been imparted in a confidential doctor-patient circumstance. Therefore, disclosure would constitute a breach of confidence (“Confidentiality Exemption”);
- disclosure would be likely to prejudice QMU’s commercial interests, for example, by deterring future participants and affecting QMU’s ability to attract funding for further research (“Commercial Interests Exemption”).
Decision
QMU was required to disclose the information. The Tribunal concluded the following in respect of the above four arguments.
1. The Research Exemption should not apply retrospectively.
2. The Personal Data Exemption did not apply. The Tribunal (by a majority) found that the information could be properly anonymised considering:
  - the nature of the information, which did not contain any fixed or direct identifiers;
  - the evidence from QMU’s expert witness, who had accepted that the requested information alone could not identify participants. The Tribunal rejected the witness’ suggestion that activists could combine it with NHS data to identify individuals (which, in practice, would involve an NHS employee both having breached their professional, legal and ethical obligations and also having the skill and inclination to do so) as being “implausible”;
  - whether there was “more than a remote risk” that disclosure would lead to identification of an individual. The majority were satisfied from the evidence that the risk was remote;
  - the Information Commissioner’s Office Code of Practice on Anonymisation and the “motivated intruder” test, which involves considering whether an intruder (a reasonably competent person with access to resources, using investigative techniques) would be able to achieve re-identification of individuals from the anonymised data. A motivated intruder is not assumed to have any specialist knowledge or to resort to criminality to access data that is kept securely. The Tribunal stated that the proposition that one should assume the absolute worst about data disclosure in every case was “neither sensible nor realistic”;
  - the fact that QMU had already released anonymised data from the trial to various independent scientists on request as part of “normal research collaboration”. It had therefore tacitly acknowledged that anonymisation was effective to prevent identification.
3. On the basis of (2) above, the Confidentiality Exemption did not apply. So long as only anonymised information was released, there was no breach of confidence.
4. The Commercial Interests Exemption did not apply. There was insufficient evidence to persuade the Tribunal that disclosure of the information would cause sufficient prejudice to QMU’s research programmes, reputation and funding streams (any minimum risk would, in any event, have been outweighed by the public interest in disclosure).
Comment
The case highlights that public authorities will not be able to withhold anonymised information without good reason, particularly where such information has already been disclosed to other researchers, and that the public interest in disclosure may well outweigh any commercial interest argument. However, where the information forms part of an ongoing research programme, public authorities may be able to rely on the Research Exemption.