Cambridge professor questions the viability of ‘anonymization’

Anderson quotes prime minister Cameron’s comment from the end of last year. “The Prime Minister said it was ‘simply a waste’ to have a health service like the NHS and not to use the medical data it generated,” reported the BBC  at the time. “Let me be clear,” said Cameron, “this does not threaten privacy, it doesn't mean anyone can look at your health records, but it does mean using anonymous data to make new medical breakthroughs.”

Cameron was discussing plans to change the constitution of the NHS to allow anonymized patient data to be used for medical research – a process likely to go live next month “when our GP and hospital records will be made available to drug company and other researchers through the Clinical Practice Research Database,” says Anderson.

Anderson, a respected and authoritative security expert, questions this claim. He points to a report from the Royal Society in June, which states very clearly, “the security of personal records in databases cannot be guaranteed through anonymisation procedures,” and “computer science has now demonstrated that the security of personal records in databases cannot be guaranteed through anonymisation procedures where identities are actively sought.” In a message directed at the EU and the Data Protection Regulation, it says, “the Commission should recognise that anonymisation cannot currently be achieved.”

Faced with this clarity in science, Anderson is worried by obfuscation in politics. The government's privacy ‘tsar’, Tim Kelsey, promised last year that its anonymity mechanisms would be public. “But a freedom of information request asking how records will be anonymised was declined – with the system operators claiming that its security could be at risk if people learned how they manipulate data,” says Anderson.

He also pours scorn on a suggestion from the Information Commissioner (ICO – the UK’s privacy watchdog), “that GP surgeries and supermarkets could use a shared encryption key to create a common pseudonym from people's names and addresses so that patients' diabetic status could be correlated with supermarket purchases.” Really? says Anderson. “This is the sort of scheme we'd expect the commissioner to forbid, not promote. It may not surprise us that government rolls over for Big Pharma, but from an independent regulator we might have expected better.

“The one last hope,” concludes Anderson, “is that the code must be approved by the secretary of state under the Data Protection Act... Perhaps we should pray that Ken Clarke is still justice secretary when it is sent for approval in November.”

What’s Hot on Infosecurity Magazine?