Implications of the General Data Protection Regulation (GDPR) for administrative data research in the UK: Are 'pseudonymised' data always personal data?
In April 2016, the European Union published the final text of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The General Data Protection Regulation (GDPR) takes effect in 2018, after a two-year implementation period. It replaces EU Directive 95/46/EC, which has been repealed.
The GDPR regulates the use of personal data and the free movement of such data across a wide range of sectors. As a regulation, the GDPR is a directly binding legislative act that must be applied in its entirety across the EU. (A directive is a legislative act that sets out a goal that all EU countries must achieve but leaves it to individual countries to devise their own laws on how to reach and implement it.)
However, under the GDPR individual member states may maintain or introduce further conditions, including limitations, relating to certain issues, such as the processing of genetic or health data.
The GDPR includes:
- higher fines, based on global turnover, for firms contravening the new regulation
- requirements to appoint a data protection officer if the institution handles significant amounts of sensitive or personal data
- direct obligations on data processors in defined circumstances
- data protection ‘by design’ (data protection safeguards to be built into firms’ products and services from the earliest stages of development)
The UK’s Data Protection Act 1998 implemented the previous directive, and will continue to govern data use in the UK until the new regulation comes into force. The GDPR will replace any incompatible provisions in this piece of national law, which may be amended or repealed in the future.
The ADRN legal team have recently published research into the legal implications of the GDPR for administrative data research in the UK. The abstract below outlines their work.
There has naturally been a good deal of discussion of the forthcoming General Data Protection Regulation. One issue of interest to all data controllers, and of particular concern for researchers, is whether the GDPR expands the scope of personal data through the introduction of the term ‘pseudonymisation’ in Article 4(5). If all data which have been ‘pseudonymised’ in the conventional sense of the word (e.g. key-coded) are to be treated as personal data, this would have serious implications for research. Administrative data research, which is carried out on data routinely collected and held by public authorities, would be particularly affected as the sharing of de-identified data could constitute the unconsented disclosure of identifiable information.
Instead, however, we argue that the definition of pseudonymisation in Article 4(5) GDPR will not expand the category of personal data, and that there is no intention that it should do so. The definition of pseudonymisation under the GDPR is not intended to determine whether data are personal data; indeed it is clear that all data falling within this definition are personal data. Rather, it is Recital 26 and its requirement of a ‘means reasonably likely to be used’ which remains the relevant test as to whether data are personal. This leaves open the possibility that data which have been ‘pseudonymised’ in the conventional sense of key-coding can still be rendered anonymous. There may also be circumstances in which data which have undergone pseudonymisation within one organisation could be anonymous for a third party. We explain how, with reference to the data environment factors as set out in the UK Anonymisation Network's Anonymisation Decision-Making Framework.