Abstract
The Data Protection Directive and the Data Protection Act The protection of privacy of data is regulated in all member states of the European Union by national legislation drawn up in response to the Data Protection Directive (Directive 95/46/EC), which seeks to harmonise the rules of data protection throughout the Union (all current national data protection legislation can be found at http://europa.eu.int/comm/internal_market/privacy/index_en.htm). The Directive provides that the use of anonymised data falls outside its remit: “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable” (Recital 26). Thus, Donnan et al correctly state that the anonymised data in their study were not subject to the Data Protection Act 1998. This point was further clarified for England and Wales in a judgment of the Court of Appeal.1 However, neither the directive nor national law explain how the process of anonymisation of nominative data is to occur. In the United Kingdom the Office of the Information Commissioner, the regulatory authority established under the Data Protection Act 1998, has issued a guidance note on the concept of “personal data,” which states that, although anonymous data may fall outside the remit of English law, the act of anonymisation does not: “In anonymising personal data the data controller will be processing such data and, in respect of such processing, will still need to comply with the provisions of the Act.”2 It seems then that a rather peculiar situation exists where, in order to anonymise data, one needs the consent of the data subjects. In the case of medical research, two ways around this issue exist. Firstly, researchers may use (and anonymise) data without prior notification of the data subjects only if they can comply with the special provisions in the data protection legislation, which provide for sensitive data to be processed for the purposes of medical research only by a health professional or a person who owes a duty of confidentiality that is equivalent to that which would arise if that person were a health professional.3 Secondly, personal data may be used for research purposes without prior consent of the data subjects if a list of rigorous requirements are followed.4 Given the lack of clarity and the complexity of legally anonymising data, the time is ripe for regulators to address the role of anonymisation of data in medical research again. Anonymisation facilitates research and protects confidentiality, and every effort should be made to support its practice. Recent research shows that most European citizens generally trust healthcare providers to treat their data with due respect for confidentiality: in a recent Eurobarometer survey 84% of EU citizens reported that they trusted the medical profession in this way, although only 42% knew of the need to provide agreement for someone to use their personal information and their right to oppose some uses.5 Let us build on this trust by, on the one hand, providing good information on the use of data in medical research and, on the other, providing the proper legal framework for the use of anonymisation techniques as demonstrated by MEMO. Both at European and national level every effort should be made to make the best possible use of modern anonymisation technologies so that patients' privacy can be simply and effectively protected while vital medical research based on individual records continues.

This publication has 1 reference indexed in Scilit: