University ordered to disclose clinical trial data to a third party

United Kingdom

In Queen Mary University of London v Information Commissioner EA/2015/0269, the First-Tier Tribunal held that anonymised clinical trial data is not exempt from disclosure under The Freedom of Information Act 2000 (FOIA). The extent to which the trial data was “sufficiently anonymous” played a key role in the Tribunal’s decision.

Background

Queen Mary University of London (QMUL) conducted a long-term, publicly funded clinical trial which tested the effectiveness of various treatments for chronic fatigue syndrome. The results of the trial were widely criticised owing to concerns around the methodology used. The complainant had requested access to certain anonymised data used in the trial by way of an information request under FOIA. Each line of data requested was the data of an individual trial participant. QMUL refused to provide the requested data on the basis that it was exempt from disclosure under FOIA.

QMUL’s key arguments

1. QMUL’s decision to refuse access to the requested data rested primarily on its belief that it constituted sensitive personal data. As such, disclosure of the requested data would constitute a breach of the Data Protection Act 1998 (DPA) and was therefore exempt under section 40 of FOIA. QMUL argued that anonymization could not fully eliminate the risks of re-identification and that a “motivated intruder” could re-identify the requested data.

2. QMUL also refused to provide the requested data on the basis that it was supplied under the traditional doctor-patient relationship. As a result, its disclosure would constitute a breach of medical confidentiality and cause considerable distress to participants in the trial (section 41, FOIA).

3. Finally, QMUL argued that the requested data formed part of an ongoing research programme and that its disclosure would prejudice future publications (section 22A, FOIA). Although section 22A came into force after the complainant submitted his information request, QMUL argued that the Tribunal should exercise its discretion and apply the exemption retrospectively.

The Tribunal’s decision

1. The Tribunal rejected QMUL’s argument that the requested data constituted sensitive personal data for the following reasons:

a) The requested data had been “sufficiently anonymised”. In reaching this decision, the Tribunal noted that the requested data did not contain any fixed or direct identifiers (e.g. gender or ethnicity) and was based on variable outcomes which would be difficult to repeat precisely (e.g. walking tests).

b) Citing guidance published by the Information Commissioner’s Office (ICO), the Tribunal stated that a “motivated intruder” is not presumed to have any “specialist knowledge or equipment, nor is he expected to resort to criminality to access the data”. In this case, the Tribunal noted that re-identification would be very difficult and would likely require help by a medical professional prepared to breach his professional and legal duties. This was considered “implausible”. When weighing the risk of re-identification, it is not necessary to take into account efforts which could be considered “borderline sociopathic or psychopathic"

2. Having concluded that re-identification was realistically impossible the Tribunal dismissed QMUL’s argument that disclosure would breach medical confidentiality; as the data had been anonymised, there could be no breach of confidence

3. Finally, the Tribunal upheld the ICO’s decision that there were no exceptional circumstances in this case which would justify the retrospective application of section 22A of FOIA.

Comment

This case will be of particular interest to universities and other public bodies who maintain medical research databases. The quid pro quo for successfully anonymising your participants’ personal data may be that you are required to disclose it to third parties under FOIA. However, with section 22A of FOIA now in force, your clinical trial data may be exempt from disclosure if it forms part of an ongoing research project. Scottish public authorities can rely on a very similar exemption under section 27(2) of the Freedom of Information (Scotland) Act 2002.

In addition, this case serves as a welcome reminder that the ICO does not require data anonymization to be completely risk free; only that the risk is mitigated until it is sufficiently remote. This should be of comfort to the wider medical research community which relies heavily on inter-institutional data flows for medical research purposes.

Notwithstanding, this case does not give the green light to all activities involving anonymised data. Rather, it highlights the importance of taking care on a case by case basis to consider how well your data has been anonymised and the risks of re-identification. As noted by the Tribunal, anonymization may be less effective in trials involving rare conditions or in a small population. In those cases, consent forms may need to be redesigned to ensure participants are warned of the risk of re-identification of their data.