Does de-identification require consent under the GDPR and English common law?
Data de-identification has many benefits in the context of the General Data Protection Regulation (GDPR). One of the recurring questions is whether consent is required to anonymise or de-identify data. In this paper, the authors make the case that no consent is required for anonymisation or other forms of de-identification under the GDPR, although additional conditions have to be met where special category data is anonymised. Further, under the English equitable duty of confidentiality, consent is generally not required if the de-identification is performed by the direct care team or on behalf of the direct care team; it is arguable that de-identification can also be performed by others outside of the direct care team, but less clear. The alternative would be special authorisation under section 251 of the National Health Service (NHS) Act.
No Supplementary Data
No Article Media
Document Type: Research Article
Affiliations: 1: CHEO Research Institute 2: Partner, Hintze Law PLLC, and Senior Fellow, Future of Privacy Forum 3: Partner, Bird & Bird
Publication date: June 1, 2020
More about this publication?
- Journal of Data Protection & Privacy publishes in-depth, peer-reviewed articles, case studies and applied research on all aspects of data protection, information security and privacy issues across the European Union and other jurisdictions, in the wake of the new EU General Data Protection Regulation (GDPR) and the biggest change in data protection and privacy for two decades.
- Editorial Board
- Information for Authors
- Submit a Paper
- Subscribe to this Title
- Terms & Conditions
- Ingenta Connect is not responsible for the content or availability of external websites