I was recently approached by a member of a medical research team which has
links with another institution. Teams from both institutions wished to carry
out research on anonymised medical records (images, etc, but not facial photos).
In answering a telephone query I saw no problem in the actual transfer of
material because it is in no (DP) sense of the word personal data - that is,
all individual identifiers have been stripped. Or rather, the only issue is
whether patients had first to be told that their "data" may be passed on *even
if thus anonymised*.
It was the use of third party collaborators which first of all worried me, and
I suggested that the researchers might like to draw up an agreement (or
"contract") specifying the narrow purposes of use and the security
considerations, etc. This has now been done, and I today received a rather
nice-looking contract.
Only when reading it did I consider that if the above logic is true, and the
anonymised data are no longer personal data, then maybe no such contract is
necessary. Desirable and even useful, maybe - but not necessary in DPA terms.
We often hear that it is better to err on the safe side in these matters. Does
this sound like a case where such caution is wise? Or have I over-reacted?
----------------------
Dr Trevor Field
Senior Assistant Secretary
University of Aberdeen
++44 (0)1224 272077
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|