European Legal Requirements for Use of Anonymized Health Data for Research Purposes by a Data Controller with Access to the Original (Identified) Data Sets

This paper from Privacy Analytics addresses the common scenario in which health data is anonymized and used for research purposes within a data controller that retains the original data set. In such cases, robust anonymization combined with strong safeguards to protect the anonymized data from being re-associated with the original data or otherwise re-identified, creates a strong case under the GDPR that the data should still be considered fully anonymous and therefore outside the scope data protection law. But even where that is not the case, the same strong anonymization methodology and safeguards will enable the data controller to meet key GDPR obligations. In either case, strong de-identification is an essential tool for enabling the use of sensitive health data for research purposes. (August 2017)