Wherever possible, data should be collected, stored or handled in anonymous form. Where linkage between datasets is required (e.g. in longitudinal studies), record numbers should be used as far as possible, with special measures used to protect the key that would link a number to personal identifiers.
Name and address are not the only way of identifying an individual. There are other forms of information that can be used to identify an individual (e.g. date of birth or clinical diagnosis for rare diseases), especially if the area covered by a dataset is small. Similarly, the keys for some record numbers (e.g. NHS number) are easily accessible. Thus, while removing name and address provides a 'first-line' protection of privacy, identification of the data subject may still be possible.
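The two points above, as an added Python example that is not part of the original guidance: a record number derived with a separately held key supports linkage, yet rows stripped of name and address can still be unique on date of birth, diagnosis and area. The records, field names, key value and the threshold `k` are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"name": "Person A", "address": "1 Example Rd", "dob": "1961-03-14", "diagnosis": "asthma", "area": "AB1"},
    {"name": "Person B", "address": "2 Example Rd", "dob": "1961-03-14", "diagnosis": "asthma", "area": "AB1"},
    {"name": "Person C", "address": "3 Example Rd", "dob": "1975-11-02", "diagnosis": "asthma", "area": "AB1"},
    {"name": "Person D", "address": "4 Example Rd", "dob": "1980-07-21", "diagnosis": "rare_condition", "area": "AB1"},
    {"name": "Person E", "address": "5 Example Rd", "dob": "1980-07-21", "diagnosis": "asthma", "area": "AB1"},
]
INDIRECT_IDENTIFIERS = ("dob", "diagnosis", "area")


def record_number(record, linkage_key):
    """Keyed record number: stable for linkage, not recomputable without the key."""
    msg = "|".join((record["name"], record["dob"])).encode()
    return hmac.new(linkage_key, msg, hashlib.sha256).hexdigest()[:16]


def depersonalise(records, linkage_key):
    """Drop name and address; keep a record number plus the remaining fields."""
    rows = []
    for rec in records:
        row = {f: rec[f] for f in INDIRECT_IDENTIFIERS}
        row["record_no"] = record_number(rec, linkage_key)
        rows.append(row)
    return rows


def singled_out(rows, fields=INDIRECT_IDENTIFIERS, k=2):
    """Rows whose values for `fields` are shared by fewer than k rows."""
    def combo(row):
        return tuple(row[f] for f in fields)
    counts = Counter(combo(r) for r in rows)
    return [r for r in rows if counts[combo(r)] < k]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice held separately from the dataset
    rows = depersonalise(RECORDS, key)
    for fields in (("diagnosis",), ("dob",), INDIRECT_IDENTIFIERS):
        hits = singled_out(rows, fields)
        print(fields, "->", len(hits), "of", len(rows), "rows are unique")
```

Rows returned by `singled_out` remain open to indirect identification even though name and address have been removed.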
Considerable confusion exists about the effect that anonymising personal information/data has on the legitimacy of processing information that it contains. Recital 26 of the Data Protection Directive (95/46/EC), which the UK Data Protection Act 1998 implements, states that the principles of protection do not apply to data that has been rendered anonymous. However, data is only rendered anonymous for these purposes if it is no longer possible to identify the data subject from it directly or indirectly (Article 2(a) of the Directive).
Hence, data that is coded or that is still held in personally identifying form, to which the depersonalised data can be linked, remains personal data for the purposes of UK data protection and cannot be considered rendered anonymous in the terms of Recital 26 of the Directive. One of the most important consequences of this relates to the duties of data controllers to inform research participants of the uses that will be made of personal data they provide. Bearing in mind that anonymisation is itself a process performed on personal data, it seems to follow from the Directive and the Data Protection Act 1998 that those who obtain personal data from the data subject must inform the data subject of what they intend to do with the information contained in the data after it has been rendered anonymous, and indeed of the intention to anonymise it and the consequences thereof.
Those who have received information in depersonalised form, other than from the data subject, so that they cannot identify the data subject, obviously cannot discharge their duties to inform the data subject under the Data Protection Act (Schedule I Part II paragraph 2) or the Directive (Article 11). However, those from whom they obtain this information have a duty to inform them of any restrictions on the use of this information that have been placed on it by the data subject, with which they must comply (refer to Section 55 of the Data Protection Act 1998).