It’s fairly common these days to run across mentions of “anonymized data” while at medical facilities, which is to assure you that your privacy won’t be violated if they’re permitted to use your bodily fluids and parts for research. But is this right? Chelsea Whyte in NewScientist (2 March 2019, paywall) reports not:
Stripping records of information like names, addresses and social security numbers was once enough to keep it from being identifiable, but that changed about 20 years ago.
“There was this notion that was useful for decades, that if you redact certain types of information, it becomes quite hard to trace back records. And it actually worked quite well,” says Erlich. “But as we got into the era of big data and large-scale internet resources, it became true that it’s hard to anonymise any big data.”
The myth of genetic anonymity persists, however, because it is useful. It gives researchers access to a wealth of information without having to seek informed consent.
Research of human subjects in the US is governed by the Common Rule, which applies to all federally funded research. This rule is rewritten periodically to bring it in line with current ethical standards and take into account new technology. This happened in January, but the rulebook still doesn’t count DNA as identifiable information. “Many people wrote opinions saying that DNA is identifiable and that we should treat it this way,” says Erlich. Instead, the new language explicitly says DNA isn’t identifiable.
There are clear benefits to allowing this, because it is a good way of sampling the entire population. For example, if you have blood drawn at the doctor’s office and there is a bit left over after your tests are done, it could be stripped of identifiers and put into a repository where it can be used for research without you ever knowing about it. But increasingly, people want control over the use of their data.
I feel guilty that I don’t get worked up over this sort of thing. Maybe it’s because it didn’t occur to me that this is all true, and I’m a little put out. Certainly, corporations want to avoid health liability issues, and this might allow them to do so.
But, in the end, it’s really about the medical profession asserting something that has become a profound falsehood. The bit about the Common Rule was particularly disappointing, especially in the light of a number of recent prosecutions for crimes that were considered cold cases, but solved through DNA studies and using commercial sites to trace relatives.
I’d advise that the next time you’re reading some sort of statement about your data being anonymized, even if it’s not medical data, beware. Anonymization seems to be going the way of the unicorn, at least so long as we live in a data-rich society.