Beyleveld D, Histed E
Sheffield Institute of Biotechnological Law and Ethics, UK.
Med Law Int. 1999;4(1):69-80. doi: 10.1177/096853329900400105.
This case commentary analyses a ruling that any use of information given in confidence for unconsented purposes is a breach of confidence capable of supporting a legal action (even if the information has previously been anonymised and aggregated). The ruling is being appealed. It is argued that, while it is reasonable to delineate a narrower duty of confidentiality (not to disclose personal information, against breach of which anonymisation protects), this must be within a broad duty of confidence (not to use private information, which using anonymous information can still breach). Thus, the ruling is fundamentally correct in holding that anonymisation does not permit information obtained in confidence to be used for unconsented purposes. This, however, implies that information obtained for a patient's treatment may not be used lawfully for medical research or NHS management purposes without consent, even if it is anonymised. Such a consequence is unacceptable as a matter of public policy. However, it is equally unacceptable to seek an exemption through the idea that patients give "implied consent" for medical research and NHS management purposes. It is also unacceptable to maintain that the public interest in medical research (regardless of its aims) justifies unconsented use of information obtained in confidence, even if the information is anonymised. The way in which Section 33 of the Data Protection Act 1998 creates an exemption to its Second Data Protection Principle provides a ready-made model for a public interest based exemption for medical research and statistical NHS purposes.