Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Evolving the Category of Identifiers: Iceland in 1997-1998 (20070807)
In an earlier post I mentioned the attempt by deCODE Genetics to build databases of genetic data of Icelanders, which is discussed in "An analysis of the Icelandic Supreme Court judgement on the Health Sector Database Act" by Dr. Renate Gertz, Research Fellow, AHRC Centre, School of Law, University of Edinburgh. Sections 4.3.1 and 4.3.2 of that document discuss how interpretations of European personal data protection issues affected the drafting of legislation.
The resulting Iceland Ministry of Health and Social Security Act on a Health Sector Database of 1998 defines, in the context of personal data, that:
An individual shall be counted as personally identifiable if he can be identified, directly or indirectly, especially by reference to an identity number, or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
And Ross Anderson of Cambridge University wrote in his analysis of "the DeCODE Proposal for an Icelandic Health Database" that pseudonyms in themselves did not give adequate protection:
Firstly, although it is not too difficult to de-identify data that provide only a time-limited snapshot of a population's health - such as the data which health services use to compile monthly management statistics of numbers of operations, consumption of drugs and the like - it is effectively impossible to de-identify longitudinal records, that is, records which link together all (or even many) of the health care encounters in a patient's life. Someone wishing to abuse the database to investigate a business or political rival, for example, is likely to know some facts about the target of investigation (that he broke his ankle playing football on the 14th October 1974, that he was absent from Iceland for 1978-1982 doing postgraduate work, and so on) and wish to know other facts (such as whether he has ever been treated for alcoholism or for psychiatric disorders). In many cases, the known facts will enable the target patient to be identified despite the use of a pseudonym in the database itself...
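The contrast Anderson draws can be measured by a data custodian before release. The following is an added example, not code from this post or from any of the cited analyses: it counts how many pseudonyms remain consistent with a set of externally known facts in a linked record set, next to the monthly snapshot that carries no linking key. The records, pseudonyms, function names and facts are all constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample: pseudonymised longitudinal records (pseudonym, date, event).
RECORDS = [
    ("P01", date(1974, 10, 14), "ankle fracture"),
    ("P01", date(1976, 3, 2), "checkup"),
    ("P01", date(1985, 6, 9), "checkup"),
    ("P02", date(1974, 10, 14), "ankle fracture"),
    ("P02", date(1979, 1, 20), "checkup"),
    ("P03", date(1974, 10, 14), "checkup"),
    ("P03", date(1983, 5, 5), "checkup"),
    ("P04", date(1975, 2, 1), "ankle fracture"),
    ("P04", date(1984, 8, 8), "checkup"),
]

def had_event(event, on):
    """Known fact: `event` was recorded on date `on`."""
    return lambda history: any(d == on and e == event for d, e in history)

def no_encounters(first_year, last_year):
    """Known fact: no encounters at all in the inclusive year range."""
    return lambda history: not any(first_year <= d.year <= last_year for d, _ in history)

def histories(records):
    """Group encounters by pseudonym: this linkage is what makes records longitudinal."""
    out = {}
    for pseudonym, d, event in records:
        out.setdefault(pseudonym, []).append((d, event))
    return out

def anonymity_set(records, facts):
    """Pseudonyms whose linked history is consistent with every known fact."""
    return sorted(p for p, h in histories(records).items() if all(f(h) for f in facts))

def audit(records, facts):
    """Anonymity-set size after each successive fact; 1 means the pseudonym no longer protects."""
    return [len(anonymity_set(records, facts[:i])) for i in range(len(facts) + 1)]

def snapshot(records, year, month):
    """Time-limited release: event counts for one month, with no linking key."""
    return Counter(e for _, d, e in records if (d.year, d.month) == (year, month))

# Constructed facts of the two kinds mentioned in the quoted passage.
FACTS = [had_event("ankle fracture", date(1974, 10, 14)), no_encounters(1978, 1982)]

if __name__ == "__main__":
    print(audit(RECORDS, FACTS), anonymity_set(RECORDS, FACTS))
    print(snapshot(RECORDS, 1974, 10))
```

Running the audit over a candidate release shows how quickly the anonymity set collapses as facts are combined, which is the property that separates the longitudinal database from the monthly statistics.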