Worth noting that:
- ‘Anonymised’ data is not ‘anonymous’. Additional technical and organisational measures are typically used in addition to ‘anonymisation’ of the data to ensure measures are adequate to protect privacy. For example, contracts and information security assurances
- No ‘personally identifiable information’ does not mean no risk. Given the nature of the data items that are likely to be included in the data, it may be feasible for individuals or organisations with the willingness and ability to re-identify individuals. For example, using additional data to which they may have access
- UK Biobank data involved in the incident is now potentially ‘in the wild’; simply removing from the listing(s) from a website does not mitigate the continuing risks posed by the potential existence of one or more copies of the ‘anonymised’ data outside of additional technical and organisational measures
UK Biobank update available at: https://www.ukbiobank.ac.uk/news/a-message-to-our-participants-uk-biobank-data-security-update/
Read the BBC article at: https://www.bbc.co.uk/news/articles/cpvxgl3n138o