Re: Anonymisation of data
Anonymisation of data is not sufficient. Pseudo-anonymised data (i.e. anywhere there is a 1:1 mapping) must be considered personal data, as if it were not masked at all, because of the proven ease of reconstructing an identity from metadata.
This is one of the key reasons both the ICO and Caldicott condemned the programme - just anonymising the data is not enough. It can be a positive step, but in isolation is never enough to treat the data as if it weren't personal information. Consent *plus* anonymisation, with the anonymisation process being explained to patients to obtain their positive consent, may have been sufficient.
The approach taken by Genomics England is probably the way forward. Data never leaves your system. You buy in services and software, you don't give away the data. Ever. This is also the approach taken by the ONS for their new "data campus", enabling much broader research access to government data sets.