I suppose what I'm getting at is that there are some parts of the data that should never be passed. There is always going to be a risk no matter what you do but you can limit those risks. Examples of this are, like I said location being first letters of postcode, only ever supplying year of birth and only when required, no names of course, if there is a subset location (for example a health provider location) then that is removed and replaced by an identifier. These are just some ideas but at a top level you could make it harder. I agree with the amendment because there will be mistakes that is guaranteed and you want these highlighting so they can be fixed, I do think it's a case of shutting the stable door once the horse has bolted though. The better way would be to not pass data around like a bag of sweets.