This post was written by Nick Tyler.
In a case involving the “extraordinary rendition and related issues” of individuals detained or captured by UK soldiers in Iraq and Afghanistan, the Upper Tribunal (Administrative Appeals Chamber) has taken what many will view as a practical and realistic approach to when personal data can be anonymised effectively and thereby fall outside the scope of the UK Data Protection Act 1998 (DPA), so enabling disclosure without constraint.
The Tribunal dismissed the concerns of both the data controller, the Ministry of Defence (MoD) and the UK’s data protection regulator, the Information Commissioner, about the extent to which the information requested could be appropriately redacted to ensure anonymisation while the MoD continued to hold the original source personal data, including identifying information.
The long-held view among European data protection regulators has been that anonymisation cannot be achieved unless the key to identification – almost always held by a data controller – is permanently destroyed. This ruling challenges that prevailing view.
The Tribunal took the view that careful redaction of the key information that would enable identification of any individual, can mean that data is not personal data and so falls outside the scope of the DPA.
The ruling is open to criticism from privacy regulators and other advocates in light of the possibility that the disclosure of so-called ‘anonymised’ information could result in the identification of individuals, especially taking account of the sophistication and capabilities of search engines and other technological developments and techniques to find and link a multitude of information from a plethora of publicly available sources.
Applying such an approach to anonymisation outside the rarefied circumstances of the Tribunal case could offer significant comfort in terms of data protection compliance risk to a wide range of organisations able to use data de-identified or anonymised to the level approved by the Tribunal.
However, if that is the end result we had better watch this space as the decision is bound to get the attention of the European data protection regulators and the European Commission.
Some form of legal challenge seems likely and in that case we are looking at a “Rocky Road” rather than a “Plain Vanilla” path to a practical compliance solution.