The UK Information Commissioner’s Office (ICO) has published a code of good practice on managing the risks related to anonymisation. Christopher Graham, UK Information Commissioner, believes this to be the first code of practice on anonymisation to be published by any European data protection authority, but Liechtenstein published a guide on anonymisation and pseudonymisation earlier this year.
With publicly available data increasing rapidly and the rise of “big-data,” anonymisation is an important tool in “helping society to make rich data resources available whilst protecting individuals’ privacy.” It is considered to be of particular value for organisations that want to publish data for research purposes.
The Code was issued pursuant to Recital 26 of the European Data Protection Directive (Directive 95/46/EC), which provides that “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.” Properly anonymised data no longer allows an individual to be identified, so it falls outside the European data protection laws. Anonymisation is not, however, always straightforward: individuals may be identified in a number of ways, and it may be possible to re-identify them by combining anonymised data with data aggregated from other sources. The ICO recognises the difficulty in determining whether anonymised data is still classified as personal data and believes a sensible judgment should be made in the circumstances.
The Code recommends that data controllers perform regular risk assessments on the likely occurrence of re-identification since that risk may change over time. It further warns that even if anonymisation is carried out effectively, it does not necessarily protect personal data from being re-identified in the future. In borderline cases where there is uncertainty about whether re-identification can occur, organisations are urged to seek the individual’s consent for disclosure and to adopt a more rigorous form of risk analysis and anonymisation.
According to the ICO, disclosure of anonymised data does not require consent: “provided there is no likelihood of anonymisation causing unwarranted damage or distress then there will be no need to obtain consent as a means of legitimising the processing.” The ICO also acknowledged that consent can be not only onerous but potentially impossible to obtain, and even if obtained, the ICO generally considers it safer to use or disclose anonymised data.
The Information Commissioner does, however, suggest an added layer of bureaucracy and cost for organisations by recommending that risk assessment strategies form part of an organisation’s wider governance structure, with the appointment of a “Senior Information Risk Owner” who would be responsible for authorising and overseeing the anonymisation process.