The UK’s data protection authority, the Information Commissioner’s Office (ICO), is calling for views on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, available in draft here.
The guidance will help organisations to identify the issues they need to consider in order to use anonymisation techniques effectively. The guidance will sit alongside the ICO’s data sharing code of practice, which provides guidance on how to lawfully share personal data, and offers organisations an alternative way of using or sharing data through anonymisation.
The first chapter introduces and defines anonymisation and pseudonymisation, and places the concepts within the framework of data protection law in the UK.
Anonymisation is the process of turning personal data into anonymous information, in such a way that the data no longer relates to an identifiable individual. Following the principle of data minimisation, where an organisation doesn’t need to use personal data to achieve its objectives, it should seek to use anonymous information instead.
The anonymisation technique used must reduce the risk of identifying individuals to a sufficiently remote level so that the information is “effectively anonymised”. Whether the information has been anonymised depends on the circumstances of each individual case. If there are reasonably available means which could be used to identify individuals, then the data has not been effectively anonymised. This is what the ICO refers to as the “reasonably likely” test, which will be dealt with in a later chapter.
The benefits of anonymisation
Where information is anonymous, data protection law does not apply. This means the information can be made available more widely to other organisations or to the public. There is also more opportunity to use anonymous information in innovative ways, since the data protection rules on purpose limitation do not apply. The guidance includes other benefits of implementing effective anonymisation such as reducing reputational risks and questions arising from any inappropriate disclosure of personal data, and helping to navigate potentially complex issues such as when handling Freedom of Information requests.
The guidance confirms that applying anonymisation techniques to personal data does count as processing under the UK GDPR. The processing therefore must have a lawful basis, the purpose must be clearly defined, and the technical and organisational measures used should be outlined.
Pseudonymisation is a technique which replaces or removes information that identifies an individual with some other unidentifiable information, for example replacing names with a reference number. The replaced or removed information should be kept separately and must be protected using appropriate technical and organisational controls.
The benefits of pseudonymisation
The ICO describes pseudonymisation as a “security and risk mitigation measure”. The guidance lists various other benefits of pseudonymisation, including that it can reduce the risk of harm to individuals in the event of a personal data breach and will assist controllers in complying with its obligation to adopt data protection by design.
Pseudonymisation reduces data protection risk, but does not eliminate it, as individuals can still be re-identified using the information that is held separately. Pseudonymous data is still personal data and data protection law still applies to its processing.
What will future chapters of the guidance cover?
The ICO intends to publish further draft chapters for comment throughout the summer and autumn of this year, with future topics to include:
- Identifiability – covering concepts such as the “reasonably likely” and “motivated intruder” tests
- Guidance on pseudonymisation techniques and best practices
- Accountability and governance requirements, including data protection by design and data protection impact assessments
- Anonymisation and research
- Guidance on privacy enhancing technologies (PETs)
- Technological solutions
- Data sharing options and case studies demonstrating best practice
The consultation closes on 28 November 2021 and feedback can be submitted via email@example.com. We will provide further updates on future chapters of the guidance as and when they are published.