On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).
Chapter 3 ‘pseudonymisation’ explains what pseudonymisation is, the key differences between pseudonymisation and anonymization, and the benefits of pseudonymisation. The Chapter also explores how pseudonymisation can help to reduce risk and allow personal data to be processed for other purposes.
Below we look at some of the key takeaways:
- Difference between pseudonymisation and anonymisation
Data protection law says that anonymous information is information that does not relate to an identified or identifiable individual (and the law does not apply to it) and data that has undergone pseudonymisation remains personal data. The ICO highlights that with pseudonymisation, the processing reduces the links between individuals and the data that relates to them, but does not remove them entirely. While individuals may not be identifiable from the pseudonymous data itself, they can be identified by referring to other information held separately. Both, the dataset and the additional information are therefore still personal data.
The ICO ultimately considers that pseudonymisation is a security and privacy risk management measure. Organisations cannot automatically assume that the pseudonymised data becomes anonymous information in another party’s hands. In practice, this depends on:
- the ability of the recipient to use other information to enable identification;
- the likelihood of identifiability (considering cost, time and state of technology); and
- the techniques and controls placed around data once in the receipt’s hands.
- Benefits of pseudonymisation
When properly applied, pseudonymisation can help to:
- reduce the risk your processing poses to individual rights;
- enhance the security of the personal data you process;
- support re-use of personal data for new purposes;
- support your overall compliance with the data protection principles; and
- build individuals’ trust and confidence in how you process their data.
The ICO acknowledges that pseudonymisation can enable greater utility of the data than anonymisation but reminds organisations that they are responsible for deciding whether and how to effectively implement pseudonymisation.
- How pseudonymisation can help you process data for other purposes
The ICO notes that data protection law may allow repurposing of personal data for some types of processing, if appropriate safeguards such as pseudonymisation are in place. For example, for research, further analysis or compatible purposes. This means that pseudonymisation can be a useful tool to enable further processing of personal data beyond its original purpose. This does not mean pseudonymisation automatically allows further processing in all cases. However, it can be an important way to demonstrate protection of personal data.
- Offences relating to pseudonymisation
The Chapter discusses Section 171 of the Data Protection Act 2018, which specifies two criminal offences relating to the re-identification of de-identified personal data. The first is about the act of re-identification and the second is about the processing of the personal data after the act of re-identification takes place. These are known as the “re-identification offences” and include data that has undergone pseudonymisation. When discussing the defences to such offences, the ICO emphasises that no defence will legitimise unlawful or harmful practices.
- Approaches to pseudonymisation
Chapter 3 also provides advice for controllers with respect to decisions around whether and how to implement pseudonymisation, detailing considerations such as:
- defining the goals of your use of pseudonymisation;
- detailing the risks;
- deciding on the most appropriate technique;
- deciding who does the pseudonymisation; and
- documenting your decisions and risk assessments.
You can provide your feedback on Chapter 3 by emailing firstname.lastname@example.org. The consultation closes on 16 September 2022. In the meantime, the ICO will continue to publish draft chapters for comment at regular intervals. Chapters to follow include, amongst others, accountability and governance requirements in the context of anonymisation and pseudonymisation, anonymisation and research and data sharing options and case studies.