On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).
Continue Reading ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET

The UK’s data protection authority, the Information Commissioner’s Office (ICO), is calling for views on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, available in draft here.

The guidance will help organisations to identify the issues they need to consider in order to use anonymisation techniques effectively. The guidance will sit alongside the ICO’s data sharing code of practice, which provides guidance on how to lawfully share personal data, and offers organisations an alternative way of using or sharing data through anonymisation.

The first chapter introduces and defines anonymisation and pseudonymisation, and places the concepts within the framework of data protection law in the UK.
Continue Reading The ICO publishes first chapter of its new draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies

The ICO Data Sharing Code of Practice which was published earlier this year aimed to provide organisations with practical guidance for data sharing in compliance with data protection law, which we previously wrote about here.

The ICO are aware that data sharing encompasses many other dimensions and thus that the guidance would be updated on an on-going basis. As part of this, the ICO outlined its plans to update its guidance on anonymisation and pseudonymisation and on exploring privacy enhancing technologies. The refreshed guidance will assist in some of the challenges that organisations may face such as determining whether data is personal data or anonymous information and providing appropriate controls that should be adopted.
Continue Reading The ICO unveils its plans for updating anonymisation guidance

In April, the EU’s Article 29 Working Party (Working Party) adopted an opinion on Anonymisation Techniques (Opinion). The Opinion is designed to provide guidance for organisations on the use of common anonymisation techniques, and the risks that can be presented by them.

When data is truly anonymised – so that the original data subject cannot

The UK Information Commissioner’s Office (ICO) has published a code of good practice on managing the risks related to anonymisation. Christopher Graham, UK Information Commissioner, believes this to be the first code of practice on anonymisation to be published by any European data protection authority, but Liechtenstein published a guide on anonymisation and pseudonymisation earlier

This post was written by Nick Tyler.

In a case involving the “extraordinary rendition and related issues” of individuals detained or captured by UK soldiers in Iraq and Afghanistan, the Upper Tribunal (Administrative Appeals Chamber) has taken what many will view as a practical and realistic approach to when personal data can be anonymised effectively and thereby fall outside the scope of the UK Data Protection Act 1998 (DPA), so enabling disclosure without constraint.

The Tribunal dismissed the concerns of both the data controller, the Ministry of Defence (MoD) and the UK’s data protection regulator, the Information Commissioner, about the extent to which the information requested could be appropriately redacted to ensure anonymisation while the MoD continued to hold the original source personal data, including identifying information.

The long-held view among European data protection regulators has been that anonymisation cannot be achieved unless the key to identification – almost always held by a data controller – is permanently destroyed. This ruling challenges that prevailing view.

The Tribunal took the view that careful redaction of the key information that would enable identification of any individual, can mean that data is not personal data and so falls outside the scope of the DPA.Continue Reading Plain Vanilla or Rocky Road? – UK Tribunal ruling on release of anonymised data sure to court controversy