The Information Commissioner’s Office (“ICO”) continues to update its codes of practice and guidance documents. The latest to get the update treatment is its anonymisation guidance, last published in 2012 as a code of practice.
Unusually, the ICO has decided to release the updated guidance for consultation on a chapter-by-chapter basis. As such, the full guidance is not available but, in this blog, the ICO states that the full document will, when complete, cover topics including:
- Anonymisation and the legal framework – legal, policy and governance issues around the application of anonymisation in the context of data protection law;
- Identifiability – outlining approaches such as the spectrum of identifiability and their application in data sharing scenarios, including guidance on managing re-identification risk, covering concepts such as the ‘reasonably likely’ and ‘motivated intruder’ tests;
- Guidance on pseudonymisation techniques and best practices;
- Accountability and governance requirements in the context of anonymisation and pseudonymisation, including data protection by design and DPIAs;
- Anonymisation and research – how anonymisation and pseudonymisation apply in the context of research;
- Guidance on privacy enhancing technologies (PETs) and their role in safe data sharing;
- Technological solutions – exploring possible options and best practices for implementation; and
- Data sharing options and case studies – supporting organisations to choose the right data sharing measures in a number of contexts including sharing between different organisations and open data release. Developed with key stakeholders, our case studies will demonstrate best practice.
In a sign of how the world has moved forward since 2012, the guidance is now “anonymisation, pseudonymisation and privacy enhancing technology guidance” rather than just anonymisation.
Anonymisation and pseudonymisation remain hot topics but are often misunderstood or, at least, conflated. Guidance on the topic, especially around techniques to use, is mixed at best.
The Article 29 Working Party (the predecessor to the European Data Protection Board) issued opinion WP219 on Anonymisation Techniques back in 2014. More recent publications have come from the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the French data protection regulator, the Commission Nationale de l’informatique et des Libertés (CNIL).
The BfDI document is a positioning paper and focuses on the telecoms sector but, together with the CNIL and WP29 guidance, is worth a read if you have the time. An updated anonymisation guidance document from the ICO is to be welcomed though, given the last one dates back nearly 10 years.
The new guidance
At present we only have the first chapter available for review. This covers an introduction to anonymisation and goes some way to clarifying the difference between anonymisation and pseudonymisation, and clarifies the meaning of related terminology, including ‘de-identified personal data’ (spoiler: it’s the same as pseudonymised personal data).
As such, there’s not too much more to say other than to provide an overview of the difference between anonymisation and pseudonymisation, and to remind you to keep an eye on the forthcoming chapters as they become available. We will, of course, be reviewing them and providing updates.
What is data anonymisation and pseudonymisation?
As covered above, there is a common misconception that personal data is anonymised when it is, in fact, pseudonymised. The guidance, once complete, will hopefully make the difference clearer. In overview:
- Data anonymisation: As outlined in Recital 26 of the UK GDPR, it is “the way in which you turn personal data into anonymous information, so that it then falls outside the scope of data protection law. You can consider data to be effectively anonymised when it: does not relate to an identified or identifiable individual; or is rendered anonymous in such a way that individuals are not (or are no longer) identifiable.”
- Data pseudonymisation: Article 4 of the UK GDPR defines it as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
In short, data is anonymised if all personal identifiers are irretrievably removed. If individuals can be identified from the data by reference to other data available to the controller/recipient, then it is pseudonymised.
When considering whether data is anonymous or pseudonymous (because it can sometimes be a grey area), consideration needs to be given to the means that are reasonably likely to be used to identify an individual.
This means, for example, that data that is pseudonymous to one organisation (because of other data they hold) may be anonymous to another organisation because they don’t hold the other data, so the means and likelihood of them otherwise linking the data to identifiable individuals is low.
What next for the guidance?
Because of the complexities surrounding data anonymisation and pseudonymisation, and to make the updated guidance as useful as possible, the ICO has stated that it will be seeking engagement on the guide before formalising it. The body will be “gathering insight and feedback from industry, academia and other key stakeholders to better understand the real-world challenges and where our guidance can be most effectively targeted.”
As a specialist data protection consultancy, Evalian is well placed to assist you with navigating the complexities of the uncertain and constantly changing data protection landscape. If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.