ICO publishes draft anonymisation and pseudonymisation guidance
The Information Commissioner’s Office has published the first draft chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, and has launched a consultation seeking feedback on the draft guidance. This first chapter, Introduction to Anonymisation, defines anonymisation and pseudonymisation, and explores the legal, policy and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law.
The Information Commissioner’s Office (ICO) has published this first draft chapter of guidance to sit alongside the existing data sharing code of practice. The guidance is intended to provide information on anonymisation and pseudonymisation as methods of using and sharing personal data while making sure that individuals are not identifiable. The ICO believes that anonymisation strikes a balance between allowing for the availability of rich data resources while protecting individuals’ privacy.
Anonymisation is the process of turning personal data into anonymous information, such that individual to whom the data relates is no longer identifiable. Once information is anonymous, data protection legislation no longer applies to it, meaning that you will not be required to comply with the principles of data protection law when processing the now anonymous information.
The term “anonymisation” is used to refer to the broad range of techniques and processes that can be used to prevent the identification of individuals to whom data relates. Regardless of the technique used, data protection legislation will only become inapplicable if the data is effectively anonymised. While 100% or absolute anonymisation is the most desirable outcome, this will not always be possible in the context of the data in question and the technology available. Similarly, even when anonymisation techniques are used, there may still be a risk of the relevant individual being identified. This risk does not mean that the anonymisation technique is ineffective, nor that the data is not effectively anonymised for the purposes of data protection law.
Anonymisation limits your data protection risks. It is far easier to disclose anonymous information than personal data, as fewer legal restrictions apply. Additionally, anonymous information can be used in new and different ways, as the data protection rules on purpose limitation are not applicable.
The ICO’s draft guidance sets out some of the wider benefits of implementing anonymisation, including:
- Developing public trust and confidence by protecting privacy.
- Greater transparency, as you can make anonymous information more widely available.
- Incentivising researchers and others to use anonymous information instead of personal data.
- Economic and societal benefits from the availability of rich data sources.
- Improved public authority accountability through better availability of information about service outcomes and improvements.
It is important to note that the anonymisation of personal data does count as processing for the purposes of data protection law. This means that you will need to comply with data protection requirements for processing when applying anonymisation techniques to personal data. While it is highly unlikely that anonymisation would ever be found to be unlawful, it will still be necessary to clearly define the purpose of the anonymisation, and to detail the technical and organisational measures you intend to implement to achieve it.
Anonymisation means that individuals are not identifiable, such that the newly anonymised information is not subject to data protection law. By contrast, pseudonymisation means that, while individuals are not identifiable from the dataset itself, they can be identified by referring to other information held separately. As such, pseudonymous data is still personal data, and data protection law applies. Pseudonymisation involves replacing or removing information that identifies an individual; for example, replacing a name with a reference number.
Because data protection law still applies to pseudonymous data, there is a risk that data that has been broadly referred to as anonymised may in fact contain pseudonymous data, meaning that the data protection legislation may be mistakenly disregarded in the belief that no personal data is being processed.
However, there are benefits of pseudonymisation, as addressed in the ICO’s draft guidance.
- General Analysis: pseudonymisation enables you to undertake general analysis of pseudonymised datasets that you hold, provided that you put in place appropriate technical and organisational measures.
- Purpose Limitation: pseudonymisation is a factor when deciding if further processing for a new purpose is compatible with its original purpose, while providing an important safeguard in the processing of personal data for scientific, historical, and statistical purposes.
- Data Protection by Design: pseudonymisation allows you to implement appropriate safeguards for personal data being processed, at both the design stage and throughout a project lifecycle.
- Security: pseudonymisation is referenced as an appropriate technical and organisational measure in the UK GDPR’s provisions on security of data processing.
- Personal Data Breach Notifications: pseudonymisation techniques can reduce the risk of harm to individuals that may arise from personal data breaches and can help you in assessing when you need to notify individuals of such breaches.
- Individual Rights: pseudonymisation may reduce the amount of data you have to consider when responding to requests from individuals, where your purposes of processing do not or no longer require identification of individuals. For example, where you can demonstrate that you are not in a position to identify individuals, the individual’s rights of access, rectification, erasure and data portability do not apply. However, you must be able to respond to such requests if individuals provide you with additional information enabling their identification.
The ICO is set to continue publishing draft chapters of the guidance throughout the Summer and Autumn, covering identifiability, pseudonymisation techniques, guidance on privacy enhancing technologies, and more. The consultation on the guidance opened on 28 May 2021 and is set to continue until 28 November 2021. The ICO has said that input at this early stage can make a significant difference, as they will be using the feedback from the consultation to inform their work in developing the guidance.
If you have any questions arising from this article or would like to discuss how you might make improvements to your data protection policies, please contact Cathrine Ripley or one of the other members of FSP’s Commercial & Technology team.