The low-down on Anonymisation and Pseudonymisation

The ICO has recently published guidance on anonymisation and pseudonymisation to help organisations reduce the risks that come with sharing personal data. We take a closer look.

Anonymisation and Pseudonymisation – what are they?

These are both techniques that can be used in data processing to minimise the use of personal data – that is, information relating to living individuals (data subjects) – making it less burdensome to store and share, as fewer legal restrictions apply. This is an obvious advantage for businesses that are not heavily reliant on personal data to conduct their activities and wish to lower their risk profile and increase the transparency of their processing.

Anonymisation refers to the way that personal data is turned into anonymous information, meaning that the information does not relate to an identified or identifiable natural person, i.e. any personal identifiers are removed. While organisations processing personal data must comply with data protection law, anonymised information falls outside the scope of data protection law, although it may be caught by other legislation; for example, the Privacy and Electronic Communications Regulations 2003 (PECR) apply to the storage of ‘information’.

Data needs to be ‘effectively anonymised’ to ensure that the status of the data meets the legal threshold for anonymisation under UK GDPR. Any information that does not meet the threshold cannot be said to be anonymous and must therefore be treated as personal data. Effective anonymisation can be made more difficult where an organisation holds large datasets. In these situations, specialist advice may need to be sought to ensure that this is done correctly.

Pseudonymisation is not the same as anonymisation, and it is important to distinguish the two because they are treated differently in law. Pseudonymisation is a technique that replaces information that directly identifies people, or that ‘decouples’ that information from a dataset. For example, people’s names are replaced by a number. In this way, the people within the dataset cannot be identified unless information from another dataset is used. For this reason, pseudonymised data is still personal data and is subject to data protection law. The risk of identification is reduced but not removed, and organisations should be mindful not to confuse the two concepts and risk falling foul of the compliance requirements. While pseudonymisation reduces the links between people and the personal data that relates to them, it does not remove them entirely. Anonymisation, by contrast, prevents there being any link between the information and the person concerned.

How can anonymisation and pseudonymisation be used?

Anonymisation is not always necessary or desirable. However, if an organisation does not particularly need to use personal data to carry out its business, then anonymous information can be used instead. The actual process of anonymisation will still count as processing personal data, and so the usual rules applicable to the protection of this data must be complied with, for example ensuring you have a lawful basis for holding the data and providing people with clear information about what you will do with their information and why. However, the end result (i.e. the anonymised information) will not be subject to data protection law and is a good way of reducing risk, in line with the privacy by design approach of the GDPR.

The ICO’s guidance illustrates the use of anonymisation and pseudonymisation with the example of a retail company collecting customer transaction data to analyse shopping patterns for use in marketing strategies:

  • An anonymised dataset contains only statistical information on customers’ shopping patterns without any link to specific individuals. The anonymised data can then be shared with external marketing consultants because they only need information about patterns, not information about the behaviour of individuals.
  • The retail company also needs to use the customer data for its loyalty card scheme. It needs to keep the customer data secure but also maintain the identity of customers so that it can track customer purchase history. Using tokenisation, each customer is assigned a unique pseudonym. The direct and indirect identifiers are stored separately in a secure database. The pseudonymised dataset includes information such as total spend, product preferences, and loyalty points; this data cannot be re-identified without linking it to the separately held identity data. The company can use the pseudonymised data to understand shopping patterns (e.g. which products are popular and peak shopping times) without needing to directly identify people. It would only need to link the two datasets together if, for example, it wanted to send tailored marketing to customers based on their individual shopping habits.
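To make the retail example concrete, here is an added illustration in Python (not code from the ICO guidance or this article): a constructed set of transactions is tokenised with a keyed hash, the identity table is kept as a separate store that only the re-linking step reads, and an aggregate-only view is produced for the external consultants. The key, field names and sample records are assumptions for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample transactions (not real customer data).
TRANSACTIONS = [
    {"name": "Alice Smith", "email": "alice@example.com", "product": "coffee", "pence": 450, "hour": 8},
    {"name": "Bob Jones", "email": "bob@example.com", "product": "bread", "pence": 220, "hour": 18},
    {"name": "Alice Smith", "email": "alice@example.com", "product": "bread", "pence": 220, "hour": 18},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(transactions, key):
    """Tokenise each customer and split the data into two stores.

    Returns (identity_table, pseudonymised): the identity table maps token ->
    direct identifiers and is meant to be held separately; the pseudonymised
    rows carry only the token plus transaction fields. The token is a keyed
    HMAC of the identifiers, so the same customer always gets the same token
    (purchase history still works), whereas a plain unkeyed hash of an e-mail
    address could be reversed by hashing candidate addresses.
    """
    identity_table, pseudonymised = {}, []
    for t in transactions:
        ident = "|".join(t[f].strip().lower() for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        identity_table[token] = {f: t[f] for f in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in t.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"customer_token": token, **row})
    return identity_table, pseudonymised


def purchase_history(pseudonymised, token):
    """Loyalty-scheme view: per-customer history with no direct identifier."""
    return [r["product"] for r in pseudonymised if r["customer_token"] == token]


def anonymise(pseudonymised):
    """Aggregate view for external consultants: only statistics survive."""
    spend_by_product, visits_by_hour = defaultdict(int), defaultdict(int)
    for r in pseudonymised:
        spend_by_product[r["product"]] += r["pence"]
        visits_by_hour[r["hour"]] += 1
    return {"spend_by_product": dict(spend_by_product), "visits_by_hour": dict(visits_by_hour)}


def relink(identity_table, token):
    """The only step that re-identifies someone; it needs the separate store."""
    return identity_table.get(token)
```

The pseudonymised rows remain personal data because `relink` can join them back; only the output of `anonymise` leaves no row per individual.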

Guidance for organisations

In order to assist organisations in navigating their data sharing processes, the ICO has published its Data Sharing Code. This is a statutory code under the Data Protection Act 2018 (DPA 2018) and aims to provide businesses with practical resources to assist them with meeting their accountability obligations under the GDPR and DPA 2018. The ICO Commissioner will take the Code into account when considering whether a business has complied with its obligations when sharing data. As a starting point, businesses should consider whether the data sharing achieves a benefit and is necessary. They should also carry out a Data Protection Impact Assessment (DPIA), as best practice, even if they are not legally required to do so. This aids in risk assessment and demonstrates transparency.

Other useful resources include a data sharing checklist and points to consider when trying to decide whether sharing data is justified, such as considering:

  • what the sharing is meant to achieve;
  • the potential benefits and risks to individuals and wider society;
  • whether it is fair to share the data;
  • whether it is necessary and proportionate to share the data;
  • the minimum amount of data that can be shared; and
  • what safeguards can be put in place to minimise the risk of adverse effects of sharing.

If you have any queries on any of the points raised in this article, or need help with your data protection compliance more generally, please contact [email protected]