The Office of the Data Protection Commissioner (“ODPC”) has issued helpful guidance in relation to the anonymisation and pseudonymisation of personal data and how to effectively use both in order to protect a person’s right to privacy.
This guidance is welcomed, particularly as organisations prepare themselves for the General Data Protection Regulation (“GDPR”).
What is Anonymisation?
Anonymisation is the processing of data in order to prevent an individual from being identified. Anonymisation will be considered effective if all methods that could be used to identify a subject fail. The Data Protection Acts 1988 & 2003 (“Data Protection Acts”) only govern personal data. If personal data is effectively anonymised, it is no longer considered “personal data” and therefore will not be subject to the Data Protection Acts. If anonymisation of data fails and/or is not possible, then the data must continue to be treated as personal data.
The test for determining whether data would be rendered anonymous is set out in Recital 26 of the Data Protection Directive, and holds that the organisation must examine the ways in which an individual could be identified. The organisation is required to show that the identification of an individual is unlikely, rather than impossible. In order to do so, the organisation should look at all actions that could be taken by an “intruder” in an attempt to identify a subject.
When it comes to the correct technique to use when anonymising data, there is no “one size fits all”. Each situation must be considered on a case-by-case basis. The intended use of the data in question is paramount to the technique a data processor decides to use. The ODPC advises that there are two main genres of anonymisation: “randomisation” and “generalisation”.
Randomisation consists of:
- Altering the data in order to eliminate any links that could be made between the data and the individual.
- “Permutation”, which is moving data around between individuals in order to make the link between the two less likely to be made.
- Reducing the data to include information that is not as precise, reducing the risk of an individual being identified.
Issues to consider when anonymising data:
As with anything that involves a person’s personal data, there are a couple of issues which arise with identifying anonymised data:
- Risk – The anonymisation process will never be 100% effective.
- Singling Out & Data Linking – In this instance, the term “identification” is not restricted to a person’s name or address. It extends to the ability to single out an individual from others by taking one or more pieces of information, which if viewed alone could relate to a number of individuals, but when linked together would narrow the scope of the individuals it would be applicable to.
- Value & Range – If the value of the anonymised information is particularly contentious or sensitive, such as medical records, then particular care must be taken to ensure that all measures have been taken to effectively protect the data. Particular care must also be taken if information that has been processed is to be shared among a wider range of people.
What is Pseudonymisation?
Pseudonymisation of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified. Pseudonymisation often gets confused with anonymisation; however, the two must be seen as different techniques. Pseudonymisation is not considered a form of anonymisation; instead, the ODPC recommends that it should be considered a “security enhancing measure” in order to reduce “linkability in a dataset”.
Care must be given to the reuse of a pseudonym, as the reuse of a pseudonym increases the risk of linking one dataset to another and identifying an individual.
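The linkage risk from reusing a pseudonym, shown as an added example that is not part of the ODPC guidance or of this post. It assumes pseudonyms are derived with HMAC-SHA256 (one common approach, not one the guidance prescribes); the function names, keys and records are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier; cannot be recomputed without the key."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise_dataset(rows, id_field, key):
    """Return copies of rows with the identifier replaced by its pseudonym."""
    out = []
    for row in rows:
        new = {k: v for k, v in row.items() if k != id_field}
        new["pseudonym"] = pseudonymise(row[id_field], key)
        out.append(new)
    return out


def linked_records(dataset_a, dataset_b):
    """Join two pseudonymised datasets on the pseudonym, as an intruder holding both could."""
    by_pseudonym = {r["pseudonym"]: r for r in dataset_a}
    return [{**by_pseudonym[r["pseudonym"]], **r}
            for r in dataset_b if r["pseudonym"] in by_pseudonym]


# Constructed sample data: the same person appears in both datasets.
CLINIC = [{"email": "a.byrne@example.com", "diagnosis": "asthma"},
          {"email": "c.walsh@example.com", "diagnosis": "diabetes"}]
GYM = [{"email": "A.Byrne@example.com ", "town": "Athlone", "birth_year": 1984},
       {"email": "d.nolan@example.com", "town": "Sligo", "birth_year": 1990}]


def demo():
    # Same key for both datasets: the pseudonym is reused and becomes a join key.
    shared_key = secrets.token_bytes(32)
    reused = linked_records(pseudonymise_dataset(CLINIC, "email", shared_key),
                            pseudonymise_dataset(GYM, "email", shared_key))
    # A separate key per dataset: the pseudonyms no longer match across datasets.
    separate = linked_records(
        pseudonymise_dataset(CLINIC, "email", secrets.token_bytes(32)),
        pseudonymise_dataset(GYM, "email", secrets.token_bytes(32)))
    return reused, separate


if __name__ == "__main__":
    reused, separate = demo()
    print("reused pseudonym:", reused, "| per-dataset keys:", separate)
```

Per-dataset keys only remove the pseudonym as a join key; the remaining attributes can still single out an individual when combined, which is why the data stays personal data.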
As highlighted in our previous blog, in order to minimise risk and protect your organisation, where possible reduce the amount of personal data your organisation holds. For personal data that must be retained, consider the options of anonymisation and pseudonymisation to further minimise risk and protect the personal data and privacy rights of data subjects.
We expect a heightened focus on pseudonymisation, as it is explicitly recognised in the General Data Protection Regulation (“GDPR”) and considered to be an appropriate technical and organisational measure, which can be implemented to help meet the requirements of the GDPR and protect the rights of data subjects.
The guidance issued by the ODPC should be considered alongside the guidance set out in the links below:
- Anonymisation Techniques
- Guidance note on processing and sharing personal data
- Guidance note on data protection principles