This new ICO draft guidance (available here) is an update of the 2012 ICO guidance (available here). For the time being, the ICO has published a draft update of the first chapter of the 2012 guidance, which focusses on the concepts of anonymisation and pseudonymisation. This blog will take you through the main take-aways of the updated guidance (the "Guidance") and its practical implications.
Achieving successful anonymisation of a data set will determine whether its use is subject to data protection law or not. It is common that pseudonymised data sets are wrongly described as "anonymous". However, the difference is that in anonymous data sets individuals cannot be re-identified by any means reasonably likely to be used, whereas individuals in pseudonymised data sets can be identified by referring to another data set held separately.
A question we need to consider is whether the legal test for anonymisation under UK data protection law post-Brexit sets a lower threshold than under the EU GDPR. We will only understand this when the Guidance is published in full. EU regulatory guidance on this topic dates back to 2014 (here). Misalignment between the EU and UK data protection regimes will pose challenges for organisations operating on both sides of the English Channel.
In more detail:
Who is the Guidance for?
Those wishing to anonymise personal data, for example, in order to improve services or design new products or collect large volumes of data to train AI models. Another example may be where an organisation wishes to process anonymous information for research purposes, or to share it for wider societal benefits.
What will the Guidance cover?
The new ICO Guidance on anonymisation will cover the areas below. For the time being, the ICO has published draft guidance on Part 1.
Part 1 – Introduction to the concept of anonymisation and pseudonymisation.
Part 2 – Identifiability. Managing the risk of re-identification and concepts like the 'reasonably likely' and 'motivated intruder' tests.
Part 3 – Accountability and governance requirements.
Part 4 – The role of anonymisation in the context of research.
Part 5 – Anonymisation techniques, technological solutions, case studies and practical examples.
When is data anonymised or pseudonymised?
- Anonymised data is data which does not relate to an identified or identifiable individual (so, the reverse of personal data). Data protection law generally does not apply to anonymised data (although other rules may sometimes apply, e.g. cookie rules apply even if personal data is not processed!).
- Data will be anonymised when you have reduced the risk of identifying individuals to a sufficiently remote level so that the information is effectively anonymised.
- The ICO highlights that the same dataset may be anonymous to one organisation but not to another, depending on the circumstances. This is because whether data is anonymous or not will depend on the means likely to be used in order to identify an individual (the so-called 'reasonably likely test'). This follows the test set out by the EU Court of Justice in Breyer, which treated dynamic IP addresses as personal data (C-582/2014).
- Pseudonymisation is not the same as anonymisation. Anonymisation is the process of turning personal data into anonymous information. Pseudonymisation is the process whereby organisations will reduce the data protection risk but not eliminate it. Pseudonymised data is still personal data.
- You must consider the circumstances in order to decide on which anonymisation technique you will use. 100% anonymisation is the most desirable position BUT it is not always necessary in order to comply with data protection law. For information to be 'effectively anonymised' you must be able to mitigate the risk of re-identification until it is sufficiently remote.
- Do anonymise your personal data if you don't need to process personal data for the purposes you are trying to achieve. However, anonymisation is not always possible.
- The act of anonymising personal data is an act of 'processing' in itself, so you will need to ensure that you have a legal basis for processing and that you apply the relevant technical and organisational security measures etc. However, one may argue that this is a very technical application of the law and it may potentially create barriers to anonymisation without any obvious benefit to data subjects.
- Pseudonymisation is a technique that replaces or removes information that identifies the individual. The 'additional information' that allows re-identification should be held separately and protected. Pseudonymisation will not remove the restrictions under the law but it will act as a security measure and reduce the risks to individuals' data privacy.
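The separation described in the bullets above, as an added example that is not taken from the ICO Guidance or from this blog: it assumes a keyed hash (HMAC-SHA256) as the pseudonymisation method, and the records, field names and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; "email" is the direct identifier.
RECORDS = [
    {"email": "alice@example.org", "postcode": "AB1", "visits": 3},
    {"email": "bob@example.org", "postcode": "CD2", "visits": 7},
]

# The key is part of the 'additional information': held separately from the data.
KEY = secrets.token_bytes(32)


def token_for(identifier, key):
    """Derive a keyed token (HMAC-SHA256, an assumed method) for an identifier."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, id_field, key):
    """Return (rows without the identifier, lookup table token -> identifier)."""
    rows, lookup = [], {}
    for rec in records:
        token = token_for(rec[id_field], key)
        lookup[token] = rec[id_field]
        row = {k: v for k, v in rec.items() if k != id_field}
        row["token"] = token
        rows.append(row)
    return rows, lookup


def reidentify(row, lookup):
    """Re-identification is a lookup for whoever holds the additional information."""
    return lookup.get(row["token"])


if __name__ == "__main__":
    rows, lookup = pseudonymise(RECORDS, "email", KEY)
    print(rows[0])                      # shared data set: no email field
    print(reidentify(rows[0], lookup))  # holder of the lookup table
    print(reidentify(rows[0], {}))      # recipient without it
    # The key holder can also recompute a known person's token and find their row.
    print(token_for("bob@example.org", KEY) == rows[1]["token"])
```

The remaining columns (here `postcode` and `visits`) are left untouched, so whether a recipient could still single someone out from them is a separate question under the 'reasonably likely' test.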
Why is this important to you?
Below is a summary of the benefits of pseudonymisation and anonymisation in the eyes of the ICO.
| Benefits of pseudonymisation | Benefits of anonymisation |
|---|---|
| It allows controllers to carry out 'general analysis' of the pseudonymised datasets that you hold so long as you have put appropriate security measures in place (Recital 29 UK GDPR). | It will allow you to limit data protection risks. It will reduce the risks of questions, complaints and disputes regarding personal data disclosure. |
| It will influence your 'compatible processing assessment' (so, effectively, it may help process the data for further purposes). | It will allow you to comply with the data minimisation principle. |
| It will help you comply with the data protection by design requirement. | It will allow you to use anonymous information in new and different ways (as the purpose limitation principles will not apply). |
| It will count as 'appropriate technical and organisational security measures' for the purposes of data protection law compliance. | |
| It may reduce the risk of harm to individuals arising from a personal data breach. This will have an impact on your assessment as to whether notification is required. | It will allow you to protect personal data and individuals' identities. |
| It may reduce the amount of data within scope when responding to a data subject rights request (so long as individuals do not provide you with the additional information that will allow you to identify them). | It will encourage organisations such as researchers and others to use anonymous information. |
What next?
Pseudonymising or anonymising your data sets is likely to have commercial benefits and to help you comply with data protection law. Whether a data set has been "effectively anonymised" or not will depend on the circumstances. Further guidance on "identifiability" (Part 2 – see above) should address the question of how to effectively anonymise a data set.
If you don't need personal data: anonymise the data set. This will allow you to do more with the data and it will remove GDPR compliance 'headaches'. If you still need to identify individuals, consider pseudonymisation as this will allow you to achieve a higher level of compliance and it may facilitate compliance down the line (e.g. when assessing the risks of harm arising from personal data breaches).
We will continue to report on the update of the anonymisation guidance and its likely implications for UK / EU organisations.