The UK Information Commissioner’s Office (ICO) has published a code of practice on managing data protection risks related to data anonymisation (the code). The code explains the issues surrounding the anonymisation of personal data and the disclosure of such data once it has been anonymised.
Data protection law does not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. Following the publication of a draft anonymisation code of practice in 2012 and the subsequent review of feedback, the ICO has now published its final form of the code and launched its UK Anonymisation Network to promote good data practice. The code seeks to help organisations to identify the issues that should be considered to ensure the anonymisation of personal data is effective, focussing on the legal tests required in the Data Protection Act 1998 (DPA). It provides an explanation of, and practical advice on, data anonymisation methods and the related risks of publishing personal data. It also includes a range of case studies and examples to make the legal issues easier to understand.
Definition of Terms and Risk Identification
The code points out that the concept and definition of identification and anonymisation are not straightforward. Individuals can be identified in various ways, and re-identification (the process of turning anonymised data back into personal data through the use of data matching or similar techniques) by third parties is a real possibility. This makes it vital for an organisation to undertake a thorough assessment of the risks of identification if it decides to disclose anonymised data.
Ensuring Effectiveness of Anonymisation
The ICO recommends the use of the “motivated intruder” test to assess the risk of re-identification. The motivated intruder is taken to be a competent person with access to publicly available resources, but without any prior knowledge, who wishes to identify the individual relating to the anonymised data. The test is designed to assess whether the motivated intruder would be successful. In practice, the test may involve carrying out a web search to discover whether or not a combination of elements, such as date of birth and postcode, can be used to reveal a particular individual’s identity, using social networking to see if it is possible to link anonymised data to a user’s profile or using the electoral register and local library resources to attempt to associate anonymised data with an individual’s identity.
The code mentions that consent is generally not needed for lawful anonymisation because it could be logistically burdensome or downright unfeasible to obtain such consent.
The code states that organisations that anonymise personal data need an effective and comprehensive governance structure, with senior level oversight of the arrangements that are put in place. It recommends that such a structure includes the following:
- A Senior Information Risk Owner (SIRO) with the technical and legal understanding to manage the process
- Training, so staff have a clear understanding of anonymisation techniques, the risks involved and the ways of mitigating those risks
- Procedures for identifying cases where achieving anonymisation may be a challenge
- A knowledge management system to identify and disseminate new guidance or case law that clarify the legal framework surrounding anonymisation
- A procedure to facilitate the sharing of information on planned disclosures with organisations in the same sector/doing similar work to assess the risk of jigsaw identification
- A privacy impact assessment
- A transparent anonmysiation approach so the public has easy access to clear information concerning why and how personal data is anonymised and whether or not individuals have any control over the anonymisation of their personal data
- A review of the consequences of the anonymisation programme
- A disaster recovery procedure should re-identification occur and lead to a compromise of the privacy of data subjects.
Trusted Third Party
A trusted third party (TTP) is an organisation that can be used to convert personal data into anonymised data. The code highlights the value of using this kind of arrangement, particularly in the context of data anonymisation on behalf of a number of organisations working together in a collaborative project. In such situations, the use of TTP arrangements means that the organisations involved never need to access each others’ personal data, reducing greatly the risk of violating data protection law.
While the code is undoubtedly a useful tool, it is worth remembering that it does not carry the force of law. Compliance with the code’s advice on good practice and the recommendations made are therefore not compulsory where the guidance goes beyond the requirements of the DPA.