In April, the EU’s Article 29 Working Party (Working Party) adopted an opinion on Anonymisation Techniques (Opinion). The Opinion is designed to provide guidance for organisations on the use of common anonymisation techniques, and the risks that can be presented by them.
When data is truly anonymised – so that the original data subject cannot be identified – it falls outside of EU data protection law. The Opinion notes that the re-use of data can be beneficial, providing “clear benefits for society, individuals and organisations”. However, achieving true anonymisation is not easy, and can diminish the usefulness of the data in some circumstances.
The EU regime does not prescribe any particular technique that should be used to anonymise personal data. To guide organisations in designing their own policy on anonymisation, the Opinion examines the two principle forms: (a) randomization and (b) generalization.
In particular, the Opinion looks at the relative strengths and weaknesses of each technique, and the common mistakes and failures that arise in relation to them. Each technique is analysed using three risk criteria, which include:
- The risk that data identifying an individual could be singled out
- The ‘linkability’ of two records that relate to an individual
- Inferences that can be drawn about one set of data based on a second set of data
The Working Party stated that by considering these strengths and weaknesses, organisations will be able to take a risk-based approach to the anonymisation technique used and tailor it to the dataset in question. The Opinion emphasizes that no technique will achieve anonymisation with certainty, and that since the fields of anonymisation and re-identification are actively researched, data controllers should regularly review their policies and the techniques employed.
In addition, the Opinion makes clear that pseudonymisation is not a method of anonymisation in itself. Therefore, organisations that use this technique should be aware that the data they process does not fall outside of the EU data protection regime. These comments are significant because the draft EU General Data Protection Regulation contains specific references to pseudonymisation and the circumstances in which the technique can be used.
At the recent IAPP Europe Data Protection Intensive 2014 held in London, Security Engineering Professor Ross Anderson of the University of Cambridge put to the conference audience that anonymisation will never be a completely infallible tool for the security of personal data – a discussion set in the context of secondary uses of medical records. Despite these wider questions on anonymisation being posed by many, the Working Party’s Opinion will at least provide some useful guidance for organisations that have a need to anonymise data.
Tom C. Evans