Several clients have asked us whether they can avoid the full spectrum of GDPR compliance by anonymising employee personal data. In the latest GDPR Bitesize we share our views on this issue and suggest that while it might seem tempting to go down this route, clients should be aware that the bar to achieving this standard is set very high.
Why is anonymous personal data exempt from the GDPR?
Personal data that is anonymised is exempt from the requirements of the GDPR, on the basis that the data is no longer identifiable to the individual and therefore carries no risk to their rights and freedoms.
Properly anonymised data can in theory therefore be disclosed without breaching the GDPR. For example, health sector organisations may want to publish statistics about outcomes in an anonymised manner, without seeking permission from individuals.
In many cases in an HR context, an initial challenge will be whether anonymised data is of any use. Outside of statistical analysis, most HR activities will require that the employees/workers can be identified. Where this is no longer necessary, there is likely to be a question as to whether the information is required at all, i.e. the appropriate step may be secure destruction of the data, as opposed to keeping it in anonymised form.
What is anonymised data?
Recital 26 of the GDPR explains that anonymous information means that the data subject is no longer identifiable. The process, however, must be irreversible.
In a transaction situation, e.g. the sale or purchase of a business, even though it is common to remove employee names from information shared, a seller is always going to retain information about their employees, which is then passed to the buyer. As described below, this means that the data could more accurately be described as being ‘pseudonymised’ rather than anonymised. It is difficult to see how pure anonymisation could ever be achievable in a transactional context, given the ability and intention to piece data back together with the identity of the individuals it concerns.
Anonymous or pseudonymous data?
Article 4(5) of the GDPR defines pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” This is a security measure involving a re-identification process, normally using codes where a set of information has a separate key or identifier. Use of pseudonymised data can help manage data protection risk.
How can you anonymise data?
There are different ways of genuinely anonymising data. The two most commonly used are randomisation and generalisation. Randomisation involves the alteration of the data, to remove the link between the individual and the data, without losing the value of the data. Generalisation involves a modification of the level of detail in the data, for example using age ranges from 18-25 rather than a specific age.
Legal basis for processing
Employers should also bear in mind that the act of anonymising personal data is in itself a processing activity. A legal basis for doing this is therefore required, and the processing should not be done in a manner incompatible with the purpose for which it was collected.
Guidance on steps to consider when anonymising data
The issue of identifiability and the risk of re-identification is central to ensuring that personal data is genuinely anonymised. A person does not need to be named to be identified; there are many ways in which a person can be identified and distinguished from a group. Part of the testing process for determining whether personal data has been anonymised is to consider the approach of a hypothetical intruder who might hack the system.
Therefore, in order to validly say that the anonymisation process is irreversible, the organisation needs to consider the various ways in which an intruder applying technology and combining information from different sources could identify an individual. For this reason, specialist organisations are often used to ensure that the process is genuinely irreversible. If this all seems rather implausible, consider this: a study in the US reported that, using only three types of information about an individual, all of which were publicly available (their date of birth, their postcode and their gender), the researchers could uniquely identify 87% of the US population. https://dataprivacylab.org/projects/identifiability/paper1.pdf
Before considering whether to proceed with anonymisation employers should consider the following:
- Whether anonymisation is appropriate for the requirement in question.
- Whether an alternative method of secure processing for employee personal data might be more suitable, given the strict conditions that must be met in order to achieve a genuinely anonymous standard.
- Genuine anonymisation must be permanent and irreversible – if the data can be re-identified, even by convoluted and secure means, this is not anonymisation. Remember that getting it wrong in terms of a personal data breach can pose very serious risks financially and reputationally.
- Tests should be carried out to ascertain whether there are ways in which an intruder infiltrating the system could identify the data either internally or with external data.
- Consider the lawful basis of the anonymisation process as an additional layer of processing and identify whether it is compatible with the original lawful basis for processing.
- The re-identification testing should be monitored and updated as the technology improves and the risks evolve.
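The re-identification test and the generalisation technique described above can be run against a data extract before it is shared. The following Python is an added example, not part of the original article: it counts how many coded employee records remain unique on date of birth, postcode and gender, first as held and then after generalisation. The sample records, the age bands beyond 18-25, the truncation of the postcode to its first part and the minimum group size k are all assumptions made for illustration.

```python
from collections import Counter
from datetime import date

REF_DATE = date(2024, 1, 1)                 # fixed so age bands are reproducible
AGE_BANDS = [(18, 25), (26, 45), (46, 65)]  # assumed; the article only cites 18-25

# Constructed sample: an HR extract with names already replaced by codes.
RECORDS = [
    ("E001", date(1985, 3, 14), "LS1 4AP", "F"),
    ("E002", date(1986, 7, 2), "LS1 5DQ", "F"),
    ("E003", date(1984, 11, 23), "LS1 2HH", "F"),
    ("E004", date(1999, 1, 9), "LS6 3BX", "M"),
    ("E005", date(2001, 5, 30), "LS6 1AA", "M"),
    ("E006", date(2000, 10, 17), "LS6 2PL", "M"),
    ("E007", date(1962, 2, 11), "LS1 4AP", "M"),
]

def exact_key(rec):
    """Quasi-identifiers as held: full date of birth, full postcode, gender."""
    _, dob, postcode, gender = rec
    return (dob, postcode, gender)

def generalised_key(rec):
    """Generalised view: age band, first part of the postcode, gender."""
    _, dob, postcode, gender = rec
    had_birthday = (REF_DATE.month, REF_DATE.day) >= (dob.month, dob.day)
    age = REF_DATE.year - dob.year - (0 if had_birthday else 1)
    band = next((f"{lo}-{hi}" for lo, hi in AGE_BANDS if lo <= age <= hi), "other")
    return (band, postcode.split()[0], gender)

def reidentification_report(records, key, k=3):
    """Group records by quasi-identifier and list those in groups smaller than k."""
    sizes = Counter(key(r) for r in records)
    return {
        "smallest_group": min(sizes.values()),
        "unique": [r[0] for r in records if sizes[key(r)] == 1],
        "below_k": [r[0] for r in records if sizes[key(r)] < k],
    }

if __name__ == "__main__":
    for label, key in (("as held", exact_key), ("generalised", generalised_key)):
        print(label, reidentification_report(RECORDS, key))
```

Any code listed under "unique" can be matched to one person by anyone holding the same three attributes from another source, so removing names alone leaves that record identifiable; here generalisation still leaves one outlier exposed.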