As businesses and society become ever more data-rich, data minimisation techniques become increasingly important. In August 2016, the Data Protection Commissioner (“DPC”) published guidance on the use of data anonymisation and pseudonymisation. This follows similar guidance published by EU regulators in 2014.
The DPC’s guidance focuses on the effectiveness of anonymisation techniques and provides recommendations for organisations wishing to use these techniques. Given that the Data Protection Acts 1988 and 2003 (the “Acts”) are silent on this point, each organisation must ensure that the techniques it uses are sufficiently robust to avoid the identification of individuals.
The new guidance acts as a useful resource for organisations that already use anonymisation and pseudonymisation techniques. Similarly, it is also instructive for organisations wishing to make use of those techniques, especially given the incentives for organisations to use pseudonymisation techniques under the General Data Protection Regulation (“GDPR”).
We take a look at some key points from the DPC’s guidance note.
What are anonymisation and pseudonymisation?
Anonymisation of data is a technique used to irreversibly prevent an individual being identified from that data. Pseudonymisation, on the other hand, is not a method of anonymisation. Instead, it is a method of replacing one attribute in a record, such as a name, with another, such as a unique number. Given this, pseudonymisation still allows an individual to be identified, but indirectly.
Importantly, the DPC warns that while pseudonymisation is a useful security measure, pseudonymised data remains ‘personal data’ as defined in the Acts. By contrast, the DPC recognises that effectively anonymised data is not personal data and therefore falls outside the scope of the Acts.
The scope of ‘personal data’
In the DPC’s view, the threshold for truly anonymised data is extremely high. To meet this threshold, organisations must take appropriate steps to ensure that individuals are not identified by or identifiable from the data in question. In other words, organisations must ensure that the information can no longer be considered personal data.
In order to determine whether an individual is identified or identifiable, the DPC suggests that organisations should consider whether a person can be distinguished from other members of a group. According to the DPC, a person is identifiable even if identification is merely a possibility (in other words, even if the person has not actually been identified).
As seen in our recent blog on the Breyer case, the Data Protection Directive contains a broad test for determining whether an individual is identifiable. With this in mind, organisations should consider all conceivable means and data sets in their possession, or in the possession of a connected third party, that could be used to identify an individual.
Re-identification risks and deletion of source data
The effectiveness and strength of any anonymisation technique is primarily based on the likelihood of re-identifying an individual. According to the DPC, there are a number of ways in which data can be re-identified, such as ‘singling out’, ‘data linking’, ‘inference’ and ‘personal knowledge’. The DPC accepts that it is impossible to state with any certainty that an individual will never be identified from an anonymised data set. This is because more advanced data de-identification technologies may be developed and additional data sets may be released into the public domain allowing for cross-comparison of data. This, again, sets the bar very high for true anonymisation.
In assessing the risk of re-identification, the DPC suggests that organisations should consider whether the data can be re-identified with reasonable effort by someone within the organisation or by a potential “intruder”. In carrying out this analysis, organisations should take into account technological capabilities along with the information that is available for re-identification.
If organisations intend to make anonymised data available to the public, the DPC warns that there is a much higher burden on ensuring that the information is effectively anonymised so that individuals cannot be identified.
Importantly, the DPC advises that if an organisation retains the underlying source data following anonymisation, the “anonymised” data will still be considered to be personal data.
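The points above (pseudonymisation as attribute replacement, the re-identification routes the DPC names, and the effect of retaining the source data) can be made concrete with a small risk-assessment script. The following Python is an added example written for this post, not code from the DPC guidance; the records, the external list and the key are all constructed, and the `k_anonymity` measure and the function names are ours. It shows that a keyed token replaces the name but is reversible while the lookup table is kept, then runs the three checks an organisation would want before calling the output anonymised: singling out (a record whose quasi-identifiers are unique), data linking (a unique join against an external data set that still carries names) and inference (a group whose sensitive value is uniform). A generalisation step illustrates one mitigation.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample data set (fictional people); not taken from the guidance.
SOURCE_RECORDS = [
    {"name": "Aoife Byrne", "postcode": "D02", "birth_year": 1985, "diagnosis": "asthma"},
    {"name": "Brian Kelly", "postcode": "D02", "birth_year": 1985, "diagnosis": "diabetes"},
    {"name": "Ciara Walsh", "postcode": "D08", "birth_year": 1972, "diagnosis": "asthma"},
    {"name": "Dara Murphy", "postcode": "D08", "birth_year": 1972, "diagnosis": "asthma"},
    {"name": "Eoin Ryan",   "postcode": "D15", "birth_year": 1979, "diagnosis": "migraine"},
]
# Constructed external data set that still carries names (a published list, say).
EXTERNAL_LIST = [
    {"name": "Eoin Ryan",   "postcode": "D15", "birth_year": 1979},
    {"name": "Aoife Byrne", "postcode": "D02", "birth_year": 1985},
]
# Attributes that are not direct identifiers but together can distinguish a person.
QUASI_IDS = ("postcode", "birth_year")


def _qi(record, quasi_ids):
    """The quasi-identifier tuple of one record."""
    return tuple(record[q] for q in quasi_ids)


def pseudonymise(records, key):
    """Replace the direct identifier (name) with a keyed token.

    Returns the pseudonymised records and the token -> name lookup table.
    That table (or the key) is the retained source data: while it exists,
    the output is still personal data in the DPC's view."""
    lookup, out = {}, []
    for r in records:
        token = hashlib.blake2b(r["name"].encode(), key=key, digest_size=8).hexdigest()
        lookup[token] = r["name"]
        out.append({"id": token, **{k: v for k, v in r.items() if k != "name"}})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """With the lookup table retained, pseudonymisation is simply reversed."""
    return [lookup[r["id"]] for r in pseudo_records]


def singled_out(records, quasi_ids):
    """'Singling out': records whose quasi-identifier combination is unique."""
    counts = Counter(_qi(r, quasi_ids) for r in records)
    return [r for r in records if counts[_qi(r, quasi_ids)] == 1]


def linkable(records, external, quasi_ids):
    """'Data linking': names recoverable by a unique join on quasi-identifiers
    against an external data set, with no access to the lookup table."""
    index = defaultdict(list)
    for r in records:
        index[_qi(r, quasi_ids)].append(r)
    hits = {}
    for e in external:
        matches = index.get(_qi(e, quasi_ids), [])
        if len(matches) == 1:
            hits[e["name"]] = matches[0]["diagnosis"]
    return hits


def inferable(records, quasi_ids, sensitive):
    """'Inference': groups of size > 1 whose sensitive attribute is uniform, so
    the value is learned without picking out any one record."""
    values, sizes = defaultdict(set), Counter()
    for r in records:
        k = _qi(r, quasi_ids)
        values[k].add(r[sensitive])
        sizes[k] += 1
    return {k: next(iter(v)) for k, v in values.items() if sizes[k] > 1 and len(v) == 1}


def k_anonymity(records, quasi_ids):
    """Smallest group size over the quasi-identifiers; k == 1 means someone is singled out."""
    return min(Counter(_qi(r, quasi_ids) for r in records).values())


def generalise(records):
    """One mitigation: coarsen quasi-identifiers (year -> decade, postcode -> district letter)."""
    return [{**r, "birth_year": r["birth_year"] // 10 * 10, "postcode": r["postcode"][0]}
            for r in records]


if __name__ == "__main__":
    pseudo, lookup = pseudonymise(SOURCE_RECORDS, b"constructed-demo-key")
    print("reversible with lookup table:", reidentify(pseudo, lookup))
    print("singled out:", [r["id"] for r in singled_out(pseudo, QUASI_IDS)])
    print("linkable via external list:", linkable(pseudo, EXTERNAL_LIST, QUASI_IDS))
    print("inferable groups:", inferable(pseudo, QUASI_IDS, "diagnosis"))
    print("k before / after generalisation:",
          k_anonymity(pseudo, QUASI_IDS), k_anonymity(generalise(pseudo), QUASI_IDS))
```

Note that generalisation raises k but does not touch the inference problem (both D08 records still share a diagnosis), which is why the DPC recommends combining techniques rather than relying on any one of them.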
Impact of the GDPR
The GDPR, which comes into force in May 2018, explicitly recognises the concept of pseudonymisation. It is characterised as a privacy enhancing and data minimising technique, aimed at protecting and reducing the risk to individuals and enabling greater data utility. Like the DPC’s guidance, the GDPR still counts pseudonymised data as “personal data”.
Given that the GDPR imposes greater obligations on organisations, anonymisation and pseudonymisation techniques may offer the chance to ease the compliance burden. Under the GDPR, pseudonymisation should allow organisations greater scope to process data beyond the original collection purposes.
Pseudonymisation is also a central feature of privacy by design, a concept which is introduced by the GDPR. Similarly, pseudonymisation can assist data controllers in meeting their security requirements under the GDPR.
The main takeaway from the DPC’s guidance is the considerable threshold for rendering data truly anonymous. Pseudonymisation alone is not sufficient to render personal data anonymous and the DPC recommends using a combination of anonymisation techniques. In our next post, we will take a look at some of the anonymisation techniques examined by the DPC. We will also consider what obligations arise for organisations that want to employ anonymisation techniques.