The Information Commissioner's Office (ICO) has recently published its latest data protection code of practice, providing guidance for organisations on managing the risks associated with the anonymisation of personal data.
Anonymised data is a set of data which cannot be used to identify the individuals listed within it, even if it is cross-referenced with other information which is already in the public domain. Used properly, anonymisation means that a great deal of useful information can be made publicly available without threatening the privacy of the individuals involved. The use of anonymised data has become increasingly common in recent years and it has many different applications – for example, it can be used in medical and statistical research and as a way of providing public access to information held by the government.
However, there are risks involved in anonymisation. Although a set of data may appear to have been anonymised, this may not be the case if it is possible to compare the data with other information available in the public domain to discover the identity of individuals listed within the database. The ICO recognises that no anonymisation technique will be 100% effective, but has published the code with the intention of encouraging organisations to use best practice to minimise the risks involved. Organisations which have made individuals' personal information available through poor anonymisation procedures may find themselves subject to enforcement action by the ICO.
The code of practice provides a wealth of information for organisations which are planning to anonymise a set of data. The code:
- sets out the legal framework for the anonymisation process;
- suggests methods which organisations should use to ensure good practice in anonymising data;
- provides information about whether the consent of the individuals concerned is necessary to produce or disclose anonymised data;
- includes guidance for organisations on how location data should be used;
- states when it is appropriate for organisations to withhold anonymised data;
- provides information on the structures which should be put into place by organisations intending to anonymise data to ensure effective governance. This should include staff training procedures, management of the anonymisation process, assessment of the impact on the privacy of the individuals concerned and an effective disaster recovery procedure.
As well as publishing the code, the ICO has announced that it will be funding the development of a new UK Anonymisation Network (UKAN). This network will comprise a number of experts in the field, who will be working to provide information to organisations (within both the public and private sectors) about good practice in anonymisation.