On November 20, 2012, the UK Information Commissioner’s Office (“ICO”) published “Anonymisation: Managing Data Protection Risk Code of Practice” (the “Code”). The purpose of the Code is to provide organizations with a framework for assessing the risks of anonymization. It also sets forth good practice recommendations that may be adopted by organizations to provide a “reasonable degree of confidence” that the publication and sharing of anonymized data will not lead to an “inappropriate disclosure of personal data.” The published Code follows a consultation on the same topic earlier this year. The ICO also announced the creation of the UK Anonymisation Network, which will promote the sharing of good practices related to anonymization across the public and private sectors.
The most significant benefit of anonymization is that anonymized data are not considered “personal data,” and therefore are outside the scope of the UK Data Protection Act 1998 (“DPA”). A key challenge for organizations wishing to anonymize data is ensuring that personal data cannot be re-identified. The Code emphasizes that the risk of re-identification through data linkage is “essentially unpredictable because it can never be predicted with certainty what data is already available or what data may be released in the future.” Whether anonymized data will still be personal data is a difficult question, and the answer will vary based on the circumstances.
To assess the risk of re-identification, the ICO recommends that organizations evaluate whether any other person could identify an individual from the anonymized information, either by itself or in combination with other available information. In considering “other available information,” the Code recommends adopting a “motivated intruder” test – that is, asking whether individuals could be re-identified from the anonymized data by someone who is “reasonably competent, has access to resources…and would employ investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject.” The Code also states that where anonymized data is re-identified to create personal data, the person conducting the re-identification will be considered the data controller and will be subject to the usual obligations of a controller under the DPA.
In borderline cases, where the consequences of re-identification may be significant (e.g., where re-identification may leave an individual open to damage or distress), the Code urges organizations to seek consent from data subjects for the disclosure of data (explaining its possible consequences) and adopt a more rigorous form of risk analysis and a stronger anonymization technique.
UK Information Commissioner Christopher Graham said: “We have published our code of practice on managing the data protection risks related to anonymisation to provide a framework for practitioners to use when considering whether to produce anonymised information. The code also aims to bring a greater consistency of approach and to show what we expect of organisations using this data.” He also stated that the ICO recognizes “that anonymised data can have important benefits, increasing the transparency of government and aiding the UK’s widely regarded research community.”
In relation to the creation of anonymized data, the Code states that consent generally is not required in order to legitimize anonymization. The Code states that consent is just one of the legal bases available for legitimizing the processing of personal data under the DPA. The Code notes that, under the DPA, an individual only has the right to prevent the processing of personal data where it causes unwarranted damage or distress; to the extent the anonymization process does not cause unwarranted damage or distress to individuals, the Code states that consent is not required. This position diverges from that of other European data protection authorities.
The Code also includes examples of various anonymization and re-identification techniques and illustrations of how anonymized data can be used for various purposes.
ICO Head of Policy Delivery Steve Wood also posted a blog on the opportunities and risks of anonymization on the ICO’s website.