On 28 May 2021 the ICO published the first chapter of its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies, as part of a call for views. The call for views is the first stage in the process, and the ICO will consult on the full draft guidance in autumn 2021.
The first draft chapter is an introduction to anonymisation. It defines the concepts of anonymisation and pseudonymisation and sets out the implications of these concepts under UK data protection law.
The draft chapter states that, in the ICO's view, the same information can be personal data to one organisation, but anonymised information in the hands of another organisation. Whether the data is anonymised or is personal data depends on the circumstances, including the perspective of the organisation and the context of the disclosure.
The ICO also refers to the "reasonably likely" test, which involves taking into account all the means reasonably likely to be used, by the organisation or a third party, to identify an individual that the information relates to.
The ICO intends to publish further draft chapters for comment throughout the summer and autumn. These chapters include:
- pseudonymisation techniques and best practices;
- accountability and governance, including data protection by design and DPIAs;
- anonymisation and research;
- privacy enhancing technologies and their role in data sharing;
- technological solutions;
- data sharing options and case studies.
The ICO is calling for views on the first draft chapter of its Anonymisation, pseudonymisation and privacy enhancing technologies draft guidance. We are sharing our thinking in stages to ensure we gather as much feedback as possible to help refine and improve the final guidance, which we will consult on at the end of the year.
This first draft chapter, Introduction to anonymisation, defines anonymisation and pseudonymisation. It explores the legal, policy and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law.