The UK Information Commissioner's Office (ICO) last week issued a Code of Practice on anonymisation of personal data (the “Code”). The Code's publication follows a period of consultation in which the ICO sought views on safe anonymisation in light of various commercial "Big Data" initiatives as well as government sponsored transparency projects such as "MiData".

As explained in the Code, effective anonymisation represents a powerful means of overcoming data protection issues as - provided that no living individuals can be identified from a set of data or data which might be matched with it - that information is not subject to the restrictions of the Data Protection Act (DPA).

In particular, the Code details the following:

  • anonymisation is often a better means of compliance than securing a data subject's consent to the use of personal data as consent may be difficult to obtain, is only valid if freely given, and must be able to be withdrawn; 
  • personal data must be effectively anonymised to place it outside the scope of the DPA - in particular if it can be cross-referenced or compared with other available data to identify living individuals, it would still be 'personal data'.
  • disclosure of genuinely anonymised data is not disclosure of personal data even where the data controller holds the key to allow reidentfication to take place – this may be useful, for example, in the context of cloud computing arrangements where providers may hold encrypted data on behalf of customers holding the encryption key; 
  • as a general guide, the 'motivated intruder' test should be applied to determine whether an individual is identifiable: ie would a reasonably competent individual, with the desire to identify a particular individual from anonymised data, and with access to publicly available information sources, be able to do so?;
  • spatial data, such as postcodes or mobile phone location data, may constitute personal data so the ICO recommends it could be anonymised by 'degrading' or 'fading' it, for example removing certain digits from postcodes to 'blur' the specific locations to which they refer;
  • you do not usually have to seek consent to anonymsise personal data – it is likely one of the other conditions for lawful processing will apply however, an organisation’s privacy policy should be transparent and notify data subjects of its anonmyisation activities;
  • in all cases, organisations which anonymise personal data will need a comprehensive and effective governance structure and systems of oversight.

The Code concludes with a series of case studies and examples of how various anonymisation techniques can be used by organisations in practice.

The release of the Code coincides with the creation of an ICO funded UK Anonymisation Network, which will work to facilitate good practice in relation to anonymisation across both the public and private sectors.

An ICO summary of the Code can be found here > and the full version here >