ICO PUBLISHES CALL FOR VIEWS ON ANONYMISATION GUIDANCE

Background

On 28 May 2021, the Information Commissioner's Office ("ICO") published a call for views on the first draft chapter of its anonymisation, pseudonymisation and privacy enhancing technologies draft guidance). This first chapter is part of a series of chapters of guidance that the ICO will be publishing on anonymisation and pseudonymisation and their role in enabling safe and lawful data sharing. Addressed to organisations seeking to anonymise personal data, it seeks to define anonymisation and pseudonymisation and provides some practical advice to such organisations on how to manage their obligations.

The guidance supplements the ICO's Data Sharing Code of Practice (the "Code"), which we discussed in our blog post here. The Code contained guidance on the aspects organisations need to consider while sharing personal data. While the Code briefly touched upon anonymisation and pseudonymisation, it did not address some of the key issues that arise time and again when organisations seek to anonymise and pseudonymise data. This new series of guidance, with its specific focus on anonymisation and pseudonymisation, will hopefully address these issues.

In this blog post, we discuss our key takeaways from the first chapter of the guidance and the impact that it is likely to have.

What is Anonymisation?

The first chapter of the guidance explains that anonymous information is data which does not relate to an identified or identifiable individual. Data protection law does not apply to truly anonymous information. According to the guidance, anonymisation is the way in which personal data is turned into anonymous information, and includes the techniques and approaches which can be used to this end.

The guidance also clarifies that it is not necessary that anonymisation be free of risks, and emphasises that the risk of re-identification should be mitigated to the extent that it becomes sufficiently remote and that information becomes 'effectively anonymised'. In this respect, guidance states that anonymisation is 'effective' when: (a) it does not relate to an identified or identifiable individual; or (b) is rendered anonymous in such a way that individuals are not (or are no longer) identifiable.

Importantly, the guidance makes the important clarification that applying anonymisation techniques to render personal data anonymous is considered a processing activity in of itself, and data protection requirements have to be adhered to while undertaking such processing, which includes informing data subjects that this is to take place.

What is Pseudonymisation?

The first chapter of the guidance confirms that pseudonymisation is a method used to remove or replace information that identifies an individual, for example, by replacing names or other identifiers with codes or numbers. However, the guidance cautions that organisations must take care to maintain the additional information (i.e. the identifiers) separately and protect it using appropriate technical and organisational measures, as individuals can be identified by reference to this additional information.

Crucially, the guidance seeks to address one of the long-debated questions surrounding pseudonymised data – can pseudonymised data be considered anonymised data in the hands of a third party who has no means to re-identify that data?

In this respect, the guidance clarifies that when transferring the pseudonymous data to a third party, an organisation needs to consider the context and circumstances of the transfer – if the third party has no means which are reasonably likely to re-identify the individuals in the transferred dataset, the dataset may be considered 'anonymous information' in the hands of the third party. However, should the transferring organisation still have access to the additional information which can identify individuals, the dataset will continue to be personal data in that organisation's hands. Whilst many organisations have been operating under the assumption that pseudonymised data can be considered anonymised data in the hands of a recipient without the means re-identify that data, this is a welcome and important clarification.

Accordingly, both disclosing and recipient organisations will need to carefully consider whether the data is anonymous or pseudonymous in their hands, to consider their data protection obligations.

The guidance also sets out that pseudonymous data is still personal data and data protection law applies to such data. However, it does not specify if there is any degree of difference in how data protection law will apply to conventional personal data and pseudonymous data. We expect that the ICO will address this issue in the remaining chapters of its anonymisation and pseudonymisation guidance. It remains to be seen what the obligations of a recipient third party will be in context of a pseudonymised dataset it receives, when it does not have the additional information which can re-identify individuals from that dataset.

The Way Forward

The ICO will be publishing further chapters of its anonymisation and psuedonymisation guidance on identifiability, pseudonymisation techniques, accountability and governance requirements, amongst other topics. These upcoming chapters will hopefully provide further guidance and clarity on the obligations of organisations while sharing pseudonymised data and best practice to be followed in order to ensure compliance with data protection requirements.