The Information Commissioner’s Office ("ICO") has recently published guidance on anonymisation and pseudonymisation to help organisations navigate the complexities of data protection compliance. This guidance is a response to previous consultations and aims to clarify the risks and benefits of using privacy-enhancing techniques and to ensure a privacy-friendly approach to data sharing. Although relevant to all sectors, it provides especially helpful guidance to the research community, including those within the health and social care sector.
Anonymisation: A powerful privacy tool
Anonymisation refers to the process of transforming personal data in such a way that the risk of individuals being identified is considered remote. The principal advantage of anonymisation is that data protection law does not apply to information that has been effectively anonymised. This is of obvious benefit to researchers and healthcare providers.
The guidance provides an overview of different anonymisation methods, addressing their respective strengths and weaknesses. These techniques offer organisations the ability to use data without compromising individuals’ privacy, enabling the safe sharing of information while mitigating the risks that can arise from misusing personal data.
Key benefits of anonymisation include:
- Enhanced privacy protection: By ensuring that personal data cannot be traced back to an individual, anonymisation offers a robust solution for organisations that need to share or use data without breaching privacy laws.
- Increased security: Anonymised data cannot be linked to a specific individual, making it less vulnerable to cyber threats.
- Reduced risk of data breaches: With anonymised data, the impact of a potential data breach is significantly reduced, as the information is no longer considered personal data.
Anonymised data can be used, for example, in research projects involving large-scale data sets which make use of artificial intelligence, thereby enabling the rapid analysis of treatment outcomes without revealing the identities of individual patients.
The ICO’s guidance offers practical case studies to illustrate how anonymisation can be effectively applied in different scenarios and considers factors such as identifiability and the means reasonably likely to be used to enable identification. This includes assessing the potential for unauthorised access to data by applying a "motivated intruder" test – i.e. whether someone who wishes to identify a person from anonymous information derived from their personal information is likely to be successful.
Pseudonymisation: A step towards enhanced security
Pseudonymisation, another technique discussed in the guidance, involves replacing identifiable information, such as names or contact details, with a pseudonym or code. While pseudonymisation improves security by making data less identifiable, pseudonymous information is still personal data, and pseudonymisation should not be confused with anonymisation.
The key benefits of pseudonymisation include:
- Risk reduction: Pseudonymisation reduces the risk of exposure in the event of a data breach by replacing sensitive identifiers.
- Improved security: Pseudonymisation adds an extra layer of security when handling personal data, particularly for organisations processing large volumes of sensitive information.
However, the ICO reminds organisations that pseudonymisation does not excuse them from their obligations under data protection laws. Data that is pseudonymised is still considered personal data and remains subject to the same legal requirements as identifiable data.
Accountability and governance
The ICO’s guidance addresses the importance of accountability and governance when using anonymisation and pseudonymisation. Organisations are encouraged to implement appropriate governance measures to ensure that these techniques are used correctly and in compliance with data protection laws.
By adhering to the ICO’s recommendations, organisations can demonstrate their commitment to data protection and reduce the likelihood of non-compliance.
Anonymisation and data sharing
The ICO’s new guidance is particularly important in the context of data sharing. It complements the ICO’s existing Data Sharing Code of Practice, which provides practical advice for organisations on how to share personal data responsibly and in line with the law. The ICO notes that anonymisation offers a valuable alternative to sharing identifiable data, allowing organisations to use and share data without compromising individuals’ privacy.
While the guidance is not statutory and there are no direct penalties for not following the ICO’s recommendations, it plays an important role in the ICO’s assessment of data protection compliance. Organisations that fail to apply these techniques appropriately may face scrutiny if personal data is mishandled.
Key takeaways
Organisations should carefully consider the use of anonymisation and pseudonymisation in their data practices and ensure that they have the necessary governance measures in place to comply with legal obligations. The guidance is a valuable resource for organisations seeking to demonstrate accountability and transparency in their data handling processes.
Should you have any queries regarding the anonymisation and pseudonymisation of data, please contact David Gourlay.
This article was co-authored by Sasha Fothergill, Trainee Solicitor in MFMac's Manufacturing, Media and Technology team.