How do we ensure anonymisation is effective?
The ICO is calling for views on its updated draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies. We are sharing our thinking in stages to ensure we gather as much feedback as possible to help refine and improve the final guidance, on which we will carry out a formal consultation.
In our first chapter ‘Introduction to Anonymisation’ we outlined the legal, policy and governance issues around the application of anonymisation in the context of data protection law. We are grateful for the feedback we have received from many organisations across different sectors.
Our second chapter ‘Identifiability’ focuses on how to assess anonymisation in the context of identifiability. We explore the concept of a spectrum of identifiability, data sharing scenarios, the motivated intruder and reasonably likely tests as well as guidance on managing re-identification risk. These key principles set out our views on effective anonymisation and we welcome your feedback.
Our third chapter ‘pseudonymisation’ explains the key differences between pseudonymisation and anonymisation. We also explore how pseudonymisation can help to reduce risk and allow personal data to be processed for other purposes. The chapter also provides guidance on how to approach pseudonymisation and the DPA 2018 re-identification offence. These key topics set out our views on how pseudonymisation can be used effectively and we welcome your feedback.
Our fourth chapter ‘Accountability and governance’ explains the governance approach you should take when you anonymise personal data. We explore the factors you need to consider for ensuring transparency such as using DPIAs to identify and mitigate risks and keeping up to date with technical and legal developments to ensure anonymisation remains effective. The chapter also provides guidance on other relevant legislation you should consider when disclosing anonymous information. These key topics set out our views on how you should approach your accountability and governance obligations when anonymising personal data and we welcome your feedback.
We will continue to publish draft chapters for comment at regular intervals. As outlined in Building on the data sharing code – our plans for anonymisation guidance, chapters to follow include:
- Anonymisation and research - how anonymisation and pseudonymisation apply in the context of research;
- Guidance on privacy enhancing technologies (PETs) and their role in safe data sharing;
- Technological solutions – exploring possible options and best practices for implementation; and
- Data sharing options and case studies – supporting organisations to choose the right data sharing measures in a number of contexts including sharing between different organisations and open data release. Developed with key stakeholders, our case studies will demonstrate best practice.
Input at this early stage can make a significant difference as we will use the responses we receive to inform our work in developing the guidance.
This call for views is the first stage in the process and we will consult on the full draft guidance in the autumn. You can provide your feedback by emailing [email protected].
When submitting your views, please specify to which chapter you are referring.