In June we reported that the ICO had published a consultation draft of the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance. It has now published its draft of chapter 2, which focuses on identifiability. The key points are:
- An effective anonymisation process seeks to reduce the likelihood of someone being identified or identifiable to a sufficiently remote
- It is not always possible to reduce identifiability risk to zero, and data protection law does not require this. Effective anonymisation is about finding the right balance between managing the risk and maintaining the data's utility.
- In practice, identifiability may be viewed as a spectrum, with information that is clearly personal data at one end, anonymous information at the other, and in the middle information whose identifiability depends on the specific circumstances and risks posed, which may change over time.
- When determining whether information is personal data, it may be useful to consider three key indicators:
  - singling out: can you tell one individual in a dataset from another individual?
  - linkability: where data sources may seem non-identifying in isolation, but can lead to the identification of an individual if combined; and
  - inferences: the potential to infer, guess or predict details about an individual.
- When assessing whether someone is identifiable, you need to take account of the means reasonably likely to be used. You should consider all objective factors, such as the costs of and the amount of time required for identification, together with the available technology at the time of processing and technological developments.
- You need to consider the information itself as well as the environment in which it is processed.
- Remember that the same information may:
  - be personal data in your hands, e.g. if you hold additional information that means that individuals are identifiable; and
  - not be personal data once in the hands of other parties, if they do not have access to the additional information or to means reasonably likely to be used to obtain it.
- You need to assess identifiability when deciding your release model, i.e. whether you will release the data publicly or to defined groups, etc.
- When considering releasing anonymous information to the world at large, you may need to implement more robust anonymisation techniques than when releasing to particular groups or organisations.
- There are likely to be many borderline cases which require careful judgment.
- Applying a motivated intruder test is a good starting point to assess the identifiability risk: could a reasonably competent intruder with no prior knowledge, access to appropriate resources, and the wish to identify an individual, obtain further information that could be used for re-identification?
- You should review your risk assessments and decision-making processes at appropriate intervals.
The ICO's call for views on the draft of chapter 2 is open until 28 November.
In our experience, organisations sometimes find it difficult to differentiate anonymous data from pseudonymous data, which can make it harder to draft and negotiate appropriate contractual obligations. Our specialist data protection lawyers can help you to use anonymisation and pseudonymisation to maximise the benefits of data to your business and document their use correctly.