In the February 2022 issue of DWF Data Protection Insights we reported on the publication of chapter 3 (Pseudonymisation) of this draft guidance. The ICO has now published chapter 4, which focuses on accountability and governance, in particular:
- the governance approach you should take when you anonymise personal data;
- the factors you need to consider for ensuring transparency, such as using DPIAs (data protection impact assessments) to identify and mitigate risks, and keeping up to date with technical and legal developments to ensure anonymisation remains effective; and
- guidance on other relevant legislation you should consider when disclosing anonymous information.
The issues addressed in the draft guidance include:
- What governance approach should you take? This covers:
  - planning and documenting your anonymisation process;
  - identifying and mitigating anonymisation risks, e.g. using DPIAs, working with third parties and ensuring transparency;
  - ensuring anonymisation remains effective, e.g. updating and staff training, including re-identification training; and
  - identifying legal considerations.
- Who should be responsible for your anonymisation process? This must be someone of sufficient seniority with an appropriate understanding of your process, any intended disclosures and the relevant technical and legal considerations.
- Should you do a Data Protection Impact Assessment (DPIA)? While a DPIA is always a useful tool for assessing the impact of anonymisation on your overall risk, it is compulsory where the processing is likely to result in a high risk to individuals, uses innovative technology (for example, to render personal data as anonymous information), or matches data or combines datasets from different sources.
- Are you clear about why you want to anonymise personal data?
- How should you work with other organisations, where necessary? If you are planning to disclose any anonymous information you should work with other organisations likely to be processing, and possibly disclosing, other information that could allow the individual to whom the data relates to be identified.
- What type of disclosure is it? Limited access is less risky than open release, but you should still put robust safeguards in place.
- How should you identify potentially difficult cases? Your governance approach should cater for cases where it is difficult to assess identifiability risk, where that risk may be significant, and where effective anonymisation may be difficult to achieve.
- How should we ensure transparency? Individuals have the right to know how and why you are processing their data. Your organisation’s privacy policy/notice should be easily accessible and clearly explain your approach to anonymisation, including any consequences.
- How should we ensure appropriate staff training? You need to ensure that members of staff who are involved in decisions about creating and disclosing anonymous information have a clear understanding of anonymisation techniques, any risks and how to mitigate those risks.
- How should we keep updated with legal and technical developments?
- How should we mitigate re-identification risk due to a security incident? Your governance procedures should address what you will do if you are concerned that the risk of re-identification has increased, e.g., due to technological developments or increased availability of additional information that when linked to the anonymised data may facilitate re-identification. You should consider introducing measures to mitigate these risks.
- What other legal considerations apply? Other legal considerations include FOIA (the Freedom of Information Act 2000), the Human Rights Act, the common law of confidence, and any relevant industry or professional codes.
The ICO is continuing to publish draft chapters of this guidance for consultation, so we'll provide updates in future issues of DWF Data Protection Insights.