On 28 May 2021, the Information Commissioner’s Office (“ICO”) published a call for views on the first draft chapter of its anonymisation, pseudonymisation and privacy enhancing technologies draft guidance. This first chapter is part of a series of chapters of guidance that the ICO will be publishing on anonymisation and pseudonymisation and their role in enabling safe and lawful data sharing. Addressed to organisations seeking to anonymise personal data, it seeks to define anonymisation and pseudonymisation and provides some practical advice to such organisations on how to manage their obligations.
The guidance supplements the ICO’s Data Sharing Code of Practice (the “Code”), which we discussed in our blog post here. The Code contained guidance on the aspects organisations need to consider while sharing personal data. While the Code briefly touched upon anonymisation and pseudonymisation, it did not address some of the key issues that arise repeatedly when organisations seek to anonymise and pseudonymise data. This new series of guidance, with its specific focus on anonymisation and pseudonymisation, will hopefully address these issues.
In this blog post, we discuss our key takeaways from the first chapter of the guidance and the impact that it is likely to have.
The first chapter of the guidance explains that anonymous information is data which does not relate to an identified or identifiable individual. Data protection law does not apply to truly anonymous information. According to the guidance, anonymisation is the way in which personal data is turned into anonymous information, and includes the techniques and approaches which can be used to this end.
The guidance also clarifies that it is not necessary that anonymisation be free of risks, and emphasises that the risk of re-identification must be mitigated to the extent that it becomes sufficiently remote and that information becomes ‘effectively anonymised’. In this respect, the guidance states that anonymisation is ‘effective’ when: (a) it does not relate to an identified or identifiable individual; or (b) is rendered anonymous in such a way that individuals are not (or are no longer) identifiable.
Importantly, the guidance makes the important clarification that applying anonymisation techniques to render personal data anonymous is considered a processing activity in and of itself, and data protection requirements must be adhered to while undertaking such processing, which includes informing data subjects that this is to occur.
The first chapter of the guidance confirms that pseudonymisation is a technique used to remove or replace information that identifies an individual, for example, by replacing names or other identifiers with codes or numbers. However, the guidance cautions that organisations must take care to maintain the additional information (i.e. the identifiers) separately and protect it using appropriate technical and organisational measures, as individuals can be identified by reference to this additional information.
Crucially, the guidance seeks to address one of the long-debated questions surrounding pseudonymised data – can pseudonymised data be considered anonymised data in the hands of a third party who has no means to re-identify that data?
In this respect, the guidance clarifies that when transferring the pseudonymous data to a third party, an organisation needs to consider the context and circumstances of the transfer – if the third party has no means which are reasonably likely to re-identify the individuals in the transferred dataset, the dataset may be considered ‘anonymous information’ in the hands of the third party. However, should the transferring organisation still have access to the additional information which can identify individuals, the dataset will continue to be personal data in that organisation’s hands. Whilst many organisations have been operating under the assumption that pseudonymised data can be considered anonymised data in the hands of a recipient without the means to re-identify that data, this is a welcome and important clarification.
Accordingly, both disclosing and recipient organisations will need to carefully consider whether the data is anonymous or pseudonymous in their hands, in order to assess their data protection obligations.
The guidance also sets out that pseudonymous data is still personal data and data protection law applies to such data. However, it does not specify if there is any degree of difference in how data protection law will apply to conventional personal data and pseudonymous data. We anticipate that the ICO will address this issue in the remaining chapters of its anonymisation and pseudonymisation guidance. It remains to be seen what the obligations of a recipient third party will be in the context of a pseudonymised dataset it receives, when it does not have the additional information which can re-identify individuals from that dataset.
The Way Forward
The ICO will be publishing further chapters of its anonymisation and pseudonymisation guidance on identifiability, pseudonymisation techniques, accountability and governance requirements, among other topics. These upcoming chapters will hopefully provide further guidance and clarity on the obligations of organisations while sharing pseudonymised data and best practice to be followed in order to ensure compliance with data protection requirements.