The ICO is consulting on the first draft chapter of its Anonymisation, pseudonymisation and privacy enhancing technologies draft guidance. The guidance will sit alongside its data sharing guidance.
The first draft chapter defines anonymisation and pseudonymisation. It explores the legal, policy and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law. As part of this the ICO explores when personal data can be considered anonymised, if it is possible to anonymise data adequately to reduce risks, and what the benefits of anonymisation and pseudonymisation might be. Anonymisation is a privacy-friendly way to harness the potential of data, including when developing new and innovative products and services.
Effective anonymisation of personal data is possible in many circumstances. It depends on the techniques organisations use. Organisations need to reduce the risks of identifying individuals to a sufficiently remote level so that the information is effectively anonymised.
The guidance:
· explains what is meant by anonymisation and pseudonymisation;
· details how this affects an organisation’s data protection obligations and responsibilities;
· discusses what organisations should consider when anonymising personal data;
· provides good practice advice for when organisations seek to anonymise this data; and
· discusses technical and organisational measures to mitigate the risks to individuals when an organisation does so.
The ICO plans to continue to publish draft chapters for comment at regular intervals, throughout the summer and autumn. The planned chapters are:
· Identifiability – outlining approaches such as the spectrum of identifiability and their application in data sharing scenarios, including guidance on managing re-identification risk, covering concepts such as the ‘reasonably likely’ and ‘motivated intruder’ tests;
· Guidance on pseudonymisation techniques and best practices;
· Accountability and governance requirements in the context of anonymisation and pseudonymisation, including data protection by design and data protection impact assessments;
· Anonymisation and research – how anonymisation and pseudonymisation apply in the context of research;
· Guidance on privacy enhancing technologies (PETs) and their role in safe data sharing;
· Technological solutions – exploring possible options and best practices for implementation; and
· Data sharing options and case studies – supporting organisations to choose the right data sharing measures in a number of contexts including sharing between different organisations and open data release.
The consultation ends on 28 November 2021. The ICO then plans to consult on the final version.