ICO publishes anonymisation guidance

April 8, 2025

The Information Commissioner’s Office has published guidance about anonymisation and pseudonymisation techniques, aimed at helping organisations handle personal data in compliance with data protection laws. 

Anonymisation is the process of representing data in such a way that individuals are not identifiable.  Once data is anonymised, it falls outside the scope of data protection laws.

Pseudonymisation involves replacing identifiable information with a pseudonym, but the data can still be linked back to an individual if additional information is available. 

The ICO’s guidance aims to help organisations comply with the UK GDPR and the Data Protection Act 2018 (DPA 2018).  It also considers the implications of freedom of information legislation.

The guidance emphasises the concept of identifiability: it is crucial to assess whether data can be linked to an individual, considering all means reasonably likely to be used for identification. It also considers the so-called “Motivated Intruder Test”, which assesses whether a determined person with access to resources could identify individuals from anonymised data; it is a practical approach to evaluating the risk of re-identification. The guidance also covers the “spectrum of identifiability”: identifiability is context-specific and can change over time due to technological advancements and the availability of additional data.

The guidance outlines two main approaches to anonymisation:

  • Generalisation: Reducing the specificity of data, such as grouping ages into ranges.
  • Randomisation: Adding noise to data to reduce the certainty that it relates to a specific individual.

Pseudonymisation techniques include:

  • Hashing: Transforming data into a fixed-length output using a hash function.
  • Encryption: Using symmetric or asymmetric encryption to protect data.
  • Tokenisation: Replacing sensitive data with randomly generated tokens.

The benefits are enhancing data security and privacy, supporting compliance with data protection principles, and enabling data sharing and processing for research and other purposes. The risks are:

  • Ineffective anonymisation can lead to re-identification.
  • Pseudonymised data remains personal data and must be protected accordingly.
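
As an illustration added here (not taken from the ICO guidance or from this article), the Python example below applies age-band generalisation and keyed hashing to constructed records, then counts how many rows are still unique on the attributes that remain. The field names, the key, the choice of HMAC-SHA256 as the hash and the postcode truncation are all assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real data): (employee_id, age, postcode)
RECORDS = [
    ("E1001", 23, "AB1 2CD"),
    ("E1002", 27, "AB1 3EF"),
    ("E1003", 34, "AB1 4GH"),
    ("E1004", 38, "AB2 5JK"),
    ("E1005", 36, "AB1 9ZZ"),
    ("E1006", 61, "AB2 7LM"),
]

# Assumption: the key is the "additional information" and is stored apart from the data.
SECRET_KEY = b"constructed-demo-key"


def pseudonymise(identifier, key=SECRET_KEY):
    """Hashing: fixed-length pseudonym that can only be re-linked by a key holder."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def age_band(age, width=10):
    """Generalisation: replace an exact age with a range such as 30-39."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def transform(records):
    """Pseudonymise the identifier, generalise age, keep only the outward postcode."""
    return [(pseudonymise(eid), age_band(age), pc.split()[0])
            for eid, age, pc in records]


def group_sizes(rows):
    """How many rows share each (age band, area) combination."""
    return Counter((band, area) for _, band, area in rows)


def unique_rows(rows):
    """Rows that remain the only member of their group after the transformations."""
    sizes = group_sizes(rows)
    return [r for r in rows if sizes[(r[1], r[2])] == 1]


if __name__ == "__main__":
    rows = transform(RECORDS)
    print("smallest group:", min(group_sizes(rows).values()))
    print("rows still unique:", len(unique_rows(rows)))
```

Two of the six constructed rows are still the only record in their age band and area, so anyone who knows a colleague's approximate age and district could single them out even though the identifier has been replaced.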

The guidance stresses the importance of robust governance measures, including:

  • Data Protection Impact Assessments (DPIAs): these are crucial for identifying and mitigating risks associated with anonymisation and pseudonymisation.
  • Transparency: organisations must be clear about their anonymisation processes and the purposes for which data is anonymised.
  • Staff Training: ensuring that staff involved in data processing understand the techniques and risks associated with anonymisation and pseudonymisation.

The guidance includes practical case studies demonstrating the application of anonymisation and pseudonymisation techniques, for example pseudonymising employee data for recruitment analytics and using trusted third parties for market insights.