New guidance on anonymisation great for businesses, says expert

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, was commenting after a new anonymisation decision-making framework (171-page / 2.06MB PDF) was published by the UK Anonymisation Network (UKAN). It has been endorsed by the UK's Information Commissioner's Office (ICO).

The UKAN said that the new framework is "gives more operational advice than the ICO’s anonymisation code of practice, whilst being less technical and forbidding than the statistics and computer science literature".

The UK Data Protection Act (DPA) applies strict conditions on the collection, processing and sharing of personal data. Those conditions do not apply, however, to anonymised data.

The ICO's anonymisation code, published in 2012, confirmed that data anonymisation measures do not have to be 100% fool-proof for personal data to be considered as anonymised for the purposes of the DPA.

"Further guidance on anonymising personal data is excellent news for businesses," Wynn said. "Personal data is a valuable asset that allows businesses to personalise services, but, as Dame Fiona Caldicott explained recently in her review of privacy issues in the NHS, in many cases organisations do not need access to personal data to gain insights because the quality of information they desire can be gleaned from anonymised data."

"In the era of big data, where there is the potential for merger of data sets and powerful analytics tools are in use, true anonymisation is very difficult to achieve. Many organisations often think they have anonymised data when they haven't really. This is an issue because they might wrongly believe that the Data Protection Act does not apply to the data. With huge fines possible under the forthcoming General Data Protection Regulation, true anonymisation will become even more critical in future," Wynn said.

"If organisations are in as to whether data is anonymised then they should treat it as if it is personal data and apply appropriate protections even if those do not amount to truly anonymise the data," she said. "Those measures will still be relevant in the context of ensuring companies meet their obligations on data security and data minimisation."

According to the ICO's code, organisations that anonymise personal data can disclose that information so long as there is no more than a "remote" chance that the data can be matched with other information and lead to individuals being identified.

In "borderline" cases, organisations have to assess the individual "circumstances of the case" to determine whether there is too great a risk that disclosing anonymised data would lead to individuals being identified, according to the ICO's code.

The new anonymisation decision-making framework sets out a 10-point checklist for organisations to follow to manage anonymisation.

Among its recommendations is that businesses carry out a "data situation audit". This will help them understand "the context" of their data and "help scope the anonymisation process appropriately" to facilitate safe data sharing, it said.

Businesses seeking to anonymise their data are also encouraged to understand their legal responsibilities and the "use case" for information, as well as account for their ethical obligations too. Companies should further "identify the processes [they] will need to assess disclosure risk" and the "disclosure control processes that are relevant to [their] data situation", and plan what they will do if "things go wrong", amongst other things. This contingency planning should involve "a robust audit trail" of "anonymisation activities and processes", adopting a "crisis management policy" and ensuring staff are adequately trained in "relevant anonymisation issues".

Kuan Hon of Pinsent Masons, who contributed to the original ICO code of practice on anonymisation, said: "Although anonymisation is not always easy to achieve, organisations that follow the new systematic framework, and document their steps and assessments, should hopefully be in a better compliance position, should issues later arise, than organisations which have not done so."

In a foreword to the new framework new UK information commissioner Elizabeth Denham said that while "effective anonymisation is possible … it is also possible to do anonymisation ineffectively". She warned that "it isn’t always possible to draw the definitive personal / non-personal data distinction that legal certainty in the field of data protection depends on".

"Given the development of increasingly powerful data sharing, matching and mining techniques – and a backdrop of strong political and commercial pressure to make more data available – it can seem inevitable that re-identification risk will increase exponentially," Denham said. "However, this framework demonstrates that the science of privacy enhancement and our understanding of privacy risk are also developing apace. It is essential that we continue to develop anonymisation and other privacy enhancing techniques as an antidote to the potential excesses of the big data era."