Anonymisation and Pseudonymisation: ICO issues guidance

The Information Commissioner’s Office (“ICO”) has published guidance on anonymisation and pseudonymisation, intended to assist organisations that employ such techniques to ensure that they do so effectively and in compliance with data protection law.

Before anything else, the Guidance stresses the need to understand the difference between the two concepts. As the ICO explains, this matters because organisations may mistakenly believe that a database has been anonymised and therefore that data protection laws will not apply, whereas, in fact, it has merely been pseudonymised such that it still contains personal data.

According to the Guidance, pseudonymisation is “a technique that replaces information that directly identifies people, or de-couples that information from the resulting dataset”. As such it “reduces the link between people and the personal data that relates to them, but does not remove them entirely”. On the other hand, anonymisation “prevents there being a link between the information and the person concerned”.

How to ensure anonymisation and pseudonymisation are effective

The Guidance contains detailed advice on how to ensure that attempts to anonymise and pseudonymise data are effective.

In the case of anonymisation, organisations are advised to ensure that the risk of identification is sufficiently remote to minimise the risks to people arising from the use of their information. When assessing if someone is identifiable, the Guidance points to the fact that people can be identified from factors other than their names, and advises that the risks of identifiability should be assessed according to the “means reasonably likely to be used to enable identification”, employing the “motivated intruder” test as a starting point. Guidance is also provided on the two main anonymisation techniques: (a) generalisation, which reduces the specificity of the data; and (b) randomisation, which is used to reduce the certainty that a record relates to a particular person.

As for pseudonymisation, the ICO recommends that before employing it, organisations should clearly outline what they want to achieve, the risks, the technique they want to use, who will perform it, and document these outcomes. Otherwise, the Guidance warns of the risk that “an inadequate level of pseudonymisation does not meet the legal definition of pseudonymisation in data protection law, even if the technique you use may fit under existing technical meanings of the term”.

Accountability Measures

Finally, the Guidance outlines the accountability measures that organisations should have in place, stressing that they must document key decisions and the rationale for them as part of their accountability obligations. This includes matters such as who is responsible for the anonymisation process; whether a DPIA has been completed; and how the organisation will ensure that the anonymisation remains effective.

To read the Guidance in full, click here
