The Office of the Data Protection Commissioner (“ODPC”) has issued helpful guidance in relation to the anonymisation and pseudonymisation of personal data and how to effectively use both in order to protect a person’s right to privacy.
This guidance is welcomed, particularly as organisations prepare themselves for the General Data Protection Regulation (“GDPR”).
Anonymisation is the processing of data in such a way that the individual to whom it relates can no longer be identified. Anonymisation will be considered effective if all methods that could be used to identify a subject fail. The Data Protection Acts 1988 & 2003 (“Data Protection Acts”) only govern personal data. If personal data is effectively anonymised, it is no longer considered “personal data” and therefore will not be subject to the Data Protection Acts. If anonymisation of data fails and/or is not possible, then the data must continue to be treated as personal data.
The test for determining whether data would be rendered anonymous is set out in Recital 26 of the Data Protection Directive, and holds that the organisation must examine the ways in which an individual could be identified. The organisation is required to show that the identification of an individual is unlikely, rather than impossible. In order to do so, the organisation should look at all actions that could be taken by an “intruder” in an attempt to identify a subject.
When it comes to the correct technique to use when anonymising data, there is no “one size fits all”. Each situation must be considered on a case-by-case basis. The intended use of the data in question is paramount in deciding which technique a data processor uses. The ODPC advises that there are two main genres of anonymisation: “randomisation” and “generalisation”.
Randomisation consists of
Generalisation consists of
“Masking” is another form of anonymisation; however, it would not be considered a strong enough method of anonymisation to be used on its own. It would only be used in conjunction with another technique.
As with anything that involves a person’s personal data, there are a couple of issues which arise with identifying anonymised data;
Pseudonymisation of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified. Pseudonymisation often gets confused with anonymisation; however, the two must be seen as different techniques. Pseudonymisation is not considered a form of anonymisation; instead, the ODPC recommends that it should be considered a “security enhancing measure” in order to reduce “linkability in a dataset”.
Care must be given to the reuse of a pseudonym, as the reuse of a pseudonym increases the risk of linking one dataset to another and identifying an individual.
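The linkability risk described above, shown as an added example that is not part of the ODPC guidance or the original article. The use of HMAC-SHA256 as the pseudonym function, the field names, the keys and the sample records are all assumptions constructed for illustration.

```python
import hashlib
import hmac

def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier (assumed scheme)."""
    msg = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key, id_field="email"):
    """Return copies of the records with the direct identifier replaced by a pseudonym."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k != id_field}
        new["pid"] = pseudonym(rec[id_field], key)
        out.append(new)
    return out

def linked_subjects(ds_a, ds_b):
    """Pseudonyms present in both datasets, i.e. rows that can be joined across them."""
    return {r["pid"] for r in ds_a} & {r["pid"] for r in ds_b}

# Constructed sample data: one data subject appears in both datasets.
HR = [{"email": "a.byrne@example.com", "dept": "finance"},
      {"email": "c.walsh@example.com", "dept": "legal"}]
HEALTH = [{"email": "A.Byrne@example.com ", "claim": "physio"},
          {"email": "d.nolan@example.com", "claim": "dental"}]

# Constructed demo keys; real keys would be random and stored apart from the data.
SHARED_KEY = b"constructed-demo-key-shared"
HR_KEY = b"constructed-demo-key-hr"
HEALTH_KEY = b"constructed-demo-key-health"

def demo():
    """Count joinable subjects with a reused pseudonym vs. per-dataset pseudonyms."""
    reused = linked_subjects(pseudonymise(HR, SHARED_KEY),
                             pseudonymise(HEALTH, SHARED_KEY))
    separate = linked_subjects(pseudonymise(HR, HR_KEY),
                               pseudonymise(HEALTH, HEALTH_KEY))
    return len(reused), len(separate)

if __name__ == "__main__":
    reused, separate = demo()
    print(f"joinable subjects with reused pseudonym: {reused}")
    print(f"joinable subjects with per-dataset pseudonyms: {separate}")
```

Whoever holds a key can regenerate the pseudonyms from known identifiers, so the output is still personal data; separate keys per dataset only remove the ready-made join column.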
As highlighted in our previous blog, in order to minimise risk and protect your organisation, where possible reduce the amount of personal data your organisation holds. For personal data that must be retained, consider the options of anonymisation and pseudonymisation to further minimise risk and protect the personal data and privacy rights of data subjects.
We expect a heightened focus on pseudonymisation, as it is explicitly recognised in the General Data Protection Regulation (“GDPR”) and considered to be an appropriate technical and organisational measure, which can be implemented to help meet the requirements of the GDPR and protect the rights of data subjects.
The guidance issued by the ODPC should be considered alongside the guidance set out in the links below:
To read the full article of the guidelines published please click here.