Data Anonymization Consultation in the UK: Facilitating Big Data

Explore:  Anonymization Big Data ICO

[author:  ]

The UK Information Commissioner’s Office (ICO) has released a draft Code of Practice on Data Anonymisation. The UK ICO will be conducting a consultation on the draft Code until August 23, 2012.

The UK ICO states that the Data Protection Act (UK) should not be a barrier to prevent the anonymization of personal data. Moreover, once data is anonymized, the UK ICO states that the data can be disclosed to others without being subject to the Data Protection Act. This remains true, even if the disclosing organization retains the ability to re-identify the data.

The UK ICO’s interpretation of the Data Protection Act is that data that has been properly anonymized can be deployed for new uses without the consent of the individual from whom the data was initially collected. The exemption from the need to obtain consent is subject to a number of provisos:

  • the anonymization must be effective (the UK ICO recommends a privacy impact assessment);
  • the purpose for which the anonymization takes place is legitimate (and any ethical approvals have been obtained);
  • there are no detrimental effects on particular individuals;
  • the organization’s privacy policy or some other form of notification explains the anonymization process; and
  • there is a system for collecting individuals’ objections (even though consent is not required).

In assessing the effectiveness of anonymization, the UK ICO states that organizations must consider whether a motivated intruder could re-identify the individual using the data set. An organization must consider whether information that has purportedly been anonymized could be combined with other information to identify an individual. If so, then this would be a disclosure of personal information. The UK ICO suggests that organizations disclosing anonymized data will want to assess the disclosure risk “in the round”. In other words, all organizations disclosing part of the data set should consider whether another organization (or, the public) could identify the information from the information being disclosed.

Importantly, the UK ICO distinguishes identification from an educated guess. In order for there to be a re-identification issue creating a risk of disclosure, the data set must be capable of being used for more than establishing a probability that an individual has the characteristics attributed by the data set.

One of the most helpful aspects of the draft Code of Practice are the thoughtful examples of anonymization techniques that will help organizations understand the privacy principles in action.


Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.