Data Anonymization Consultation in the UK: Facilitating Big Data


[author:  ]

The UK Information Commissioner’s Office (ICO) has released a draft Code of Practice on Data Anonymisation. The UK ICO will be conducting a consultation on the draft Code until August 23, 2012.

The UK ICO states that the Data Protection Act (UK) should not be a barrier to prevent the anonymization of personal data. Moreover, once data is anonymized, the UK ICO states that the data can be disclosed to others without being subject to the Data Protection Act. This remains true, even if the disclosing organization retains the ability to re-identify the data.

The UK ICO’s interpretation of the Data Protection Act is that data that has been properly anonymized can be deployed for new uses without the consent of the individual from whom the data was initially collected. The exemption from the need to obtain consent is subject to a number of provisos:

  • the anonymization must be effective (the UK ICO recommends a privacy impact assessment);
  • the purpose for which the anonymization takes place is legitimate (and any ethical approvals have been obtained);
  • there are no detrimental effects on particular individuals;
  • the organization’s privacy policy or some other form of notification explains the anonymization process; and
  • there is a system for collecting individuals’ objections (even though consent is not required).

In assessing the effectiveness of anonymization, the UK ICO states that organizations must consider whether a motivated intruder could re-identify the individual using the data set. An organization must consider whether information that has purportedly been anonymized could be combined with other information to identify an individual. If so, then this would be a disclosure of personal information. The UK ICO suggests that organizations disclosing anonymized data will want to assess the disclosure risk “in the round”. In other words, all organizations disclosing part of the data set should consider whether another organization (or, the public) could identify the information from the information being disclosed.

Importantly, the UK ICO distinguishes identification from an educated guess. In order for there to be a re-identification issue creating a risk of disclosure, the data set must be capable of being used for more than establishing a probability that an individual has the characteristics attributed by the data set.

One of the most helpful aspects of the draft Code of Practice are the thoughtful examples of anonymization techniques that will help organizations understand the privacy principles in action.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:


Dentons on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.