[author: Tim Banks]
On November 20, 2012, the UK’s Information Commissioner’s Office (ICO) issued the Code of Practice on data anonymization, entitled “Anonymisation: managing data protection risk.” I discussed the draft Code and consultation in a previous post.
In addition, the ICO has announced an “Anonymisation Network” (www.ukanon.net – not yet up and running) to host detailed case studies and illustrations of good practice.
The Code is developed within the framework of the Data Protection Act, 1998 (UK), and, therefore, should not be considered to be directly applicable outside the UK. However, the case studies and discussion of data anonymization techniques are useful reading for all organizations considering the conversion of data sets to an anonymized form.
Some highlights from the ICO’s discussion of data anonymization are:
If an organization converts personal data into an anonymized form, the resulting anonymized data will not constitute personal information. This will continue to be case even though the organization may be able to de-anonymize the information.
A difficult technical issue for organizations will be whether the anonymized data could be combined with information by a third party to re-identify the individual. The ICO’s position, based on judicial precedent, is that the risk of identification must be greater than remote and reasonably like in order for the data to be considered to be personal data for the purpose of data protection legislation.
In assessing the risk of re-identification, the ICO recommends using the “motivated intruder” test. In other words, would a person who starts without any prior knowledge but who wishes to identify and individual be able to access resources and investigative techniques to de-anonymize the data? The motivated intruder is not, however, assumed to resort to criminality or have specialist equipment or skills.
Data that is from low sensitivity sources with a low risk of re-identification may be published by the organization as part of a commitment to open government. However, the ICO recommends that data from highly sensitive sources with a significant risk of re-identification should be made available under limited use restrictions in order to control through contractual terms the use to be made of the data.
The ICO takes the position that in most cases anonymization does not require an individual’s consent under the Data Protection Act, 1998. However, organizations should address the possibility of anonymizing data through disclosure in privacy policies. By contrast, if an organization collects personal data through re-identification, the organization must have the individual’s knowledge and consent.
A summary document prepared by the ICO is available here.