Insights Information Commissioner’s Office publishes blog post on plans to update its anonymisation guidance

In the blog post Ali Shah, Head of Technology Policy, notes that the recent ICO Data Sharing Code of Practice provides organisations with a practical guide on how to share personal data in line with data protection law. However, there are other dimensions to data sharing and the Code is “not a conclusion, but a milestone in this ongoing work”. Accordingly, the ICO plans to continue providing clarity and advice on how data can be shared in line with the law.

The ICO is now outlining its plans to update its guidance on anonymisation and pseudonymisation and to explore the role that privacy-enhancing technologies might play in enabling safe and lawful data sharing. The ICO recognises that questions about when data is personal data or anonymous information are some of the most challenging issues organisations face.

The ICO says that its updated guidance will “assist organisations in meeting these challenges”. It will set out the ICO’s views on approaches like the spectrum of identifiability and how these can be practically applied. There will be advice on how to assess the appropriate controls that need to be in place and the ICO will be grounding its guidance in practical steps organisations can take.

The key topics the ICO will be exploring include:

  • anonymisation and the legal framework: legal, policy and governance issues around the application of anonymisation in the context of data protection law;
  • identifiability: outlining approaches such as the spectrum of identifiability and their application in data sharing scenarios, including guidance on managing re-identification risk, covering concepts such as the “reasonably likely” and “motivated intruder” tests;
  • guidance on pseudonymisation: outlining techniques and best practices;
  • accountability and governance: setting out requirements in the context of anonymisation and pseudonymisation, including data protection by design and DPIAs;
  • anonymisation and research: how anonymisation and pseudonymisation apply in the context of research;
  • guidance on privacy enhancing technologies (PETs): their role in safe data sharing;
  • technological solutions: exploring possible options and best practices for implementation; and
  • data sharing options and case studies: supporting organisations to choose the right data sharing measures in a number of contexts, including sharing between different organisations and open data release. Developed with key stakeholders, the case studies will demonstrate best practice.

Mr Shah says that over the coming months the ICO will be exploring these topics iteratively, and will be sharing [its] thinking ahead of issuing formal guidance”. The approach will include gathering insight and feedback from industry, academia and other key stakeholders to better understand the real world challenges and where the guidance can be most effectively targeted. Accordingly, the ICO will publish each chapter of its guidance and call for views before the main public consultation. To read the blog post in full and for further information on providing feedback, click here.

Expertise