The Information Commissioner’s Office has now published the final version of its ground-breaking Anonymisation Code of Practice. Sue Gold analyses and identifies the key points for marketers.
Who: The Information Commissioner (ICO)
When: 20 November 2012
Where: Wilmslow, Cheshire
Law stated as at: 5 December 2012
Anonymisation is of particular relevance now, given the increased amount of information being made publicly available through open data initiatives and through individuals posting their own personal data online.
Removing personally identifiable information from individual's digital profiles so that information can then be used in aggregate is now widely used. The debate has grown over whether or not in practice such information can really be truly anonymised. This concern has been highlighted with the developing technical capabilities allowing identification from supposedly "anonymous" information leading to questioning on how to safely handle such information.
On 20 November 2012, the UK's Information Commissioner's Office (ICO) issued its Code of Practice on data anonymisation, entitled "Anonymisation: Managing Data Protection Risk" (the Code), following an earlier consultation on a draft code in May 2012.
The Code explains the implications of anonymising personal data, and of disclosing data which has been anonymised. It provides good practice advice for all organisations that need to convert personal data into a form in which the individuals are no longer identifiable. If an organisation converts personal data into an anonymised form, the resulting data will not constitute personal information.
Additional points for consideration
Re-identification. The ICO has introduced the "motivated intruder" test which considers whether a person who starts without any prior knowledge of identity, would be able to identify an individual by accessing resources and investigative techniques to de-anonymise the data. The motivated intruder is not, however, assumed to resort to criminality or have specialist equipment or skills. Examples are given of the types of resource which may be accessed. ICO recommends that a risk assessment of future identification should be carried out.
Consent. Personal data could be anonymised without the individual's consent if that anonymisation is necessary for the purposes of the legitimate interests pursued by the organisation in question. This "legitimate interests" justification must be weighed against the impact such anonymisation would have on the interests of the data subject. Where however, the risk of re-identification is significant then organisations should seriously consider getting consent.
Spatial information – such as post codes, GPS data, map references and data collected via smartphones. The ICO considers scenarios where such data may be considered to be personal data. Where an organisation has data on a small number of individuals in a small area, there will be increased risk of identification. Organisations are encouraged to consider using 'replacement' post codes for real ones so that researchers can retain the granularity and accuracy of data whilst minimising re-identification risk when publishing data on a postcode basis. Privacy policies should state whether spatial data is processed as personal data or in an anonymised form. Furthermore, an organisation could initially process spatial data as personal data, but once the need for precise data has passed it can be incrementally replaced by other information e.g. exact GPS coordinates can be replaced by a street name and then just a city. This is known as 'degrading' or 'fading' personal data.
Research exemption. The ICO gives further guidance on when this exemption may apply including in relation to health data and market research.
Why this matters:
The interpretation of what qualifies as "personal data" has become wider over recent years as seen with the debate concerning IP addresses. Enhanced technology facilitating the identification of individuals from aggregated data has also brought into question whether personal data can ever be truly anonymised.
This is an important area to keep under review and is of growing importance when looking at the ability to carry out analytics and the aggregation of information including through the use of web analytics and the use of spatial information such as post codes.
The Code is helpful in recognising that anonymisation is possible but the question remains open as to whether other European Regulators will take a similar approach.