
Consent not required for disclosure of fully anonymised personal data, ICO says

Out-Law News | 31 May 2012 | 2:22 pm | 4 min. read

Organisations that properly anonymise personally identifying information do not have to comply with data protection laws in order to disclose the altered information, the Information Commissioner's Office (ICO) has said.

The data protection watchdog said that in order to fall outside of the scope of the Data Protection Act, organisations that anonymise personal data must ensure that it is not "reasonably likely" that the anonymised information will lead to the identification of individuals when matched with data available elsewhere.

The ICO has published a draft code of practice on anonymisation (59-page / 643KB PDF) which it said will help organisations release information, such as NHS patient statistics, without requiring individuals' consent to do so.

"There is clear legal authority for the view that, where a data controller converts personal data into an anonymised form and publishes it, this will not amount to a disclosure of personal data - even though the disclosing organisation still holds the ‘key’ that would allow re-identification to take place," it said. "This means that the DPA no longer applies to the disclosed information."

"This provides an obvious rationale for organisations that want to publish information to do so in an anonymised form - and for researchers and others to use anonymised information as an alternative to personal data wherever this is possible."

"When assessing whether information has been anonymised effectively it is necessary to consider whether other information is available that – in combination with the anonymised information – would result in a disclosure of personal data. This can be an issue for the initial organisation – which may well want to keep certain information in an anonymised form – and for third party organisations which may wish to avoid the problems and liabilities that can result from re-identification," the watchdog said.

Under the Data Protection Act personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes only. Organisations must have a lawful basis for processing individuals' personal data, such as having obtained individuals' consent to do so or if they can show that it is "necessary for the purposes of the legitimate interests" they are pursuing, as long as those interests are not "overridden by the interests for fundamental rights and freedoms of the data subject".

However, organisations that properly anonymise personal data do not have to abide by the DPA's "strict requirements" in order to process that anonymised information, the ICO said. The watchdog did admit though that "the risk of re-identification through data-linkage is essentially unpredictable" and that therefore organisations must "carry out as thorough a risk analysis as is possible - at the initial stage of producing and disclosing anonymised data."

The ICO said that organisations may need to obtain the consent of 'data subjects' before anonymising their personal data for later disclosure, because the activity constitutes "processing" of those individuals' information in the first place.

However, it said consent is not required if "the anonymisation will be done effectively, with due regard to any privacy risk posed to individuals – a privacy impact assessment can be used here; the purpose for which the anonymisation takes place is legitimate and has received any necessary ethical approval; neither the anonymisation process - nor the use of the anonymised information - will have any direct detrimental effect on any particular individual; the data controller’s privacy policy – or some other form of notification - explains the anonymisation process and its consequences for individuals; and there is a system for taking individuals’ objections to the anonymisation process or to the release of their anonymised information into account."

Public authorities should not assume that information that is not "sensitive, risky or consequential" to individuals is not personal data when anonymising information in order to make a disclosure under freedom of information laws, the ICO said.

In "genuinely borderline" cases those bodies should be cautious about disclosure and, if there is a chance individuals could suffer "damage, distress or financial loss" as a result of "re-identification" following disclosure of anonymised information, then organisations should seek consent to disclosure from the individuals concerned. They should also be more "rigorous" in their "risk analysis and anonymisation" procedures and "only disclose within a properly constituted closed community and with specific safeguards in place" in some cases.

Organisations should assess whether a "'motivated intruder' would be able to achieve re-identification if minded to do so" as this is a "useful test" of how resolute anonymisation of personal data has been, the ICO said. A 'motivated intruder' is said to be someone who would take "all reasonable steps" to try and identify someone through anonymised data but has no "prior knowledge" to help them do that.

It is also "good practice" for organisations to try to identify, before disclosing anonymised datasets, whether people who do have "prior personal knowledge" about individuals could identify those individuals from the data.

"While the public wants to see openness, they want to see their privacy rights respected too," Information Commissioner Christopher Graham said in a statement. "The risks of anonymisation can sometimes be underestimated and in other cases overstated; organisations need to be aware of what those risks are and take a structured approach to assessing them, particularly in light of other personal information in the public domain."

"Anonymisation can allow organisations to publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. Our code will aim to provide clear, practical advice on how data can be anonymised. We are now inviting individuals and organisations to submit their views on how this can best be achieved."

The ICO's consultation is open until 23 August with a finalised 'Anonymisation Code of Practice' due to be published in September.