• DE
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance

11 June 2021
On 28 May the ICO published a consultation draft of the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance.  Here is our summary of the key points.

The first chapter of the draft guidance is an Introduction to Anonymisation which addresses the questions:

What is anonymous information?  This links to the UK GDPR definition: 'information which does not relate to an identified or identifiable natural person or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable'.
What is anonymisation?  This is the way in which you turn personal data into anonymous information.
Is anonymisation always necessary?  No – sometimes it is necessary and legitimate to process personal data.
Is anonymisation always possible?  No - in some instances effective anonymisation may not be possible due to the nature or context of the data, or the purpose(s) for which you collect, use and retain it.
What are the benefits of anonymisation?  Potential benefits include:

  • it limits your data protection risks;
  • it can enable you to share information with other organisations or the public;
  • it supports the principle of data minimisation; and
  • it is easier to use anonymous information in new and different ways, as the data protection rules on purpose limitation do not apply.

If we anonymise personal data, does this count as processing?  Yes – processing includes any operation performed on information.
What is pseudonymisation?  It is a technique that replaces or removes information that identifies an individual. You must ensure that you keep the identifying information separately and put appropriate technical and organisational controls in place.
What about ‘de-identified’ personal data?  This draft guidance states that the meaning of this expression will vary depending on the circumstances, and this will be updated when future sections of the guidance are published.  In the meantime, note that the Data Protection Act 2018 created a criminal offence of re-identifying information that is de-identified personal data without the controller's consent.
What is the difference between anonymisation and pseudonymisation?

  • Anonymisation means that individuals are not identifiable and cannot be reidentified by any means reasonably likely to be used. Anonymous information is not personal data and data protection law does not apply. 
  • Pseudonymisation means that individuals are not identifiable from the dataset itself, but can be identified by referring to other information held separately. Pseudonymous data is therefore still personal data and data protection law applies.

What are the benefits of pseudonymisation?  The guidance explains that pseudonymisation can make your data protection compliance simpler in a number of areas, including:

  • achieving the principle of data protection by design; and
  • providing an 'appropriate technical and organisational measure' which can improve security.

In our experience, organisations sometimes find it difficult to differentiate anonymous data from pseudonymous data, which can make it harder to draft and negotiate appropriate contractual obligations. Our specialist data protection lawyers can help you to use anonymisation and pseudonymisation to maximise the benefits of data to your business and document their use correctly.

Further Reading

We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set when you accept.

For more detailed information about the cookies we use, see our Cookies page.

Manage your cookies

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set when you accept.

For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

(Required)

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

These cookies are required

Tracking cookies

Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

They may also be used to personalise your experience on our website by remembering your preferences and settings.

Marketing

Diese Cookies werden verwendet, um Ihre Erfahrung auf unserer Website zu verbessern und zu personalisieren. Sie können verwendet werden, um Ihre Anzeigen unserer Produkte zu zeigen, oder um die Leistung unserer Anzeigen zu messen.