• AU
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance

11 June 2021
On 28 May the ICO published a consultation draft of the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance.  Here is our summary of the key points.

The first chapter of the draft guidance is an Introduction to Anonymisation which addresses the questions:

What is anonymous information?  This links to the UK GDPR definition: 'information which does not relate to an identified or identifiable natural person or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable'.
What is anonymisation?  This is the way in which you turn personal data into anonymous information.
Is anonymisation always necessary?  No – sometimes it is necessary and legitimate to process personal data.
Is anonymisation always possible?  No - in some instances effective anonymisation may not be possible due to the nature or context of the data, or the purpose(s) for which you collect, use and retain it.
What are the benefits of anonymisation?  Potential benefits include:

  • it limits your data protection risks;
  • it can enable you to share information with other organisations or the public;
  • it supports the principle of data minimisation; and
  • it is easier to use anonymous information in new and different ways, as the data protection rules on purpose limitation do not apply.

If we anonymise personal data, does this count as processing?  Yes – processing includes any operation performed on information.
What is pseudonymisation?  It is a technique that replaces or removes information that identifies an individual. You must ensure that you keep the identifying information separately and put appropriate technical and organisational controls in place.
What about ‘de-identified’ personal data?  This draft guidance states that the meaning of this expression will vary depending on the circumstances, and this will be updated when future sections of the guidance are published.  In the meantime, note that the Data Protection Act 2018 created a criminal offence of re-identifying information that is de-identified personal data without the controller's consent.
What is the difference between anonymisation and pseudonymisation?

  • Anonymisation means that individuals are not identifiable and cannot be reidentified by any means reasonably likely to be used. Anonymous information is not personal data and data protection law does not apply. 
  • Pseudonymisation means that individuals are not identifiable from the dataset itself, but can be identified by referring to other information held separately. Pseudonymous data is therefore still personal data and data protection law applies.

What are the benefits of pseudonymisation?  The guidance explains that pseudonymisation can make your data protection compliance simpler in a number of areas, including:

  • achieving the principle of data protection by design; and
  • providing an 'appropriate technical and organisational measure' which can improve security.

In our experience, organisations sometimes find it difficult to differentiate anonymous data from pseudonymous data, which can make it harder to draft and negotiate appropriate contractual obligations. Our specialist data protection lawyers can help you to use anonymisation and pseudonymisation to maximise the benefits of data to your business and document their use correctly.

Further Reading

We use cookies to give you the best user experience on our website. Please let us know if you accept our use of cookies.
Manage cookies

Your Privacy

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. We mainly use this information to ensure the site works as you expect it to, and to learn how we can improve the experience in the future. The information does not usually directly identify you, but it can give you a more personalised web experience.
Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change permissions. However, blocking some types of cookies may prevent certain site functionality from working as expected 

Functional cookies

(Required)

These cookies let you use the website and are required for the website to function as expected.

These cookies are required

Tracking Cookies

Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

They may also be used to personalise your experience on our website by remembering your preferences and settings.

Marketing Cookies

These cookies are used to improve and personalise your experience with our brands. We may use these cookies to show adverts for our products, or measure the performance of our adverts.