The first chapter of the draft guidance is an Introduction to Anonymisation which addresses the questions:
• What is anonymous information? This links to the UK GDPR definition: 'information which does not relate to an identified or identifiable natural person or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable'.
• What is anonymisation? This is the way in which you turn personal data into anonymous information.
• Is anonymisation always necessary? No – sometimes it is necessary and legitimate to process personal data.
• Is anonymisation always possible? No - in some instances effective anonymisation may not be possible due to the nature or context of the data, or the purpose(s) for which you collect, use and retain it.
• What are the benefits of anonymisation? Potential benefits include:
- it limits your data protection risks;
- it can enable you to share information with other organisations or the public;
- it supports the principle of data minimisation; and
- it is easier to use anonymous information in new and different ways, as the data protection rules on purpose limitation do not apply.
• If we anonymise personal data, does this count as processing? Yes – processing includes any operation performed on information.
• What is pseudonymisation? It is a technique that replaces or removes information that identifies an individual. You must ensure that you keep the identifying information separately and put appropriate technical and organisational controls in place.
• What about ‘de-identified’ personal data? This draft guidance states that the meaning of this expression will vary depending on the circumstances, and this will be updated when future sections of the guidance are published. In the meantime, note that the Data Protection Act 2018 created a criminal offence of re-identifying information that is de-identified personal data without the controller's consent.
• What is the difference between anonymisation and pseudonymisation?
- Anonymisation means that individuals are not identifiable and cannot be reidentified by any means reasonably likely to be used. Anonymous information is not personal data and data protection law does not apply.
- Pseudonymisation means that individuals are not identifiable from the dataset itself, but can be identified by referring to other information held separately. Pseudonymous data is therefore still personal data and data protection law applies.
• What are the benefits of pseudonymisation? The guidance explains that pseudonymisation can make your data protection compliance simpler in a number of areas, including:
- achieving the principle of data protection by design; and
- providing an 'appropriate technical and organisational measure' which can improve security.
In our experience, organisations sometimes find it difficult to differentiate anonymous data from pseudonymous data, which can make it harder to draft and negotiate appropriate contractual obligations. Our specialist data protection lawyers can help you to use anonymisation and pseudonymisation to maximise the benefits of data to your business and document their use correctly.