The UK’s Information Commissioner’s Office (ICO) has published guidance on anonymisation and pseudonymisation techniques. Meanwhile, this follows the European Data Protection Board (EDPB) recently closing its consultation on pseudonymisation.
Both sets of guidance share common themes, however there are also significant differences in relation to when (if at all) pseudonymised data may be "upgraded" to be considered anonymous.
The ICO’s guidance places emphasis on understanding the distinction between pseudonymisation and anonymisation, a misunderstanding of which could lead to non-compliance with data protection laws. Pseudonymisation prevents personal data from being directly linked to individuals without the use of additional information, for example by using a code key to access encoded data. This reduces the link between people and their data but does not completely remove it. Anonymisation, on the other hand, ensures there is no link between the information and the individual concerned. As it is completely unidentifiable, anonymised data is not considered personal data for the purpose of data protection laws. For further details on the ICO’s guidance, click here.
The ICO clarifies that, where a data controller holds pseudonymised data but does not hold the additional information needed to identify individuals, this data can be considered effectively anonymised. This means that, from the ICO’s perspective, it does not need to be impossible to identify an individual for the data to be considered anonymous, as long as the possibility is “sufficiently remote”. By this logic, identical data sets can be considered either anonymous when held by one controller, or considered personal data when held by another controller who also holds the additional information necessary to make the data identifiable.
This differs from the EDPB’s position: anonymised and pseudonymised data are mutually exclusive, and it must be impossible to identify an individual if the corresponding data is to be considered anonymous – the same data set cannot be both personal data and anonymous depending on whether a controller holds additional identifying information or not.
Both the ICO and EDPB provide technical measures and illustrative examples, with the ICO emphasising greater accountability on controllers to demonstrate effective anonymisation and that the use of either technique alone is not sufficient – data controllers must also demonstrate compliance with legal obligations by documenting their decision-making processes. The ICO suggests appointing a senior individual – ideally one who is not the controller’s Data Protection Officer – to oversee this process, and recommends implementing separate Data Protection Impact Assessments for both anonymised and pseudonymised data processing. Organisations should also ensure that regulatory requirements are met if anonymisation or pseudonymisation is being undertaken by processors, as the responsible controller is liable for data processing on its behalf by processors.
While the ICO’s guidance does not have statutory force and is therefore not mandatory, it will nevertheless be considered when assessing an organisation’s compliance. Our data protection team would be happy to assist you with technical solutions for protecting personal data.
Daniel Fournier