The UK Information Commissioner's Office (ICO) has released a draft Code of Practice on Data Anonymisation. The UK ICO will be conducting a consultation on the draft Code until August 23, 2012.

The UK ICO states that the Data Protection Act (UK) should not be a barrier to prevent the anonymization of personal data. Moreover, once data is anonymized, the UK ICO states that the data can be disclosed to others without being subject to the Data Protection Act. This remains true, even if the disclosing organization retains the ability to re-identify the data.

The UK ICO's interpretation of the Data Protection Act is that data that has been properly anonymized can be deployed for new uses without the consent of the individual from whom the data was initially collected. The exemption from the need to obtain consent is subject to a number of provisos:

  • the anonymization must be effective (the UK ICO recommends a privacy impact assessment);
  • the purpose for which the anonymization takes place is legitimate (and any ethical approvals have been obtained);
  • there are no detrimental effects on particular individuals;
  • the organization's privacy policy or some other form of notification explains the anonymization process; and
  • there is a system for collecting individuals' objections (even though consent is not required).

In assessing the effectiveness of anonymization, the UK ICO states that organizations must consider whether a motivated intruder could re-identify the individual using the data set. An organization must consider whether information that has purportedly been anonymized could be combined with other information to identify an individual. If so, then this would be a disclosure of personal information. The UK ICO suggests that organizations disclosing anonymized data will want to assess the disclosure risk "in the round". In other words, all organizations disclosing part of the data set should consider whether another organization (or, the public) could identify the information from the information being disclosed.

Importantly, the UK ICO distinguishes identification from an educated guess. In order for there to be a re-identification issue creating a risk of disclosure, the data set must be capable of being used for more than establishing a probability that an individual has the characteristics attributed by the data set.

One of the most helpful aspects of the draft Code of Practice are the thoughtful examples of anonymization techniques that will help organizations understand the privacy principles in action.

About Fraser Milner Casgrain LLP (FMC)

FMC is one of Canada's leading business and litigation law firms with more than 500 lawyers in six full-service offices located in the country's key business centres. We focus on providing outstanding service and value to our clients, and we strive to excel as a workplace of choice for our people. Regardless of where you choose to do business in Canada, our strong team of professionals possess knowledge and expertise on regional, national and cross-border matters. FMC's well-earned reputation for consistently delivering the highest quality legal services and counsel to our clients is complemented by an ongoing commitment to diversity and inclusion to broaden our insight and perspective on our clients' needs. Visit: www.fmc-law.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.