UK Information Commissioner’s Office Releases New Anonymization Guidelines for Public Comment

Odia Kagan
Fox Rothschild LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Fox Rothschild LLP

The United Kingdom’s Information Commissioner’s Office has released the second chapter in its anonymization guide for public comment.

Here are some key points:

  • An effective anonymization process seeks to reduce the likelihood of someone being identified or identifiable to a sufficiently remote level. This level depends on a number of factors specific to the context.
  • Simply removing direct identifiers from a dataset is insufficient to ensure effective anonymization. If it is possible to link any individuals to information in the dataset that relates to them, then the data is personal data. Data that may appear to be stripped of identifiers can still be personal data in cases where it can be combined with other information and linked to an individual.
  • When assessing whether someone is identifiable, you need to take account of the “means reasonably likely to be used.” You should base this on objective factors such as the costs and time required to identify, the available technologies and the state of technological development over time.
  • However, you do not need to take into account any purely hypothetical or theoretical chance of identifiability. The key is what is reasonably likely relative to the circumstances, not what is conceivably likely in absolute.
  • Data protection law does not require you to adopt an approach that takes account of every absolute or purely hypothetical or theoretical chance of identifiability. It is not always possible to reduce identifiability risk to a level of zero, and data protection law does not require you to do so.
  • When considering releasing anonymous information to the world at large, you may have to implement more robust techniques to achieve effective anonymization than when releasing to particular groups or individual organizations.
  • There are likely to be many borderline cases where you need to use careful judgement based on the specific circumstances of the case.
  • Applying a “motivated intruder” test is a good starting point to consider identifiability risk.
  • You should review your risk assessments and decision-making processes at appropriate intervals. The appropriate time for, and frequency of, any reviews depends on the circumstances.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Fox Rothschild LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide