The United Kingdom’s Information Commissioner’s Office has released the second chapter in its anonymization guide for public comment.
Here are some key points:
- An effective anonymization process seeks to reduce the likelihood of someone being identified or identifiable to a sufficiently remote level. This level depends on a number of factors specific to the context.
- Simply removing direct identifiers from a dataset is insufficient to ensure effective anonymization. If it is possible to link any individuals to information in the dataset that relates to them, then the data is personal data. Data that may appear to be stripped of identifiers can still be personal data in cases where it can be combined with other information and linked to an individual.
- When assessing whether someone is identifiable, you need to take account of the “means reasonably likely to be used.” You should base this on objective factors such as the costs and time required to identify, the available technologies and the state of technological development over time.
- However, you do not need to take into account any purely hypothetical or theoretical chance of identifiability. The key is what is reasonably likely relative to the circumstances, not what is conceivably likely in absolute terms.
- Data protection law does not require you to adopt an approach that takes account of every absolute or purely hypothetical or theoretical chance of identifiability. It is not always possible to reduce identifiability risk to a level of zero, and data protection law does not require you to do so.
- When considering releasing anonymous information to the world at large, you may have to implement more robust techniques to achieve effective anonymization than when releasing to particular groups or individual organizations.
- There are likely to be many borderline cases where you need to use careful judgement based on the specific circumstances of the case.
- Applying a “motivated intruder” test is a good starting point to consider identifiability risk.
- You should review your risk assessments and decision-making processes at appropriate intervals. The appropriate time for, and frequency of, any reviews depends on the circumstances.