The UK’s Information Commissioner’s Office (ICO) has issued guidance on pseudonymisation.
Here are some key points:
What is it?
At a basic level, pseudonymisation starts with a single input (the original data) and ends with two outputs (the pseudonymised dataset and the additional information). Together, these can reconstruct the original data. However, in relation to the individuals concerned, each output has meaning only in combination with the other.
Data that has undergone pseudonymisation remains personal data and is in scope of data protection law
With pseudonymisation, the processing reduces the links between individuals and the data that relates to them, but does not remove them entirely.
You should consider pseudonymisation as a security and privacy risk management measure
How can you share it?
Pseudonymisation is not anonymization, but you may be able to disclose a pseudonymised dataset (without the separate identifiers) on the basis that it is effectively anonymised from the recipient’s perspective.
You cannot automatically assume that the pseudonymised data becomes anonymous information in the other party’s hands. In practice, this depends on several factors you need to assess, including:
- the ability of the recipient to use other information to enable identification (either something in their possession, or in the public domain);
- the likelihood of identifiability, considering things like the cost of and time required for identification and the state of technology at the time of the processing; and
- the techniques and controls placed around the data once in the recipient’s hands.
Pseudonymisation can be relevant for any risk assessment you undertake. For example, detailing specific pseudonymisation techniques can help you demonstrate how you intend to mitigate particular risks that your processing may pose.
When considering pseudonymisation, for both data protection by design and security you need to take into account:
- the state of the art and costs of implementation of any measures;
- the nature, scope, context and purpose(s) of your processing; and
- the risks your processing poses to individuals’ rights and freedoms.
Crime, security and compatibility:
It may be a crime to reverse pseudonymised data or do any further processing of it, without first obtaining consent from the responsible controller.
Pseudonymization may prevent security incidents becoming personal data breaches, even if you may still need to take action to address the incident itself.
Pseudonymisation does not necessarily mean that you can decide your new purpose is compatible in all cases. It is one of several factors you must consider in this assessment.
When approaching pseudonymization you should:
- Define the goals (eg what does your use of pseudonymisation intend to achieve?)
- Detail the risks (eg, what types of attack are possible, who may attempt them, and what measures do you need to implement as a result?)
- Decide on the technique (ie, which technique (or set of techniques) is most appropriate?)
- Decide who does the pseudonymisation (eg you, a processor); and
- Document your decisions and risk assessments.