New Code of Practice on anonymisation

The Information Commissioner has published a new code of practice on “Anonymisation: managing data protection risk”.

Under the Data Protection Act 1998, the definition of personal data does not include information relating to an individual if that individual cannot be identified from that information together with all other information which is in the possession of, or is likely to come into the possession of, the data controller. It follows that where an organisation holds data relating to individuals which is anonymised, or where it is deciding whether or not to anonymise its data, it will need to consider carefully whether the anonymisation method means that the information falls outside the scope of the DPA or not. The 100+ page code includes guidance and practical examples to assist organisations in assessing their options in relation to anonymisation. This guidance will not only be useful in relation to DPA obligations, but also where an organisation is considering anonymising data in order to respond to a Freedom of Information request. Note that whilst the code gives advice on good practice, it is not mandatory to comply with its recommendations where they go beyond the obligations under the DPA; it is issued under section 51 of the DPA, but it is not legally enforceable.

In addition to the new Code of Practice, the ICO has announced that “a consortium led by the University of Manchester, with the University of Southampton, Office for National Statistics and the government’s new Open Data Institute (ODI), will run a new UK Anonymisation Network (UKAN). The Network will receive £15,000 worth of funding from the ICO over the next two years to enable sharing of good practice related to anonymisation, across the public and private sector. The network will include a website, case studies, clinics and seminars”.

Rachel Kamm