ICO issues code of practice on anonymising personal data
New guidelines aim to help businesses and public bodies comply with data protection legislation, while aiding 'the open data agenda'.
The Information Commissioner’s Office (ICO) has issued a new code of practice on the anonymisation of personal data to help firms avoid breaching the Data Protection Act (DPA).
The decision to publish the guidelines was announced on 31 May 2012, when the Office undertook a consultation on the matter.
Steve Wood, head of policy at the ICO, told IT Pro at the time: “There is a push to open up more datasets and some of that will be based on personal data in its raw form, so there are some issues where public bodies are concerned about how they disclose that data without identifying the people involved.”
In his prologue to the code of practice, Christopher Graham, the Information Commissioner, said his office “has been a strong supporter of the open data agenda and has played its part in ensuring that all sorts of valuable data has been made available through the Freedom of Information Act 2000.”
However, over the past 12 years, concerns over making data relating to private individuals publicly available have grown, Graham claims.
“Finding out about the performance of a public authority, for example, inevitably involves finding out about the performance of its staff.
“We want openness, but we want privacy too. That is why the subject matter of this code of practice – anonymisation – is so important,” Graham added.
Bridget Treacy, who leads the UK privacy and information management practice at law firm Hunton & Williams, welcomed the publication of the code of practice.
“Organisations are seeking to use data in innovative ways … but there are significant legal restrictions when it comes to dealing with data that is deemed ‘personal’,” she said.
However, Treacy added, if personal data has been rendered truly anonymous and the subject is in no way identifiable, the legal restrictions on publicly disclosing it no longer apply.
“Ensuring that data is properly anonymised, and not just masked, can be very difficult to achieve in practice,” said Treacy.
“Organisations often are uncertain about the legal basis for the anonymisation process itself, and whether [it] might constitute personal data. The code deals with both of these issues.”