Anonymisation of data – could you still be in breach of data protection rules?
So, the courts (Efifiom Edem v Data Protection Commissioner and Financial Services Authority,  EWCA Civ 92) recently decided that a name could be personal data for the purposes of data protection legislation, if it was combined with other information that enabled the individual to be identified. Meaning of course that processing that data (essentially, storing or using the name in any way) would be subject to requirements of the Data Protection Act.
Logically then, one might think anonymising data would be the answer to all the issues. Certainly, anonymising data can help, but there are a number of things to be aware of with anonymising data (as identified by the European Article 29 Working Part in their opinion 05/2014 on anonymisation techniques, which gives a detailed review of the relative advantages and weaknesses of most of the currently available anonymisation techniques), which arise whether you’re using randomisation or generalisation (the two main families of anonymisation techniques). (Note that pseudonymisation is not a way of anonymising data, but rather a potentially useful security measure.):
- the standard for anonymisation is high – it needs to be irreversible, as near as possible to permanent as erasure;
- the risk is not only of re-idenitification of names and or addresses, but also of singling out, linkability and inference;
Dangers lurk in particular where a lot of the underlying information is retained because if it is then combined with another dataset individuals may be then be identifiable.
The advice is:
- anonymise on a case-by-case basis, factoring in the particularities of each data set and what is being done with it;
- use a variety of techniques, not just one, as each technique has its own limitations;
- conduct regular risk assessments on your techniques to check their effectiveness, particularly as new ways of “re-personalising” data, and therefore identifying individuals from data, are being researched all the time;
- remember, anonymisation of the data in itself is an act of processing, so the correct procedures need to be followed;
- data controllers need to balance potentially legitimate interests in anonymising data against data subjects’ access rights; and
- even if truly anoymised data doesn’t come within the ambit of data protection rules, it may still be subject to controls on confidentiality of communications and privacy laws.