Guidance - Anonymisation / Pseudonymisation

The Data Protection Act 2018/GDPR controls how the University can use ‘personal data’ – that is, information which allows individuals to be identified.

It follows that if we can 'de-identify' the data (i.e. make it anonymous), the GDPR/DPA18 will have less to say on how we deal with that anonymised data. Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.

The ICO has produced a code of practice which explains the issues surrounding the anonymisation of personal data, and the disclosure of data once it has been anonymised. The code describes the steps an organisation can take to ensure that anonymisation is conducted effectively, while retaining useful data.

For further guidance/information on anonymisation, please refer to the ICO Code of Practice at:

https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf

[Note - the ICO code still refers to the now obsolete Data Protection Act 1998; however, the concepts discussed are still entirely relevant to the GDPR/DPA18.]

The GDPR also encourages the use of pseudonymisation. This is a process which does not make the data totally anonymous (i.e. it would still be relatively easy to re-identify the data subject) but does mean the data is not directly identifiable. The data will still be classed as Personal Data (and therefore subject to data protection legislation), but pseudonymisation will significantly improve the security of processing the data.

Is the data Anonymous?

In order to assess whether the data you are processing is 'Personal Data' consider:

  • is it reasonably likely that an individual can be identified from those data and from other data?
  • what other data are available, either to the public or to researchers or other organisations?
  • how and why could your data be linked to other datasets?

If you are proposing to treat the data as anonymous data then you should properly document how you have come to that decision, probably through completing a Data Protection Impact Assessment (DPIA).

How to Anonymise data

In order to attempt to make the data you intend to process anonymous, the following factors should be taken into account:

  • the likelihood of re-identification being attempted;
  • the likelihood that re-identification would be successful;
  • the anonymisation techniques which are available to use; and
  • the quality of the data after anonymisation has taken place and whether this will meet the needs of the organisations using the anonymised information.

This process should be documented as part of a Data Protection Impact Assessment (DPIA).