FEATURE28 January 2022

Anonymising data

x All content on Research Live and in Impact magazine is editorially independent from sponsorship or other commercial arrangements.
Find out more about advertising and sponsorship.

Features Impact Legal Privacy Technology

Following the publication of the data-sharing code of practice, the Information Commissioner’s Office (ICO) is now working on guidance on anonymisation, pseudonymisation, and privacy-enhancing technologies.

IStock-913879566 Iaremenko

The guidance will explore the legal, policy and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law. In so doing, it will clarify when personal data can be considered anonymised, if it is possible to anonymise data adequately to reduce risks, and what the benefits of anonymisation and pseudonymisation might be.

The endeavour is commendable. The topic has been up for debate for a long time, from the ICO’s first attempt, Anonymisation: managing data protection risk code of practice of 2012, and the late Article 29 working party’s (now European Data Protection Board) Opinion on anonymisation techniques of 2014, to the Norwegian and Irish data protection authorities’ guidance on anonymisation and pseudonymisation of 2017 and 2019.

The concept is straightforward: anonymisation must be assessed against the possibility of re-identifying the data subject, while the test of re-identifiability leaves large room for discussion. On the one side, the EU Article 29 working party aimed ...