On May 31, 2012, the UK Information Commissioner’s Office (“ICO”) published a draft anonymization code of practice (the “Code”) which will be open to public consultation until August 23, 2012. The purpose of the Code is to provide organizations with guidance on how personal data can be anonymized successfully, and how to assess the risk of individuals being identified using data that has been anonymized. The ICO also has launched a £15,000 invitation to tender to establish a network of experts to share best practices regarding anonymization.
The ICO has taken the view that a formal Code would be beneficial because organizations often are uncertain of their data protection obligations with respect to anonymization. In particular, questions frequently arise regarding the legal basis for the anonymization process itself, and whether anonymized data might constitute personal data. In issuing the draft Code, UK Information Commissioner Christopher Graham noted that “[t]he risks of anonymisation can sometimes be underestimated and in other cases overstated.” The Code will provide a standardized method for assessing these risks. Although the Code will not be legally binding, compliance with the Code will be considered a “best practice.”
The Code supports the Information Commissioner’s view that data protection legislation should not be used as a barrier to prevent the anonymization of personal data, given that ultimately anonymization is intended to safeguard individuals’ privacy. Once personal data has been properly anonymized, the legal restrictions that would have applied (including the restrictions on disclosing that data to third parties) will no longer apply. The publication of properly anonymized data will not amount to an unlawful disclosure of personal data, even if the disclosing organization still holds other information that would allow individuals to be identified, provided that third parties cannot identify individuals from the anonymized data.
The Code suggests that, under the UK’s data protection legislation, personal data could be anonymized without the individual’s consent if that anonymization is necessary for the purposes of the legitimate interests pursued by the organization in question. This “legitimate interests” justification must be weighed against the impact such anonymization would have on the interests of the data subject.
A key difficulty for organizations in this area is ensuring that the relevant data has, in fact, been properly anonymized. The Code recommends that organizations assess whether any other person could identify any individual from the anonymized information, either by itself or in combination with other available information. In considering the scope of any “other available information,” the Code recommends adopting a “motivated intruder” test – that is, asking whether individuals could be re-identified from the anonymized data by someone who is “reasonably competent, has access to resources such as the internet, libraries and all public documents, and would employ investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward.” The “motivated intruder” test sets the bar for re-identification higher than that of a “‘relatively inexpert’ member of the public,” but lower than someone with “specialist expertise, analytical power or prior knowledge.” In borderline cases, where the organization is unsure whether the anonymized data could be used to identify individuals, the Code urges caution against disclosure of such anonymized data, particularly where the relevant data includes sensitive data or where the disclosure could significantly impact the individual’s privacy.