You are here: Home / Data Protection / Does the Data Protection Act apply to Anonymised Data?

Does the Data Protection Act apply to Anonymised Data?

August 28, 2012 by Leave a Comment



Businesses often anonymise personal data for use in statistical or marketing information but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data, when linked with other information, will not lead to the identification of an individual.

Anonymisation

Under the DPA personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes. It is therefore essential that personal data is effectively anonymised so that it is no longer personal data and thus excluded from the strict requirements of the DPA. For example, organisations which anonymise data, must consider whether the anonymised data when combined with other information would result in a disclosure of personal data.

Consent

In order to anonymise personal data the data needs to be processed. Organisations may therefore need to obtain consent to the anonymisation of personal data, in order to be able to later disclose such information in an anonymised form. Such consent can be obtained by using an appropriate privacy policy, or some other form of notification, which explains the anonymisation process and its consequences for individuals. This will be particularly relevant where an organisation is required to disclose data in compliance with a request under the Freedom of Information Act.

Re-Identification

Where there is a risk that an individual could suffer “damage, distress or financial loss” as a result of “re-identification” following disclosure of anonymised information, consent to the discourse should be obtained from the individual concerned.

ICO Anonymisation Code of Practice

By following the above basic steps set out in more detail in the ICO’s draft code of practice on anonymisation, organisations can publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. The consultation period ended on the 23rd of August and the draft guide will be finalised later this year. 

 

Subscribe by Email

Related posts:

Filed Under: Data Protection, Internet Law
About Irene Bodle

Irene founded Bodle Law in 2010 after working for 8 years as corporate counsel for a global software company. Irene offers specialist legal advice on IT law in particular, Internet law, website law, cloud issues, international software contracts and SaaS agreements. Learn more about Irene Bodle
Read Irene's latest articles
Have a question? Contact Irene here

Speak Your Mind

*

Email
WP Socializer Aakash Web