Businesses often anonymise personal data for use in statistical or marketing information but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data, when linked with other information, will not lead to the identification of an individual.
Under the DPA personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes. It is therefore essential that personal data is effectively anonymised so that it is no longer personal data and thus excluded from the strict requirements of the DPA. For example, organisations which anonymise data, must consider whether the anonymised data when combined with other information would result in a disclosure of personal data.
Where there is a risk that an individual could suffer “damage, distress or financial loss” as a result of “re-identification” following disclosure of anonymised information, consent to the discourse should be obtained from the individual concerned.
ICO Anonymisation Code of Practice
By following the above basic steps set out in more detail in the ICO’s draft code of practice on anonymisation, organisations can publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. The consultation period ended on the 23rd of August and the draft guide will be finalised later this year.