In February this year, the ICO published Chapter 3 of its anonymisation, pseudonymisation and privacy enhancing technologies (PETs) draft guidance, focusing on pseudonymisation. This month, it published a further chapter, Chapter 4, focussing on accountability and governance for data controllers. The ICO is seeking feedback on both chapters (as well as Chapters 1 and 2 still), until the consultation closes on 16 September 2022.

The ICO will continue to publish further draft guidance with future chapters covering areas such as privacy-enhancing technologies and their role in safe data sharing, as well as how anonymisation and pseudonymisation apply in the context of research.

Read our summaries of Chapter 3 (Pseudonymisation) and Chapter 4 (Governance) or head to our whitepaper on anonymisation for some additional thought on the topic from our data protection experts.

Chapter 3: Pseudonymisation

Chapter 3 explains what pseudonymisation is, what sets it apart from anonymisation, the benefits it can provide and how it should be approached by data controllers.

The ICO outlines that, in contrast to anonymised data, pseudonymised data is still personal data. With pseudonymisation, the processing reduces the links between individuals and the data that relates to them, rather than removing them entirely. To this end, the ICO emphasises that pseudonymisation should be seen as a security and privacy risk management measure.

The ICO explains that when properly applied, pseudonymisation can help to reduce the risk that a data controller’s processing poses to individual rights, support the re-use of personal data for new purposes and support overall compliance with the data protection principles. The guidance recognises that pseudonymisation can enable greater utility of data than anonymisation, but reminds data controllers of the need to consider whether and how to effectively implement pseudonymisation.

The guidance illustrates that pseudonymisation can be useful to enable data controllers to further process personal data beyond its original purpose in some circumstances. For example, as per Recital 29 GDPR, a data controller can undertake “general analysis” on pseudonymised data within its organisation, provided that technical and organisational measures necessary to ensure data protection compliance are in place and that additional information for attributing the data to a specific individual is kept separately.

The ICO provides some guidance as to how a data controller might implement pseudonymisation. Things to consider include risks that pseudonymisation might pose (including internal and external threats), deciding who will undertake pseudonymisation and deciding on the most appropriate technique to use. Additionally, a data controller is told to ensure that it has appropriate processes in place for regular testing, assessing and evaluating the effectiveness of any pseudonymisation techniques used.

The guidance explains that there is no one-size-fits-all approach but data controllers should ultimately identify which entity performs the pseudonymisation and who has overall accountability for the processing. The decision-making process and any steps taken should be clearly documented.

Chapter 4: Accountability & Governance

Chapter 4 explores a data controllers’ governance approach, noting factors that should be considered to ensure transparency, as well as guidance on other relevant legislation that may be applicable when handling anonymous data (even if the GDPR no longer applies).

The ICO outlines that key decisions around anonymisation should be documented, including the rationale for them – this forms part of a data controller’s accountability obligations. A Data Protection Impact Assessment (DPIA) can help to document any decision-making process and is also compulsory for processing if, for example, the controller uses innovative technology to render personal data as anonymous information.

The guidance also adds that having an appropriate governance structure is useful to demonstrate compliance to the ICO and that enforcement action is less likely if a data controller can show that it: (1) made a serious effort to comply with data protection law; and (2) had a genuine reason to believe that the information was not personal data (i.e. by showing that identifiability risk was sufficiently remote).

The anonymisation process should be managed by someone of sufficient seniority with an appropriate understanding of the data controller’s process, any intended disclosures and the relevant technical and legal considerations. They should work closely with the Data Protection Officer to seek their advice and guidance.

As anonymising personal data involves processing, the ICO wants data controllers to consider how and why they intend to anonymise, defining their purpose and detailing their technical and organisational measures. Data controllers are told to work with other organisations with whom they plan to disclose anonymous information if it is likely that such organisations will be processing and disclosing other information that could allow the individual to whom the data relates to be identified.

Interestingly, the ICO also takes the view that a data controller’s governance approach should also cater for risks relating to the use of anonymous information (notwithstanding that it is outside the scope of the GDPR). For example, the ICO suggests that anonymous information should only be used in ways individuals would reasonably expect, that data controllers should consider whether individuals would reasonably expect them to retain the data in identifiable form and consider whether rendering personal data as anonymous information would affect related individuals (i.e. can an adverse impact be justified?).

Likewise, the ICO keenly emphasises that individuals have the right to know how and why their data is being processed. To this end, an organisation’s privacy policy/notice should be easily accessible and clearly explain its approach to anonymisation.

Finally, the guidance also covers a data controller’s responsibility to keep up-to-date with new guidance, legal considerations and case law that clarifies the legal framework surrounding anonymisation. For example, a data controller should consider how their processing may be impacted by the Freedom of Information Act 2000, how they should comply with the Human Rights Act and how the sharing of information may be affected by the common law duty of confidentiality.

Data controllers should also ensure that they keep up-to-date with technical developments and any new techniques that are available, including for anonymising data and identifying intruders that seek to unmask individuals within a dataset.