The UK’s Information Commissioner’s Office (ICO) and Germany’s Independent Centre for Privacy Protection (more specifically, of the Schleswig-Holstein region) have agreed that anonymised (or, as Americans generally spell it, “anonymized”) personal data need not guarantee full privacy. In a way, this makes sense when you consider that the use of encryption software like AlertBoot is seen as complying with data security laws, even though it cannot provide 100% protection either (for example, there’s always the risk of someone Post-It’ing the username and password to a laptop’s bottom).
Compliance with DPA, German Privacy Laws
The ICO, according to out-law.com, has released a new code of practice that deals with the anonymization of personal data. In short, the ICO has come to the conclusion that perfect anonymity is not possible, and that an organisation will be considered compliant with the Data Protection Act if certain guidelines are followed. The fears of “re-identification” — where anonymized data can be traced back to a particular individual by combining it with a different data set — are acknowledged but also deemed “acceptable” (for lack of a better description):
“There is clear legal authority for the view that where an organisation converts personal data into an anonymised form and discloses it, this will not amount to a disclosure of personal data,” the ICO said. “This is the case even though the organisation disclosing the data still holds the other data that would allow re-identification to take place.”
Germany’s counterpart to the ICO, the ICPP (or in German, Unabhängigen Landeszentrums für Datenschutz), noted the same:
“The [German] legal commentary argues that in some cases (similar to the ICO) 100% anonymity is not possible to achieve, but that the risk has to be minimal,” Marit Hansen, deputy Privacy & Information Commissioner in Schleswig-Holstein said.
The ICO was further quoted as stating:
It can be difficult for organisations to know whether data they have anonymised can still be classed as ‘personal data’. It said, though, that a High Court ruling had made clear that “the risk of identification must be greater than remote and reasonably likely for information to be classed as personal data under the DPA”.
In other words, you don’t get carte blanche to spread personal data via anonymized data: a real effort must have been made to ensure the protection of personal data. This is not so surprising when you consider the level of importance that the ICO attaches to the protection of personal data. This is especially so once you’ve read how the rate at which biscuits are made could be considered personal data under the Data Protection Act.
Among other things of interest that were mentioned:
Care must be taken that attempts to re-identify information do not lead “to the misidentification of an individual”
Safeguards must be put in place to limit the number of people who can access the anonymized data
Attempts to re-identify the data should be conducted (in order to see how well the anonymization is working)
That last part was actually developed more by Marit Hansen:
“A later assessment [of anonymized data] may reveal that the protection may not be regarded adequate anymore. But then harm may already be done, and it would not be sufficient to delete the data (copies may be available, the re-identification may have been conducted already)…. anonymisation does not only mean to assess the risk once, but also to think of future risks, act accordingly (e.g. to refrain from publishing these data on the internet) and assess the risk again if the conditions may have changed.”