Understanding and monitoring the data assets your organisation holds is crucial, since whether data is personal or not determines whether EU Data Protection Law applies. While the processing of personal data may be vital for providing your services and products, it comes with great responsibilities under Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the national laws of your jurisdiction.
Personal data is information that relates to an identified or identifiable individual, and data utility relies on the concept of identifiability. In September 2019 the Medical Research Council (MRC) updated and finalised its guidance on Identifiability, anonymisation and pseudonymisation with the participation of the Information Commissioner’s Office (ICO). In this article, we look at the key considerations of this guidance and also provide recommendations for dealing with anonymous and personal data. As the MRC emphatically put it, “identifiability is a continuum, but the law is binary”, pointing out that the GDPR distinguishes between personal and anonymous data but the reality is more complicated and contextual.
The MRC has provided the following take-away message:
In order to robustly anonymise, both content and context need to be controlled so that it is not reasonably likely that individuals would be identified, even by someone who may be more motivated than most, using all means that might reasonably be available to them. When this standard is met, the information is classed as anonymous.
Organisations process personal data either where this information directly identifies individuals or individuals can be identified when the information is combined with other information. Minimising the risk of re-identifiability enables organisations to minimise the risks of data processing to data subjects and their organisation. To this end, organisations are advised to take into account the following when considering their anonymisation policies:
- Have an accurate data asset and records of processing activities in place to monitor the data kept and data flows.
- Conduct a first assessment of the anonymity or identifiability of the data held and implement processes for constantly reviewing the identifiability risk. It is good practice to use re-identification testing to monitor and deal with re-identification vulnerabilities. This should also cover open data and aggregate statistics.
- The MRC guidance draws on the criteria of Recital 26, the Article 29 Working Party and the ICO Code on anonymisation. It emphasises that organisations should consider who has access to the information, the content and nature of this information, the context of use, all the means and additional information that might be reasonably likely to be used to identify individuals, and the applied controls. This is not a simple task.
- Consider the best anonymisation and pseudonymisation practices based on your business needs, risk-appetite and data processing operations. Adopting a specific technique is not required and organisations should refer to the guidance issued by the Article 29 Working Party and national authorities. Document the logic behind your choice of approach.
- Remove all direct real-world identifiers from the information. Bear in mind that mere removal of direct identifiers, i.e., de-identification, does not equal anonymisation.
- Where it is hard to achieve full and irreversible anonymisation in accordance with the anonymisation threshold suggested by the Article 29 Working Party, organisations should adopt preventive, responsive and repressive measures to minimise the risk of re-identification.
- If you apply pseudonymisation, ensure that the pseudonymised dataset and the cipher or code are held by different entities.
- Where direct identifiers, such as the NHS number, the Community Health Index in Scotland, the Irish Personal Public Service Number and other unique identifiers, provide critical and several pieces of personal information, the focus should be on security and governance measures rather than on attempting anonymisation.
- No one-size-fits-all approach: Consider the nature of personal data and context of use. For example, genetic data may be more vulnerable to the risk of re-identification. Therefore, stricter controls are required. In assessing the risk of re-identification and the affected data subjects, other individuals, namely family members, should also be considered on a case-by-case basis.
- Restrict access to other information on a need-to-know basis.
- Limit the risk of re-identification outside your organisation. For example, before sharing personal data with third parties, organisations should sign data sharing agreements providing that data recipients should not attempt re-identification and that the appropriate measures are in place.
- Consider the data flow and whether information could be re-identified in the hands of your customers and partners. Security screening of your data processors to ensure their GDPR compliance should also be undertaken.
- Adhere to codes of practice and official guidance, such as the Anonymisation Decision-Making Framework by the UK Anonymisation Network.
- Raise awareness and provide data protection training within your organisation.
- For example, UK organisations should update their policies to reflect Section 171 of the UK Data Protection Act 2018, which criminalises the re-identification of personal data under certain conditions. Similarly, Irish organisations should refer to the Irish Data Protection Act 2018 and the guidance issued by the Data Protection Commission.
As indicated above, although there is no golden rule for effectively anonymising personal data or assessing the level and likelihood of identifiability of data, organisations are provided with a toolbox to do so. Due diligence, objective assessments and reasonable tests should be applied to monitor and minimise organisations' risk. If you need help applying these tools, please contact our Data Protection Advisors, who can provide an external perspective to assist in undertaking the required risk assessments.