Ireland - Guidance note on anonymisation and pseudonymisation

Ireland - Guidance note on anonymisation and pseudonymisation's Tags

Tags related to this article

Ireland - Guidance note on anonymisation and pseudonymisation

Published 13 September 2016

The Office of the Data Protection Commissioner ("ODPC") recently released a guidance note in relation to the anonymisation and pseudonymisation of personal data and the application of the Data Protection Acts 1988 – 2003 ("DPA") to such data.

In its guidance note, the ODPC specifically states that "irreversibly and effectively anonymised data" is not personal data for the purposes of the DPA and as such the related data protection rules and principles do not apply. Conversely, pseudonymised data (also known as coded data) remains personal data for the purposes of the DPA.

What is pseudonymised data?

Pseudonymisation occurs when the identifying characteristics of personal data are replaced by pseudonyms or codes, preventing the data subject from being directly identified. It provides a more limited form of protection as it remains possible to identify the data subject by reviewing the coded data in connection with other related data. Unlike in the case of anonymised data, data controllers are not absolved of their obligations under the DPA where data has been pseudonymised.

What is anonymised data?

The ODPC's guidance note states that anonymised personal data is not subject to the provisions of the DPA if it has been processed "with the aim of irreversibly preventing the identification of the individual to whom it relates." In other words, data will be sufficiently anonymised if it does not allow the identification of the individual to whom it relates and it is not possible to identify that individual from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.

This point is significant as anonymised personal data held by organisations is not subject to DPA provisions including provisions relating to the retention of data or transferring data. Therefore, anonymised data could conceivably be held indefinitely by organisations (although this would not be recommended) and freely transferred to other jurisdictions without having to consider onerous data transfer legislative provisions.

Effectively anonymising data

The process of anonymising personal data is considered to be "processing" for the purposes of the DPA and therefore must be done fairly and in accordance with the provisions of the DPA. Organisations should inform data subjects when initially collecting their personal data if one of the purposes for the collection is to anonymise it for future use.

The ODPC's guidance note warns that technology in relation to the anonymisation of data is constantly evolving and it is therefore impossible to say that a particular anonymisation technique will be completely effective. Therefore, the onus is on the organisation processing the data to identify and minimise the risks to data subjects when anonymising such data. In some cases, due to the nature of the personal data, it may not be possible to effectively anonymise it. However, the ODPC's guidance note states that if it can be shown that "it is unlikely that a data subject will be identified given the circumstances of the individual case and the state of technology, the data can be considered anonymous."

Anonymisation must be done on a case by case basis, having regard to all relevant risk factors and to the intended purpose of the anonymised data. However it is important to remember that if the data is simply coded and not anonymised then the DPA continues to apply. Organisations should consider the following when anonymising data:

  • satisfying itself that potential intruders will not be able to identify the data subject from the data, given the current state of technology and information available. As part of that assessment, organisations should consider any other information which may be available which would assist the intruder in identifying the data subject;
  • considering whether someone with personal knowledge of the data subject is likely to have access to the anonymised data when making an assessment of the level of anonymisation required. Individuals with personal knowledge of the data subject are far more likely to be in a position to identify data subjects from supposedly anonymised data. If an organisation is providing the anonymised data to a particular recipient or group, it should consider if there is a risk that the data might be shared beyond that intended recipient or group to someone who might potentially identify the data subject;
  • considering the value of the data to a potential intruder when assessing the level of protection to be afforded to anonymised data;
  • remembering its ongoing obligation to monitor and assess the level of protection afforded to anonymised data over time;
  • if it holds both the anonymised data and the source data, it should be careful to delete the source data at the time of anonymisation to prevent re-identification of the data subject from the anonymised data. Where re-identification of the data subject is possible, the data becomes personal data for the purposes of the DPA;
  • remaining cognisant that whilst the DPA might not apply to successfully anonymised data, other legislative provisions, such as the ePrivacy Regulations (which relate to 'information' rather than personal data) will continue to apply to such data; and
  • keeping any anonymised data under continuous review to ensure that it is being adequately protected. Although not subject to the provisions of the DPA, anonymised data which is no longer needed or being used should be deleted in order to minimise risk to the organisation.

The Article 29 Working Party's opinion on anonymisation techniques, Opinion 05/2014, provides detailed information in relation to anonymisation techniques for data controllers.

To read the ODPC's full guidance note, click here.

Authors

Rowena McCormack

Rowena McCormack

Dublin

+353 (0)1 231 9628

< Back to articles