The UK’s Information Commissioner’s Office (ICO) released a Draft Anonymisation Code of Practice yesterday. The draft is open for consultation until August 23 2012. The document, which considers both legal and technical aspects of anonymisation, “is intended to demonstrate that the effective anonymisation of personal data is possible, desirable and can help society to ensure the availability of rich data resources whilst protecting individuals’ privacy.”
The Code of Practice describes the application of the EU’s Data Protection Directive (DPD), the UK’s Freedom of Information Act (FOIA), and UK’s the Data Protection Act (DPA) to the world of data anonymisation. In doing so, the Code aims to clarify certain principles of data-disclosure in this complicated legal field. For example, the Code explains that if anonymised correctly, the disclosure of previously identifiable data falls outside the scope of the DPA. Further, The Code clarifies some of the circumstances under which data can be anonymised; “it is generally acceptable to anonymise personal data and to disclose it without the data subject’s consent [if certain criteria of anonymisation are met].” Finally, the code provides considerable ‘practical advice’ about various anonymisation techniques.
The code, which does not in itself have the force of law, endeavors to promote the uses of anonymisation and establishes the responsibilities and good practices that “any data controller who is involved in the production or publication of anonymised information” should adopt.
Future of Privacy Forum is currently working to frame the levels of technical de-identification with the legal and policy commitments that may be needed to ensure good data anonymisation practices. For more information about our project please contact Julian Flamant.