On 7 February 2022, the Information Commissioner's Office ("ICO") announced the publication of the third chapter of its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies (the "Draft Guidance"). Following on from the first and second chapters published on 28 May 2021 and 8 October 2021, respectively, which focus on anonymisation, the new third chapter aims to clarify the much-debated concept of pseudonymisation.
In addition to our previous blog post on the first chapter of the Draft Guidance, this blog post summarises some of the key concepts in the second and third chapters, focusing on pseudonymisation.
Pseudonymisation in a nutshell
In the context of data protection law, pseudonymisation refers to the process of replacing, removing or transforming data, so that it is unidentifiable without additional information (e.g. replacing names or other identifiers with codes or reference numbers), but re-identifiable to the extent that a party has access to such additional information, allowing them to reconstruct the original personal data and identify the relevant individuals. As such, pseudonymised data is only treated as being 'effectively anonymised' if the recipient of such data does not have the additional information to 'decode' it.
Identifiability: the 'whose hands' question
The second chapter of the Draft Guidance homed in on the concept of identifiability and its key indicators (i.e. singling out, linkability, and inferences), noting that an individual may be identifiable even without personal information (e.g. names) if other information that is unique to them remains.
The ICO therefore explained that data which undergoes anonymisation or pseudonymisation techniques should only be treated as 'effectively anonymised' where the likelihood of identifiability is sufficiently remote. The resulting status of the data will depend on the context and respective 'hands' of those who process it, namely:
- whether the person holding the data is able to access and use additional information to identify the data subject (either information in their possession or in the public domain);
- whether it is reasonably likely that this person will actually identify the data subject (e.g. considering broad factors such as the cost of and time required for identification and the state of technology at the time of processing); and
- the techniques and controls placed around the data when it is in this person's hands.
When considering whether it is reasonably likely that the person will identify the data subject, the ICO suggested applying a motivated intruder test, considering whether a reasonably competent intruder would succeed in identifying the data subject if they were motivated to attempt it.
Is it personal data?
Anonymised data (or more accurately 'effectively anonymised' data) is not personal data. In contrast, as clarified in the new third chapter of the Draft Guidance which cites Recital 26 of the UK GDPR, there is no change in status of data that has undergone pseudonymisation. Pseudonymised data is therefore still personal data, to the extent that it is not 'effectively anonymised'.
In line with this clarification and the 'whose hands' test described above:
- pseudonymised data held by organisations which have the means and additional information to 'decode' it, and therefore re-identify data subjects, will be classified as personal data; but
- pseudonymised data held by organisations without such means or additional information will not be personal data as it is 'effectively anonymised'.
In respect of data sharing, this means pseudonymised data in the hands of the disclosing party will be personal data, but may change in status and cease to be personal data in the hands of the receiving party, depending on who this is (and their means and access to additional information).
Is it a disclosure of personal data?
While the new chapter makes the status of pseudonymised data itself clear, the ICO has yet to confirm whether disclosing pseudonymised data to another organisation amounts to a disclosure of personal data. This distinction has an impact on the obligations of the disclosing party prior to making the disclosure.
In 2012, the ICO stated in its Anonymisation Code of Practice that the disclosure of anonymised or pseudonymised data would not amount to a disclosure of personal data, even if "the organisation disclosing the data still holds the other data that would allow re-identification". This meant that an organisation disclosing any pseudonymised data would not be subject to obligations under the data protection legislation arising out of the sharing of this data, including in relation to transparency. The rationale behind this position appeared to have been the ICO's keenness to incentivise organisations to anonymise or pseudonymise data if they were going to share data, in order to protect data subjects.
However, since the introduction of the GDPR, the question of whether disclosing pseudonymised data should be treated in the same way as disclosing personal data has become less clear, especially in light of Recital 26 of the GDPR and all ICO guidance issued since 2018 stressing that pseudonymised data is personal data and should be treated as such.
This has resulted in organisations adopting differing approaches in relation to data protection compliance when seeking to share pseudonymised personal data, with some organisations taking the view that this can be carried out without needing to comply with data protection obligations that would arise if they were disclosing personal data and other organisations taking a more conservative view and treating such disclosures as instances of regular sharing of personal data. An example of the latter approach can be seen in recent policy documents published by NHS trusts (such as this one) which state that "pseudonymisation is not a method of anonymisation. Pseudonymised data should be treated as [Personal Identifiable Data] and be secured appropriately [.] A data sharing agreement should be in place when pseudonymised information is to be transferred to a third party."
The publication of the third chapter has not settled this debate and remains silent on whether disclosing pseudonymised data should attract the same data protection obligations as sharing personal data. Having said this, the ICO does mention in the introduction to the third chapter that organisations "may be able to disclose a pseudonymised dataset (without the separate identifiers) on the basis that it is effectively anonymised from the recipient's perspective". Whilst this statement is not entirely conclusive, it does suggest that the ICO may be comfortable with organisations sharing pseudonymised data which is 'effectively anonymised' in the receiving party's hands without needing to adhere to the data protection obligations that would otherwise apply when disclosing personal data, including in relation to transparency and the considerations set out in the ICO's Data Sharing Code (see our blog post on the Code here).
The third chapter also provides further guidance for data controllers including an explanation of why a party might wish to pseudonymise personal data, criminal offences relating to the re-identification of anonymised or pseudonymised data without consent, and practical considerations when pseudonymising data (including outsourcing pseudonymisation activities).
The ICO will continue to publish additional chapters of the Draft Guidance over the next year, as announced in their blog post, and the call for views on the new chapter(s) of the Draft Guidance remains open until 16 September 2022, after which the ICO plans to consult on the full draft.
The next chapters are likely to focus on the following issues:
- accountability and governance requirements in the context of anonymisation and pseudonymisation (e.g. in relation to data protection by design and Data Protection Impact Assessments);
- anonymisation and pseudonymisation in the context of research;
- privacy enhancing technologies (PETs) and their effect on data sharing; and
- technological solutions, data sharing options and case studies to demonstrate best practice as well as how the guidance should be implemented.
Since topics are explored iteratively, it remains to be seen whether the ICO will revisit the above issues relating to pseudonymised data in the context of data sharing; we will be keeping an eye on this issue in the coming months.