The Data Protection Act 2018 (which implements the General Data Protection Regulation 2016) (“UK GDPR”) applies to the ‘processing’ of ‘personal data’.
The term ‘processing’ is very broadly defined and covers almost anything that can be done with or to personal data, including accessing, transferring and storing that data (in hard copy or electronically). ‘Personal data’ are data (e.g. name, address, telephone number and email address) relating to a living person (known as the data subject) who can be identified from that data alone or in conjunction with other information that is in, or is likely to come into, the possession of the controller of that data (e.g. a company).
The UK GDPR recognises two other types of personal data:
- Anonymous data is data which doesn’t identify living individuals – so it is not personal data, and therefore not subject to the UK GDPR.
- Pseudonymised data is data that can’t be attributed to a specific individual without the use of additional information which is kept separate from it.
The UK GDPR states that “the principles of data protection should … not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” However, despite this statement, many view anonymised data as unsafe because even the most sophisticated techniques can be reversed or bypassed with the right data sets. Re-identification is therefore a key, and realistic, threat to anonymised data.
Pseudonymised data is referred to in much greater detail in the UK GDPR. ‘Pseudonymisation’ is defined as the ‘processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’. Thus personal data which has undergone pseudonymisation is still personal data and subject to the UK GDPR. As with anonymised data, re-identification is a key, and realistic, threat for pseudonymised data – but, unlike anonymised data, re-identification could happen in two ways:
- a data breach might enable an attacker to acquire the key or otherwise connect the pseudonymised data to individual identities; or
- even if the key is not acquired, an attacker may be able to identify individuals by linking attributes in the pseudonymised database (e.g. gender and date of birth) with other available information.
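As an added illustration (not part of the original article), the following Python models the definition above: direct identifiers are replaced with a keyed token, the lookup table that maps tokens back to identities is held separately, and the two re-identification routes are expressed as checks a controller can run rather than as attacks. Holding the separately kept lookup table trivially restores identities, and k-anonymity over the quasi-identifiers named in the text (gender and date of birth) measures how linkable the remaining records are. The records and the key are constructed sample values; HMAC-SHA256 is used here as one common choice of keyed token, not a technique the article prescribes.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people, not real data).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "gender": "F", "dob": "1985-03-12", "diagnosis": "asthma"},
    {"name": "Beth Example", "email": "beth@example.test", "gender": "F", "dob": "1985-07-30", "diagnosis": "eczema"},
    {"name": "Carl Example", "email": "carl@example.test", "gender": "M", "dob": "1990-01-05", "diagnosis": "asthma"},
    {"name": "Dan Example", "email": "dan@example.test", "gender": "M", "dob": "1990-11-20", "diagnosis": "migraine"},
]

DIRECT_IDENTIFIERS = ("name", "email")      # removed from the working data set
QUASI_IDENTIFIERS = ("gender", "dob")       # remain, and are what linkage exploits


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token.

    Returns (pseudonymised_rows, lookup_table). The lookup table is the
    'additional information' the UK GDPR says must be kept separately; the
    key is a constructed demo value and would live in a secrets store.
    """
    pseudonymised, lookup = [], {}
    for r in records:
        # Same key + same email -> same token, so one data subject keeps one pseudonym.
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = token
        pseudonymised.append(row)
    return pseudonymised, lookup


def reidentify(pseudonymised, lookup):
    """Route 1 from the text: anyone holding the lookup table restores identities at once."""
    return [dict(row, **lookup[row["pseudonym"]]) for row in pseudonymised]


def _qi_counts(rows, quasi_identifiers):
    return Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)


def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Smallest group of rows sharing identical quasi-identifier values.

    k == 1 means at least one row is unique on those attributes and can be
    singled out by linking against any outside data set that carries them
    (route 2 from the text).
    """
    return min(_qi_counts(rows, quasi_identifiers).values())


def unique_records(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Rows that are unique on the quasi-identifiers, i.e. the linkage-exposed ones."""
    counts = _qi_counts(rows, quasi_identifiers)
    return [row for row in rows if counts[tuple(row[q] for q in quasi_identifiers)] == 1]


def generalise_dob(rows):
    """One mitigation: coarsen date of birth to year only to enlarge the equivalence classes."""
    return [dict(row, dob=row["dob"][:4]) for row in rows]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    rows, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised:", rows[0])
    print("k on full DOB:", k_anonymity(rows), "unique rows:", len(unique_records(rows)))
    coarse = generalise_dob(rows)
    print("k on birth year:", k_anonymity(coarse), "unique rows:", len(unique_records(coarse)))
    print("with lookup table:", reidentify(rows, lookup)[0]["name"])
```

The point of the k-anonymity check is that removing names and emails is not the end of the work: on full dates of birth every constructed row is unique, so the data set is only as protected as the secrecy of the lookup table plus whatever auxiliary data is available to a linker. Coarsening the date of birth raises k, which is the kind of documented, reviewable measure the article's later section on policies and procedures has in mind.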
If done correctly, the process of pseudonymisation can help businesses comply with the UK GDPR because it:
- can reduce the risks to data subjects and help controllers and data processors meet their data protection obligations (it is not alone a sufficient technique to exempt data from the UK GDPR);
- is a central feature of the concept of privacy by design and default – pseudonymisation is a way of implementing appropriate technical and organisational measures to ensure appropriate data security;
- allows personal data to be processed for purposes other than that for which it was originally collected;
- could allow for relaxed data breach notification rules because pseudonymisation reduces the risks of harm to data subjects (notification of data breaches only needs to be made to the ICO and data subjects if the breach is likely to create a risk (high risk in the case of notification to data subjects) to the rights and freedoms of the data subject);
- could require less strict data subject access, rectification, erasure or data portability obligations if the controller can no longer identify a data subject; and
- allows greater flexibility to conduct data profiling (defined in the UK GDPR as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’).
Before the UK GDPR came into force the ICO had produced a “code of practice” on anonymisation. It has not updated this code of practice for the purposes of the UK GDPR, but its content is still relevant today and the ICO still recommends it as a good starting point. The ICO has yet to publish such extensive guidance on pseudonymous data. The European Data Protection Board has also not yet issued any guidance on anonymous or pseudonymous data.
What do businesses need to do now?
Neither anonymised data nor pseudonymised data is entirely risk free. Re-identification is possible with both, and businesses need to consider which is better for them. Effective and fully documented policies and procedures will need to be developed for both, and staff trained.
If you would like any further information or advice on anonymisation and pseudonymisation, or the UK GDPR generally, please contact us.
Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.