On May 28, the ICO published a draft consultation of the first chapter of its guidelines on anonymization, pseudonymization and privacy enhancing technologies. Here is our summary of the key points.
The first chapter of the draft guidelines is a Introduction to anonymization which answers the questions:
• What is anonymous information? This is a link to the UK GDPR definition: “Information That” does not relate to a identified or identifiable natural person or personal data that has been anonymized in such a way that the person concerned Not or no longer identifiable‘.
• What is anonymization? this is that path in which you convert personal data into anonymous information.
• Is anonymization always necessary? No – sometimes it is necessary and legitimate to process personal data.
• Is anonymization always possible? No – in some cases, anonymization is effective because of the nature or context the data or the Purpose (s) for which you collect, use and keep them.
• What are the advantages of anonymization? Possible benefits are:
- it limits your privacy risks;
- it may enable you to share information with other organizations or the public;
- it supports the principle of Data minimization; and
• If we anonymize personal data, does it count as processing? Yes – processing includes all operations that are performed on information. • What is pseudonymization? It is a technique that replaces or removes information that identifies a person. You need to make sure that you keep the identifying information separately and place it appropriately technical and organizational controls in place. • What about “anonymized” personal data? This draft guidance states that the meaning of this term may vary depending on the circumstances and will be updated as future sections of the guidance are published. In the meantime, please note that the Data Protection Act 2018 is a Offense of Identify information again This is anonymized personal data without the consent of the person responsible. • What is the difference between anonymization and pseudonymization?
- Anonymization means that individuals are not identifiable and unrecognizable by any means quite likely to be used. Information is anonymous no personal data and data protection law does not apply.
- Pseudonymization means that persons cannot be identified from the data set itself, but can be identified with reference to other information is kept separately. Pseudonymous data are therefore still personal data and Data protection law applies.
• What are the advantages of pseudonymization? The guide explains that pseudonymization can simplify your privacy compliance in a number of areas, including:
- the principle of achieving Data protection through design; and
- Provision of a “suitable technical and organizational measure” that can bring about an improvement security.