The ICO Code of Conduct on Data Exchange, released earlier this year, was intended to provide organizations with practical guidance on data exchange under the Data Protection Act that we wrote about earlier here.
The ICO is aware that the exchange of data encompasses many other dimensions and that the guidelines are therefore continuously updated. As part of this, the ICO outlined its plans to update its guidelines on anonymization and pseudonymization, as well as research into privacy-enhancing technologies. The updated guidance will help with some of the challenges organizations may face, such as: B. in determining whether the data is personal or anonymous information and in providing appropriate controls that should be put in place.
The most important topics to be covered are:
- Anonymization and legal and governance issues in their application;
- Identifiability, including guidelines on how to manage the risk of re-identification and concepts such as “reasonably likely” and “motivated intruder testing”;
- Pseudonymization techniques and practices;
- Anonymization and pseudonymization requirements for accountability and governance, including data protection by design and data protection impact assessments;
- Anonymization and pseudonymization in research contexts;
- Guidelines on privacy enhancing technologies;
- Technological solutions and best practices for implementation; and
- Data sharing options and case study examples to help organizations choose the right data sharing measures.
The formal guidelines will follow in the coming months as the ICO seeks feedback and insights from key stakeholders, industry members and academics in order to best understand the practical challenges and update the guidelines accordingly. The ICO will publish the guide chapter by chapter. Once the guidelines are published, the ICO will welcome feedback and input leading up to its main public consultation. You can get in touch with the ICO by emailing your input on the first work [email protected].