We tend to find that clients are, rightly, nervous about the use of personal data. We regularly read about the latest fines being imposed by the Information Commissioner’s Office relating to unauthorised disclosures or lack of adequate security measures. No start up or SME can afford such hefty fines, either financially or publicity wise.

 

The lack of understanding from some organisations around what personal data actually means results in personal data being used unlawfully. However, it also means organisations may not be taking advantage of certain data in their possession. We come into contact with many data collection, analysis and aggregator businesses asking what exactly can they do with all their data, and are they likely to fall foul of the Data Protection Act.

Why anonymise?

All businesses need to know their customers. Understanding your customer’s habits and preferences can help create more suitable products or offers. You don’t always need to know a person’s name or have their contact details in order to effectively market to them. In any event, organisations should be wary of certain data collectors looking to sell databases loaded with personal data. Where did they get this information from and more importantly, have they got the express permission from the relevant data subjects to pass that personal data on? Given the requirements for obtaining consent from a data subject to pass on their personal data to third parties, the likely answer is “no”.

Disclosing the anonymous data

It is established legal authority that where personal data has been converted into an anonymous form which is subsequently disclosed, this will not amount to a disclosure of personal data. This is even the case if you are still holding such other parts of the data that, when combined with the anonymised data, would allow “re-identification” (i.e. the anonymous data becomes personal data once again by virtue of combining the two datasets).

Although the law is clear, the ambiguity lies with the data itself, and whether it has been properly anonymised or could still be considered personal data. That decision will ultimately rest with the organisation, but it’s important to note that there isn’t a requirement for anonymization to be completely risk free of re-identification – merely that the risk is remote. However, if the risk is reasonably likely, then the supposed anonymous information would still be considered personal data, and therefore will be captured under the Data Protection Act.

The risk of re-identification

It’s clearly very difficult to say with any certainty how likely certain anonymous data could be considered personal data because of the re-identification risk.

Understanding the definition of “Personal data” is important here: this is data which relates to a living individual who can be identified from that data, or from those data and other information which is in the possession of or is likely to come into the possession of, the data controller.

The definition means that analysing the risk of re-identification becomes one of understanding what other information might be “out there”, meaning what information might be available to other organisations or to the public in general. It becomes a question of assessing the risk now and in the future. Just because data is anonymous now does not automatically mean it will continue to be in the future, hence the importance of regular reviews of anonymous data that has been disclosed to ensure it remains so.

Although the Data Protection Act doesn’t provide guidance on how to determine the likelihood of re-identification, the Information Commissioner’s Office has developed a useful test called the “motivated intruder” test. The Information Commissioner’s guidance states that this “involves considering whether an ‘intruder’ would be able to achieve re-identification if motivated to attempt this”.

The guidance goes on: “The ‘motivated intruder’ is taken to be a person who starts without any prior knowledge but who wishes to identify the individual from whose personal data the anonymised data has been derived. This test is meant to assess whether the motivated intruder would be successful”.

The motivated intruder would not be assumed to have certain specialist skills or be able to resort to illegal practices such as hacking or burglary in order to obtain the information. Clearly in these scenarios, most anonymous data wouldn’t be safe! However, it would be assumed that the motivated intruder would have access to the internet, be able to use social media or the wealth of publicly available archives.

Do you need the permission of a data subject to create anonymous data?

In short, you don’t need consent to anonymise personal data. The Information Commissioner considers that creating anonymous data would be unlikely to cause that particular individual “unwarranted damage or distress”, which is the basis on which an individual would look to prevent the disclosure of their personal data.

Having said this, good practice would dictate to maintain the standards required by the Data Protection Act and the Information Commissioner, being the creation of an open and honest relationship with the individual and keep them informed of the use likely to be made. Most people reading this will be familiar with a privacy policy, which is supposed to be a document outlining an organisation’s compliance with the Data Protection Act and this includes information on what personal data is to be used for.