Anonymous means NO identifying element left behind – EU handbook

Different test from UK's ICO, which doesn't require 'risk-free' anonymisation

A new handbook on European data protection laws contains a different test from the one used by the UK's Information Commissioner's Office (ICO) for determining whether data is personal or anonymised for the purposes of data protection law.

The new handbook (214-page/3.08MB PDF) has been issued jointly by the European Union Agency for Fundamental Rights, the Council of Europe and the Registry of the European Court of Human Rights. European Commission officials responsible for data protection matters and the European Data Protection Supervisor also had an input in its drafting.

The document is non-binding but is designed to "raise awareness and improve knowledge of data protection rules in European Union and Council of Europe member states". The Council of Europe (CoE) promotes collaborative legal standards in the areas of human rights between all European countries. It has 47 member countries and is separate from the EU.

EU data protection rules apply to the personal data of living "data subjects". The rules do not apply where that data has been anonymised.

Absolute anonymisation has become increasingly difficult in recent times due to the increasing volumes of data being generated and the availability of powerful technologies that allow information from one data set to be linked to information elsewhere.

A code of practice issued by the ICO in November 2012 accounted for this discrepancy between full anonymisation and "anonymisation" for the purposes of setting aside the application of data protection laws to data.

The ICO explained that the Data Protection Act (DPA) in the UK "does not require anonymisation to be completely risk free". It said that providing there is no more than a "remote" chance that data subjected to anonymisation measures can be traced back to individuals then, for the purposes of the law, that data would be treated as having been anonymised and no longer constituting "personal" data.

"If the risk of identification is reasonably likely the information should be regarded as personal data," the ICO said.

The watchdog's code made clear that the ICO would be unlikely to take enforcement action against organisations that disclose data they believe to have been anonymised when in fact it was not, where those organisations could show they had "made a serious effort to comply with the Data Protection Act (DPA) and had genuine reason to believe that the data it disclosed did not contain personal data or present a re-identification risk".

However, the new data protection handbook issued by the three European bodies contains a different test for defining when personal data can be said to have been anonymised.

"Data are anonymised if all identifying elements have been eliminated from a set of personal data," according to the handbook. "No element may be left in the information which could, by exercising reasonable effort, serve to re-identify the person(s) concerned. Where data have been successfully anonymised, they are no longer personal data."

The effort required to connect so-called anonymised data to an individual is something that the Hamburg data protection authority has said it considers when assessing whether data is anonymised for the purposes of deciding whether data protection laws should apply to it.

"Our general stance towards anonymisation is not far off of that of our British colleagues," a spokesman for the Hamburg authority told Out-Law.com previously. "German privacy law defines 'rendering anonymous' as 'the alteration of personal data so that information concerning personal or material circumstances cannot be attributed to an identified or identifiable natural person or that such attribution would require a disproportionate amount of time, expense and effort'.

"It is therefore acknowledged that the absolute impossibility for re-identification in practice cannot always be achieved. Obviously this is addressed by the ICO in terms of a 'remote risk' remaining," he added.

Many organisations that collect personal data anonymise that information after they no longer have need for the information in personalised form. Anonymised data, unlike personal data, can be retained by businesses for as long as they like or sold or shared freely with other organisations without that activity being governed by sometimes restrictive data protection rules.

Anonymised data can be helpful to businesses for analytic purposes, to identify trends and general consumer behaviour.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
