ICO publishes code of practice for anonymizing data

The Information Commissioner's Office has published guidelines describing best practices for handling anonymous data.
Written by Charlie Osborne, Contributing Writer

The ICO has published its data protection code of practice (.pdf), which aims to help businesses and consumers understand individual privacy legislation.


As more and more data is placed in the public domain -- anonymous but in vast quantities thanks to the falling cost of storing and analyzing information, otherwise known as Big Data -- it's important for guidelines to be in place to keep public services in line and to make sure consumers understand their rights.

However, it has to be noted that the code of practice is only a suggestion, and not law, although it does include guidelines to tackle a swathe of legal issues that could trip up businesses which store data.

Christopher Graham, U.K. Information Commissioner, said:

"Failure to anonymise personal data correctly can result in enforcement action from the ICO. However we recognise that anonymized data can have important benefits, increasing the transparency of government and aiding the UK's widely regarded research community.

We hope today's guidance helps practitioners to protect privacy and enable the use of data in exciting and innovative ways. We would also like to thank those people who took part in our recent consultation and helped today’s code of practice become a reality."

The guidelines give practitioners information on how the risks of anonymizing data relate to data protection and the identification -- mistaken or otherwise -- of individuals. They also include examples of how successful anonymization can be achieved, for reasons including research in the public sector or medical field.

In addition, the report details how identities can remain concealed when responding to Freedom of Information Act (FOI) requests, and how best to use data collection in market research without breaching the U.K.'s Data Protection Act.

Any corporation or organisation is required to comply with the U.K.'s Data Protection Act, which states that data must be fairly and lawfully processed, processed for limited uses, accurate, adequate, up-to-date and "not excessive", and kept only as long as is necessary. Data must also be kept secure and "not transferred to other countries without adequate protection."

However, the ICO does say that if an entity has taken steps to conceal the identity of individuals in anonymous data, it will not be considered in breach of the DPA even if the protection against identification is not completely foolproof and "risk-free."

"Clearly, 100% anonymisation is the most desirable position," the guidelines say. "[...] and in some cases this is possible, but it is not the test the DPA requires".

Additionally, a new website relating to data protection is due to launch next year, from the U.K. Anonymisation Network (UKAN), which will keep online users informed of any changes in data protection legislation and guidelines.
