Information Commissioner's Office
Blog: Building on the data sharing code – our plans for updating our anonymisation guidance
Data is the lifeblood of the digital economy, and the sharing of personal data is key to opening up new opportunities. Data shared in healthcare environments can map out trends and provide new insights to improve patient care, while in the financial sector, data sharing can help to protect against money laundering and ensure individuals are protected from fraud.
In our experience, organisations want to use and share data in a safe and legally compliant way, but can be uncertain around how to do this. That’s why we’ve got clear guidance, to help build confidence in decision making around data sharing - we know that when data is shared properly, it can lead to real benefits.
The recent ICO Data Sharing Code of Practice provides organisations with a practical guide on how to share personal data in line with data protection law. However, we recognise there are other dimensions to data sharing. The code is not a conclusion, but a milestone in this ongoing work. We will continue to provide clarity and advice in how data can be shared in line with the law.
Building on this promise, we are now outlining our plans to update our guidance on anonymisation and pseudonymisation, and to explore the role that privacy enhancing technologies might play in enabling safe and lawful data sharing. We recognise that questions about when data is personal data or anonymous information are some of the most challenging issues organisations face.
Our refreshed guidance will assist organisations in meeting these challenges. We will set out our views on approaches like the spectrum of identifiability, and how these can be practically applied. We will provide advice on how to assess the appropriate controls that need to be in place and we will be grounding our guidance in practical steps organisations can take.
The key topics we will be exploring include:
- Anonymisation and the legal framework – legal, policy and governance issues around the application of anonymisation in the context of data protection law;
- Identifiability – outlining approaches such as the spectrum of identifiability and their application in data sharing scenarios, including guidance on managing re-identification risk, covering concepts such as the ‘reasonably likely’ and ‘motivated intruder’ tests;
- Guidance on pseudonymisation techniques and best practices;
- Accountability and governance requirements in the context of anonymisation and pseudonymisation, including data protection by design and DPIAs;
- Anonymisation and research - how anonymisation and pseudonymisation apply in the context of research;
- Guidance on privacy enhancing technologies (PETs) and their role in safe data sharing;
- Technological solutions – exploring possible options and best practices for implementation; and
- Data sharing options and case studies – supporting organisations to choose the right data sharing measures in a number of contexts including sharing between different organisations and open data release. Developed with key stakeholders, our case studies will demonstrate best practice.
How can you engage with us?
Over the coming months we will be exploring these topics iteratively, and will be sharing our thinking ahead of issuing formal guidance.
Our approach will include gathering insight and feedback from industry, academia and other key stakeholders to better understand the real world challenges and where our guidance can be most effectively targeted.
We’ll be publishing each chapter of our guidance and calling for your views before our main public consultation. Your input at the early stages can make a real difference and we are inviting you to contribute by providing feedback.
You can contact us about our initial work in this area by emailing firstname.lastname@example.org.
Latest News from
Information Commissioner's Office
How modern data protection is helping to unlock the power of data13/05/2021 12:25:00
Elizabeth Denham’s keynote speech on the regulator’s view, delivered at the Data and the Future of Financial Services 2021 conference.
ICO and Office of the Privacy Commissioner, New Zealand, sign Memorandum of Understanding12/05/2021 15:15:00
The Information Commissioner’s Office (ICO) and the New Zealand Office of the Privacy Commissioner (OPC) have today signed a Memorandum of Understanding (MOU).
Blog: Work on updating the ICO’s Journalism code continues10/05/2021 09:10:00
Blog posted by: Anulka Clarke, Acting Director of Regulatory Assurance, 07 May 2021.
Five things we learned from DPPC 202107/05/2021 15:20:00
The ICO’s Data Protection Practitioners’ Conference 2021 was held this week, bringing together more than 3,000 data protection professionals from across the country.
Data Protection Practitioners’ Conference 202105/05/2021 14:15:00
Elizabeth Denham’s speech at the Data Protection Practitioners’ Conference on 5 May 2021
Digital Regulatory Cooperation Forum’s response to DCMS on the future of the digital regulatory landscape05/05/2021 12:05:00
The Digital Regulatory Cooperation Forum (DRCF) has submitted its response to the Department of Digital, Culture, Media and Sport (DCMS) on the future of the digital regulatory landscape and how to achieve coherence in regulatory approaches across digital services.
Blog: Free advisory check-ups help small businesses make the best use of their data30/04/2021 16:25:00
A blog from Syed Ali, Lead Engagement and Regulatory Assurance Officer
Data protection is an enabler for trust and confidence in the implementation of digital identity systems23/04/2021 12:25:00
Blog posted by: Steve Wood, Deputy Commissioner (Executive Director, Regulatory Strategy), 22 April 2021.
How the ICO Innovation Hub is enabling innovation and economic growth through cross-regulatory collaboration21/04/2021 14:20:00
The COVID-19 pandemic has changed work for so many of us around the world; forcing innovation and new ways of working. And that’s just as true for regulators – we’ve had to adapt to develop new ways to support organisations.