As business and society become ever more data-rich, data minimisation techniques equally become increasingly important. In August 2016, the Data Protection Commissioner ("DPC") published guidance on the use of data anonymisation and pseudonymisation. This follows similar guidance published by EU regulators in 2014.
The DPC's guidance focuses on the effectiveness of anonymisation techniques and provides recommendations for organisations wishing to use these techniques. Given that the Data Protection Acts 1988 and 2003 (the "Acts") are silent on this point, each organisation must ensure that the techniques it uses are sufficiently robust to avoid the identification of individuals.
The new guidance acts as a useful resource for organisations that already use anonymisation and pseudonymisation techniques. Similarly, it is also instructive for organisations wishing to make use of those techniques, especially given the incentives for organisations to use pseudonymisation techniques under the General Data Protection Regulation ("GDPR").
We take a look at some key points from the DPC's guidance note.
What are anonymisation and pseudonymisation?
Anonymisation of data is a technique used to irreversibly prevent an individual being identified from that data. Pseudonymisation, on the other hand, is not a method of anonymisation. Instead, it is a method of replacing one attribute in a record,such as a name, with another, such as a unique number Given this, pseudonymisation still allows an individual to be identified, but indirectly.
Importantly, the DPC warns that while pseudonymisation is a useful security measure, pseudonymised data remains 'personal data'.as defined in the Acts. Despite this, the DPC recognises that effectively anonymised data identified is not personal data and therefore falls outside the scope of the Acts.
The scope of 'personal data'
In the DPC's view, the threshold for truly anonymised data is extremely high. To meet this threshold, organisations must take appropriate steps to ensure that individuals are not identified by or identifiable from the data in question. In other words, organisations must ensure that the information can no longer be considered personal data.
In order to determine whether an individual is identified or identifiable, the DPC suggests that organisations should consider whether a person can be distinguished from other members of a group. According to the DPC, a person is identifiable even if identification...