So, What is the Difference Between Pseudonymised and Anonymised Data

| General

So, What is the Difference Between Pseudonymised and Anonymised Data?

What Has Happened? 

On 7th February 2022, the Information Commissioner’s Office announced that it had set up a Consultation exercise to clarify some of the key data protection law concepts that have recently given lawyers their fair share of sleepless nights.

What Does It Mean?

The Information Commissioner’s consultation relates to the concepts of pseudonymisation, technology which is designed to beef-up privacy and anonymisation, all of which are contained in the third chapter of its guidance. The document answers some of the questions many lawyers have been asking and attempts to clear up the confusion.

The Information Commissioner confirmed that data protection laws are inapplicable to anonymised data because it does not explicitly relate to identifiable individuals or any one specific individual. The ICO clarified pseudonymised data and then explored the subtle differences between the two concepts. It explained that once pseudonymised data is processed, it diminishes the connection between the information and the identifiable subject. However, this has left some lawyers (not all) perplexed when confronted by this issue in practice because individuals cannot be directly identified from pseudonymised and anonymised data sets.

However, the difference is a subtle one. There is more than a slight possibility of the pseudonymised data being processed, collated and combined with data collected from various other sources of information. In reality, this means that the link between the pseudonymised data is not entirely extinguished. The ICO advised that the extra information collated and the actual data in question remained classified as “personal data”.

What Impact Could This Have on the Legal Profession?

Following the opening of this consultation exercise by the Information Commissioner’s Office and the publication of this document, lawyers should be paying close attention to the evidence provided throughout the consultation process and the outcome of the publication of applicable reports and/or legislative changes, which may materialise.

Cynthia O’Donoghue and Angelika Bialowas from Reed Smith Solicitors said the Information Commission has made it clear that pseudonymised information falling into the hands of another party does not automatically gain anonymity. Lawyers need to be warning their clients about the differences between the two subtly different concepts. They also need to consider this issue from a risk management perspective, especially from a data privacy and security viewpoint.

It would be worthwhile for private practice and in-house lawyers to consider the reasonable prospects of successfully identifying a data subject if data was collated and combined with the data in question. They will need to carefully consider the commercial resources available to allocate to this exercise in terms of the future technological developments, potential financial price to be paid and the possible enormous time resources to be allotted. They should also be following the suggested strategy set out by the Information Commissioner in the Consultation document by advising clients to set out their goals, risks such as threats and the methods they will use to pseudonymise the information. Clients should also be advised to effectively record the above information and decisions made in documentary form.

When entering the contracts, lawyers should explore this issue using a data security lens, lawyers should not forget about the data protection clauses and the Standard Contract clauses. They should also be contemplating, specifying and thinking about what may happen when the relevant sensitive information is transferred to the other party to the transaction. It will be sensible to enforce anonymisation and pseudonymisation through a contractual provision if necessary. This will go a long way to protecting the receiving party from regulatory or litigious action in the event of a breach.

Anyone interested in this topic should follow the consultation for any further developments. We have a newly appointed Information Commissioner, and this consultation could be the first of many decisive moves to come.

The Legists Content Team

Assessing Firm

#Bird&Bird #BristowsLLP #Fieldfisher #HoganLovells #HuntonAndrewKurthLLP #LinklatersLLP #Allen&Overy #BakerMcKenzie #CMS #Covington&BurlingLLP #Dentons #DLAPiper #EvershedSutherland #Lathan&Watkins #NortonRoseFulbright #PinsentMasonsLLP #TaylorWessingLLP #CliffordChance #DWF #HerbertSmithFreehills #MishcondeReyaLLP #Orrick. 

This Article was Written Using the Following Sources

[1] O’Donoghue, C and Bialowas – ICO Launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET – 14 February 2022 - ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET | Technology Law Dispatch

[2] Information Commissioners Office – Chapter 2 – How do we ensure anonymisation is effective – October 2021 - Chapter 2: How do we ensure anonymisation is effective? (ico.org.uk)

[3] Information Commissioners Office – Chapter 3 – Pseudonymisation – February 2022 - chapter-3-anonymisation-guidance.pdf (ico.org.uk)

[4] Section 3 of the Data Protection Act 2018

[5] Article 4(1) and 4(5) of the General Data Protection Regulation - Art. 4 GDPR – Definitions - General Data Protection Regulation (GDPR) (gdpr-info.eu)

[6] Article 5(1)(b) of the General Data Protection Regulation

[7] Article 6(4) of the General Data Protection Regulation -

[8] Article 25 of the General Data Protection Regulation

[9] Article 32 of the General Data Protection Regulation

[10] Article 89(1) of the General Data Protection Regulation

[11] Section 19 of the Data Protection Act 2018

[12] Section 57 of the Data Protection Act 2018

[13] Section 66 of the Data Protection Act 2018

[14] Section 103 of the Data Protection Act 2018

[15] Section 107 of the Data Protection Act 2018

[16] Section 170 of the Data Protection Act 2018

[17] Section 171 of the Data Protection Act 2018

[18] Section 172 of the Data Protection Act 2018

[19 Article 34 of the General Data Protection Regulation - Art. 34 GDPR – Communication of a personal data breach to the data subject - General Data Protection Regulation (GDPR) (gdpr-info.eu)

[20] Standard Contractual Clauses (SCC) – European Commission - Standard Contractual Clauses (SCC) | European Commission (europa.eu)

[21] European Union Agency For Cybersecurity – Recommendations on shaping technology according the GDPR provisions – An overview on data pseudonymisation - Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation — ENISA (europa.eu)

[22] European Union Agency For Cybersecurity – Data Pseudonymisation: Advanced Techniques and Use Cases - Data Pseudonymisation: Advanced Techniques and Use Cases — ENISA (europa.eu)

banner

Articles

  • Conquering the Capital Markets - The Breakdown

    Conquering the Capital Markets - The Breakdown

    General 09.07.2024

    The capital market is where companies and governments raise long-term funds. It is a place where investors buy and sell financial securities like stocks and bonds. These markets play a crucial role in

  • Issue Bonds or Take Out a Loan?

    Issue Bonds or Take Out a Loan?

    General 05.07.2024

    A bond is like an ‘I-O-U’ issued by a company or government when they want to borrow money. When you buy a bond, you are lending money to the issuer in exchange for periodic interest payments and

Stay Tuned

Receive regular news, updates, upcoming events and more...