On 7th February 2022, the Information Commissioner’s Office announced that it had set up a Consultation exercise to clarify some of the key data protection law concepts that have recently given lawyers their fair share of sleepless nights.
The Information Commissioner’s consultation relates to the concepts of pseudonymisation, technology which is designed to beef-up privacy and anonymisation, all of which are contained in the third chapter of its guidance. The document answers some of the questions many lawyers have been asking and attempts to clear up the confusion.
The Information Commissioner confirmed that data protection laws are inapplicable to anonymised data because it does not explicitly relate to identifiable individuals or any one specific individual. The ICO clarified pseudonymised data and then explored the subtle differences between the two concepts. It explained that once pseudonymised data is processed, it diminishes the connection between the information and the identifiable subject. However, this has left some lawyers (not all) perplexed when confronted by this issue in practice because individuals cannot be directly identified from pseudonymised and anonymised data sets.
However, the difference is a subtle one. There is more than a slight possibility of the pseudonymised data being processed, collated and combined with data collected from various other sources of information. In reality, this means that the link between the pseudonymised data is not entirely extinguished. The ICO advised that the extra information collated and the actual data in question remained classified as “personal data”.
Following the opening of this consultation exercise by the Information Commissioner’s Office and the publication of this document, lawyers should be paying close attention to the evidence provided throughout the consultation process and the outcome of the publication of applicable reports and/or legislative changes, which may materialise.
Cynthia O’Donoghue and Angelika Bialowas from Reed Smith Solicitors said the Information Commission has made it clear that pseudonymised information falling into the hands of another party does not automatically gain anonymity. Lawyers need to be warning their clients about the differences between the two subtly different concepts. They also need to consider this issue from a risk management perspective, especially from a data privacy and security viewpoint.
It would be worthwhile for private practice and in-house lawyers to consider the reasonable prospects of successfully identifying a data subject if data was collated and combined with the data in question. They will need to carefully consider the commercial resources available to allocate to this exercise in terms of the future technological developments, potential financial price to be paid and the possible enormous time resources to be allotted. They should also be following the suggested strategy set out by the Information Commissioner in the Consultation document by advising clients to set out their goals, risks such as threats and the methods they will use to pseudonymise the information. Clients should also be advised to effectively record the above information and decisions made in documentary form.
When entering the contracts, lawyers should explore this issue using a data security lens, lawyers should not forget about the data protection clauses and the Standard Contract clauses. They should also be contemplating, specifying and thinking about what may happen when the relevant sensitive information is transferred to the other party to the transaction. It will be sensible to enforce anonymisation and pseudonymisation through a contractual provision if necessary. This will go a long way to protecting the receiving party from regulatory or litigious action in the event of a breach.
Anyone interested in this topic should follow the consultation for any further developments. We have a newly appointed Information Commissioner, and this consultation could be the first of many decisive moves to come.
Assessing Firm
#Bird&Bird #BristowsLLP #Fieldfisher #HoganLovells #HuntonAndrewKurthLLP #LinklatersLLP #Allen&Overy #BakerMcKenzie #CMS #Covington&BurlingLLP #Dentons #DLAPiper #EvershedSutherland #Lathan&Watkins #NortonRoseFulbright #PinsentMasonsLLP #TaylorWessingLLP #CliffordChance #DWF #HerbertSmithFreehills #MishcondeReyaLLP #Orrick.
This Article was Written Using the Following Sources
[1] O’Donoghue, C and Bialowas – ICO Launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET – 14 February 2022 - ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET | Technology Law Dispatch
[2] Information Commissioners Office – Chapter 2 – How do we ensure anonymisation is effective – October 2021 - Chapter 2: How do we ensure anonymisation is effective? (ico.org.uk)
[3] Information Commissioners Office – Chapter 3 – Pseudonymisation – February 2022 - chapter-3-anonymisation-guidance.pdf (ico.org.uk)
[4] Section 3 of the Data Protection Act 2018
[5] Article 4(1) and 4(5) of the General Data Protection Regulation - Art. 4 GDPR – Definitions - General Data Protection Regulation (GDPR) (gdpr-info.eu)
[6] Article 5(1)(b) of the General Data Protection Regulation
[7] Article 6(4) of the General Data Protection Regulation -
[8] Article 25 of the General Data Protection Regulation
[9] Article 32 of the General Data Protection Regulation
[10] Article 89(1) of the General Data Protection Regulation
[11] Section 19 of the Data Protection Act 2018
[12] Section 57 of the Data Protection Act 2018
[13] Section 66 of the Data Protection Act 2018
[14] Section 103 of the Data Protection Act 2018
[15] Section 107 of the Data Protection Act 2018
[16] Section 170 of the Data Protection Act 2018
[17] Section 171 of the Data Protection Act 2018
[18] Section 172 of the Data Protection Act 2018
[19 Article 34 of the General Data Protection Regulation - Art. 34 GDPR – Communication of a personal data breach to the data subject - General Data Protection Regulation (GDPR) (gdpr-info.eu)
[20] Standard Contractual Clauses (SCC) – European Commission - Standard Contractual Clauses (SCC) | European Commission (europa.eu)
[21] European Union Agency For Cybersecurity – Recommendations on shaping technology according the GDPR provisions – An overview on data pseudonymisation - Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation — ENISA (europa.eu)
[22] European Union Agency For Cybersecurity – Data Pseudonymisation: Advanced Techniques and Use Cases - Data Pseudonymisation: Advanced Techniques and Use Cases — ENISA (europa.eu)
General 13.11.2023
In mid-March 2023 the Health and Safety Executive handed down a financial sanction to a wheel-making enterprise after a member of the workforce sustained vibration injuries whilst using work-related
General 11.11.2023
In late February 2023 the Judicial Conduct Investigations Office handed down its decision in the form of what it termed formal advice for misconduct to a person operating in her capacity as a member
General 10.11.2023
In early March 2023, TELUS Health released its report into the public domain which seems to highlight the increasing worries from the age twenty demographic when reporting mental health issues to
Receive regular news, updates, upcoming events and more...
Please complete all the required fields.
Please provide a valid email address.
