Anonymisation
Contents
-
Introduction to anonymisation
- What is personal data?
- What is anonymous information?
- What is anonymisation?
- Is anonymisation always necessary?
- Is anonymisation always possible?
- What are the benefits of anonymisation?
- If we anonymise personal data, does this count as processing?
- What is the difference between anonymisation and pseudonymisation?
- What about ‘de-identified’ personal data?
-
How do we ensure anonymisation is effective?
- What should our anonymisation process achieve?
- What is identifiability?
- What are the key indicators of identifiability?
- What is the “spectrum of identifiability”?
- What does data protection law say about assessing identifiability risk?
- How should we approach this assessment?
- What factors should we include?
- Do we need to consider who else may be able to identify people from the data?
- Can we anonymise within our organisation?
- What is the “motivated intruder” test?
- How do we apply the motivated intruder test?
- When should we review our identifiability risk assessments?
- How do we decide when and how to release data?
- What approaches can we take to anonymisation?
-
Psedonymisation
- What is pseudonymisation?
- Is pseudonymised data still personal data?
- What are the benefits of pseudonymisation?
- How can pseudonymisation help us to reduce risk?
- Can pseudonymisation help us process data for other purposes?
- Are there any offences relating to pseudonymisation?
- How should we approach pseudonymisation?
- What pseudonymisation techniques should we use?
- How should we assess the risk of attackers reversing pseudonymisation?
- What organisational measures should we consider for pseudonymisation?
-
What accountability and governance measures do we need?
- What governance approach should we take?
- Who should be responsible for our anonymisation process?
- Why do we want to anonymise personal data?
- How should we work with other organisations?
- What type of disclosure is it?
- How should we identify potentially difficult cases?
- How should we ensure transparency?
- How should we ensure appropriate staff training?
- How should we mitigate identification risk due to a security incident?
- What other legal considerations apply?
-
Case studies