
What accountability and governance measures do we need?


At a glance

  • When producing and disclosing anonymous information, you should take a comprehensive approach to governance.
  • Being clear about processes, responsibilities and oversight makes compliance easier.
  • You should use a DPIA to help you structure and document your decision-making processes around anonymisation, and to identify risks to rights and freedoms and the strategies for mitigating them.
  • You must be clear about how and why you intend to anonymise.
  • You should work with other organisations who are likely to be processing, and possibly disclosing, other information that may affect the effectiveness of your anonymisation.
  • You should consider how different forms of anonymous information can pose different identifiability risks, and choose an appropriate release model to mitigate them.
  • You should plan for cases where it may be difficult to assess identifiability risk, and implement appropriate risk mitigation measures.
  • Demonstrating transparency when processing anonymous information promotes people’s trust and mitigates the risk of any negative public opinion of the processing.
  • You should ensure decision-makers clearly understand the latest technological and legal developments and best practices, so that your anonymisation is effective.
  • You should think about any other legal considerations that may be relevant to your anonymisation processes and decision-making.

In detail

What governance approach should we take?

If you anonymise personal data, the accountability principle of the UK GDPR requires you to address the practical issues surrounding the production, and any disclosure, of this information in your governance approach.

Establishing an appropriate governance structure can improve your data management, record-keeping and disclosures of data. In addition, it is useful if you need to demonstrate compliance to the ICO.

We are less likely to carry out enforcement action, including monetary penalties, if you can demonstrate that you:

  • made a serious effort to comply with data protection law; and
  • had a genuine reason to believe that the information was not personal data (ie by showing that identifiability risk was sufficiently remote).  

You should cover the following areas in your governance structure: 

  • How will you plan for anonymisation?
    • Who is responsible for your anonymisation process?
  • How will you identify and mitigate anonymisation risks?
    • Have you completed your data protection impact assessment (DPIA)?  
    • Why do you intend to anonymise personal data?
    • How will you work with other organisations, where necessary?  
    • Will you use a trusted third party (TTP)?  
    • What are the relevant considerations for the type of disclosure, including limited access safeguards?
    • How will you identify and manage potentially difficult cases?
    • How will you ensure transparency?
  • How will you ensure anonymisation remains effective?
    • How will you keep updated with relevant changes to the legal framework (including guidance and case law) and technological developments?
    • How will you ensure appropriate staff training?
    • How will you approach identification testing?
  • How will you consider other relevant legislation?
    • Do any other legal considerations apply?

You must document your key decisions and the rationale for them as part of your accountability obligations.  

Who should be responsible for our anonymisation process?

You should make sure that someone of sufficient seniority oversees your anonymisation process and decision-making. This may be a single person or a group of authorised people, depending on your circumstances.

They could work closely with your DPO (if you are required to have one) to seek their advice and guidance. They should have an appropriate understanding of:

  • the circumstances of both your process and any intended disclosure; and  
  • relevant technical and legal considerations. 

Data protection law does not specify who this person may be or what their formal role is. The important point is that they have appropriate authority.

For some organisations, it can be particularly useful to adopt a Senior Information Risk Owner (SIRO) approach. In this context, the SIRO:  

  • takes responsibility for key decisions and informs your general approach to anonymisation; 
  • consults with your DPO to obtain their independent expert advice;
  • coordinates a corporate approach to anonymisation, drawing on relevant expertise from within and outside your organisation; and 
  • helps you decide on suitable forms of disclosure (ie publication or limited access). 

Why do we want to anonymise personal data?

The act of anonymising personal data is itself processing of that data (for example, adaptation or alteration). This means you must be clear about how and why you’re doing it.

So when you anonymise, you must define your purpose for doing so and the technical and organisational measures to achieve it. As a key consideration, you should clarify the context and purposes for anonymising.  

This is because anonymisation may be: 

  • an aspect of your overall processing activities; or
  • the overall purpose of your processing. 

Whether this is the case depends on your circumstances, so you must be clear on when you intend to anonymise and why.  

Anonymisation as part of your processing activities

If anonymisation is part of your overall processing activities, it can be a way to comply with the data protection principles. For example, to comply with the principles of data minimisation and storage limitation, you must:

  • only collect the personal data you need for your purpose; and  
  • keep it in a form that only identifies people for the time you need to achieve that purpose.  

Once you achieve your purpose, you must either erase or anonymise the personal data, depending on your circumstances.  

In these situations, anonymisation may simply be something that you do as part of the processing and as a way of complying with the law. As long as your anonymisation is effective, data protection law does not apply if you subsequently use the anonymous information.  

In many cases, processing personal data to anonymise it is likely to be compatible with the original purpose(s) you collected it for, unless:  

  • there is a reasonable expectation from a person that you will retain the data in identifiable form; or  
  • when you collected it, you told them you intended to keep it in that form.  

Anonymisation as part of your purpose

Anonymisation may itself be a way for you to achieve the purpose you originally collected personal data for.

For example, if your purpose is to generate aggregate statistical information about how people engage with your service, you may need to collect information about what each one does first.  

The information you collect in this case is likely to be personal data as it relates to actions and behaviours that specific people take. You must be clear with someone that this is why you want to collect their data. 

How should we work with other organisations?

If you are planning to disclose any anonymous information, you should work with other organisations likely to be processing, and possibly disclosing, other information which might allow the identification of someone that the anonymous information relates to.  

A joined-up approach with other organisations in your sector, or those doing similar work, allows you to assess the risks collectively and agree mitigations, where appropriate.    

Example

Public authority A is planning to link education data with constituency data provided by public authority B.

They are doing this so that researchers can study the relationship between education and voting, with both using similar geographical units.

Both authorities can then assess the risks of identification jointly.

Further reading – ICO guidance

Our guidance on the research provisions provides further information on purpose limitation in research.

Using a trusted third party (TTP) or trusted research environment (TRE) is one way of working with other organisations in a trusted environment.

What type of disclosure is it?

Different types of disclosure can pose different risks. Generally, there are two main types of disclosure:

  • Open release - where data is made available to anyone to access, use and share.
  • Limited access - where data is made available only to a restricted group.

You should differentiate between these types of release when considering making anonymous information available.

Limited access may allow the disclosure of ‘richer’ data among a restricted group (for example, a closed community of researchers). The data can have a higher level of utility, and it is also possible to restrict the further disclosure or use of the data, or to provide better guarantees about its security.

However, the success of limited access relies on robust governance measures governing the disclosure.

Limited access is particularly appropriate for handling anonymous information derived from sensitive source material (eg special category data). There can still be risks with limited access. For example, further disclosure outside the group or for purposes beyond what has been agreed.

You should mitigate these risks by ensuring that you disclose anonymous information in a closed community with clear, established rules (including around data minimisation).

What limited access safeguards should we consider?

When you disclose data to a restricted group (eg one or a small number of organisations), you should take steps to prevent further disclosure. For example:

  • use contractual controls; and
  • apply robust technical and organisational measures to support those controls. 

Before you make the anonymous information available, you should put robust safeguards in place, including: 

  • purpose limitation – establishing that the recipient(s) can only use the anonymous information for an agreed purpose or set of purposes;
  • training recipients’ staff who will have access to the data (eg on security and data minimisation principles);
  • security checks of those who will access the data;
  • controls over the ability to bring other data into the environment to manage identifiability risks arising from linkage or association;
  • limiting data use to a particular project or set of projects;
  • restricting disclosure of the data outside the limited access environment;
  • prohibiting attempts at re-identification;
  • ensuring appropriate measures are in place to destroy any accidentally re-identified personal data;
  • implementing appropriate technical and organisational security measures, including confidentiality agreements for those who will access the data (including your staff);
  • restricting access to the data (eg by applying appropriate encryption techniques and access control policies);
  • limiting the number of copies of the data to what is necessary for the purposes of the disclosure;  
  • arranging for the destruction or return of the data and confirmation that this has been done once the project is complete; and
  • imposing appropriate penalties if any recipient breaches the conditions placed on them (eg as part of contractual requirements).  

To decide which of these apply, you should conduct your own risk assessment. This could involve your normal data security risk assessment processes. You should also co-ordinate with the other parties involved in the project to establish whether you require additional security measures.

What about publication under licence?

Once you publish data under an open licence, it may be impossible to protect it from further use or to keep it secure.

Most open data licensing models (for example, the Open Government Licence (OGL), Creative Commons or Open Data Commons) are clear that those who use the information are not allowed to do so in a way that enables identification to take place.

However, in practice this may be difficult to enforce. So, you should ensure that your anonymisation processes and identifiability risk assessments are sufficiently robust to mitigate likely identification attacks.

Further reading

The UK Data Service provides further guidance on the terms of use for various public-sector licensing structures (external link).

How should we identify potentially difficult cases?

Anonymisation can be ineffective due to several factors, for example:

  • you were not aware of other sources of data that could be matched to your dataset; or
  • technological developments mean that the anonymisation techniques you applied are no longer effective (eg the emergence of new attacks or increased computational power). 

You should consider whether alternative state-of-the-art techniques are available to ensure that the data is effectively anonymised and the risks of identification are mitigated by any technical and organisational measures.

You should also cater for other risks relating to the use of anonymous information in your governance approach, particularly use for other purposes which may not be compatible with the original purpose. For example, you should:

  • only use anonymous information in ways people would reasonably expect;
  • consider whether people would reasonably expect you to retain the data in identifiable form; and
  • assess whether turning personal data into anonymous information affects people (for example, if you use the anonymous information to make decisions about them or to decide how you treat them), and how you can justify any adverse impact.

The level of risk depends on the nature and context of the processing. For example, special category data, such as someone’s health status or ethnicity, is particularly sensitive and carries additional risks. So, you must account for this when you anonymise it due to the possible impact on people if they are re-identified.  

You should perform a DPIA to consider and mitigate the risk of using anonymous information when you make decisions or take actions about an identifiable person which may lead to detrimental effects on them. For example: 

  • using anonymous information which may result in discrimination or financial loss to people; and
  • using anonymous information with poor analytical value. For example, anonymous information related to demographic characteristics which introduce bias. In this case, you should consider whether it is possible to adjust the level of accuracy while ensuring it remains anonymous.  

How should we ensure transparency?

People have the legal right to know how and why you are processing their data. You must explain your approach to anonymisation as clearly as possible in your privacy notice, including any consequences it may have. You must make the policy clear and easily accessible.  

Demonstrating transparency about the generation and intended uses of anonymous information also promotes people’s trust and mitigates the risk of any negative opinion of the processing.  

In particular, you should:  

  • tell people why you anonymise personal data;
  • describe how you do this, in accessible terms (taking care not to undermine the effectiveness of your anonymisation process);  
  • say what safeguards are in place to minimise the risk that may be associated with producing anonymous information. In particular, you could explain whether you intend to make the anonymous information publicly available or only disclose it to a limited number of recipients;
  • be open with people about any risks of the anonymisation you are carrying out, your use of the anonymised information, and the possible consequences of this. You could give them the opportunity to submit queries or comments about this; and
  • publicly describe your reasoning for publishing anonymous information and explain:
    • how you did the ‘weighing-up’;
    • what factors you took, or did not take, into account and why; and
    • how you looked at identification ‘in the round’.

If you are a public authority, then you must include your FOIA, EIR and RPSI obligations in your privacy notice, as appropriate. You can publish anonymised information in response to a request (or if you are making it proactively available as part of your publication scheme).

You could also consider publishing any DPIAs or relevant reports about your anonymisation. You could remove certain information if needed, or publish a summary.

You should also review the consequences of your anonymisation programme, particularly through analysing any feedback. You should make this an ongoing activity. For example, technological developments may impact the effectiveness of your techniques and the outcome of any assessment of identifiability risk over a period of time.  

You should be able to analyse and deal with any complaints or queries people make to you.

Further reading – ICO guidance

Our guidance on the right to be informed provides further information on the information you should include in a privacy notice. 

How should we ensure appropriate staff training?

Members of your staff involved in decisions about creating and disclosing anonymous information should have a clear understanding of:  

  • the legal definition of anonymisation;
  • the anonymisation techniques you use;
  • any risks involved; and 
  • how to mitigate these risks.  

In particular, staff members should understand their specific roles in ensuring anonymisation is done effectively.

You should devise a training plan that:

  • maps out the appropriate level of training needed; and
  • includes professional development to ensure staff remain suitably competent. 

As part of your plan, you should consider training on:

  • data protection, information governance, and information security; and
  • the application of state-of-the-art anonymisation tools and techniques.

An effective training plan can mitigate the risk of mistakes that might compromise the effectiveness of your anonymisation process. It ensures that only people with the right motivation and skills perform anonymisation and also helps to build and maintain people’s trust and confidence. 

Further reading outside this guidance

Other relevant publications and online resources include:  

  • Technical publications from recognised technical bodies, for example ENISA and NIST (external links)
  • Appropriate technology standards from ISO, IEEE, and IETF
  • Peer-reviewed academic journals focusing on state-of-the-art technologies, eg Differential Privacy
  • Peer-reviewed journals on practical data protection compliance, eg PDP Privacy & Data Protection (external link)
  • Publications from relevant public-sector organisations, eg ONS intruder testing (external link)

Some useful resources for UK and EU case law relevant to anonymisation:

  • Case law index at the National Archives – for UK judgments and decisions from 2001 onwards.
  • The archive of the British and Irish Legal Information Institute (BAILII).
  • Court of Justice of the European Union – although new CJEU case law doesn’t apply in the UK, it may still be useful.

How should we mitigate identification risk due to a security incident?

If a security incident leads to someone being re-identified from data you previously treated as anonymous, this is not necessarily a personal data breach.  

However, this depends on your justification for the information no longer being personal data. For example, if you believed the data was anonymous but your anonymisation was actually ineffective, then a personal data breach may still have taken place.

An identification incident may lead to the end of the anonymisation process or to its modification (for example, by using more rigorous anonymisation techniques or disclosure controls). You should address in your governance procedures what you will do if you are concerned that the risk of identification has increased. For example, due to:

  • technological developments (eg the emergence of new identification attacks, or of stronger anonymisation techniques that you need to assess to see whether they make your current techniques redundant); or
  • increased availability of additional information that may facilitate identification when linked to the anonymised data.

Applying state-of-the-art anonymisation techniques and adapting your approach in line with technological developments can help to minimise the risk of an identification incident occurring. For example, you should consider introducing some, or all, of the following measures to reduce the risk to a remote level:

  • use a more rigorous state-of-the-art anonymisation technique;
  • adjust the parameters of the anonymisation technique for increased privacy (eg further generalisation or noise addition, if possible);
  • implement stronger technical and organisational measures, such as limited access safeguards and environmental controls; and
  • ensure that identification testing considers state-of-the-art attacks. 
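As an added illustration of what ‘adjusting the parameters of the anonymisation technique for increased privacy’ means in practice, the Python below generalises two quasi-identifiers (age and postcode) with tunable parameters and measures the smallest equivalence class (k) that results. It is example code written for this page, not code from the ICO or its guidance. The records, the parameter values and the k threshold are constructed assumptions chosen to show the effect; a real assessment would use your own data and your own risk appetite.

```python
"""Added example (not ICO code): tightening generalisation parameters and
checking the smallest equivalence class (k) as a simple identifiability metric."""
from collections import Counter

# Constructed sample records: (age, postcode, attribute). Not real people.
RECORDS = [
    (23, "SW1A 1AA", "asthma"),
    (27, "SW1A 2BB", "asthma"),
    (34, "SW1V 3CC", "diabetes"),
    (36, "SW1V 4DD", "asthma"),
    (42, "EC1A 1EE", "diabetes"),
    (47, "EC1A 2FF", "diabetes"),
    (55, "EC2A 1GG", "asthma"),
    (58, "EC2V 2HH", "diabetes"),
]


def generalise(record, age_band, postcode_chars):
    """Replace exact age with an age band and truncate the postcode.

    age_band: width of the age range (larger = more general).
    postcode_chars: characters of the postcode kept (fewer = more general).
    """
    age, postcode, attr = record
    lo = (age // age_band) * age_band
    age_range = f"{lo}-{lo + age_band - 1}"
    area = postcode.replace(" ", "")[:postcode_chars] + "*"
    return (age_range, area, attr)


def equivalence_classes(records, age_band, postcode_chars):
    """Count how many records share each (age range, area) combination."""
    classes = Counter()
    for rec in records:
        age_range, area, _ = generalise(rec, age_band, postcode_chars)
        classes[(age_range, area)] += 1
    return classes


def min_k(records, age_band, postcode_chars):
    """Smallest equivalence class: k == 1 means a record is unique on its
    quasi-identifiers, so it stands out to anyone holding matching data."""
    return min(equivalence_classes(records, age_band, postcode_chars).values())


def release(records, age_band, postcode_chars, k):
    """Generalised rows for disclosure, suppressing rows in classes smaller
    than k rather than publishing records that are unique on quasi-identifiers."""
    classes = equivalence_classes(records, age_band, postcode_chars)
    out = []
    for rec in records:
        g = generalise(rec, age_band, postcode_chars)
        if classes[(g[0], g[1])] >= k:
            out.append(g)
    return out


if __name__ == "__main__":
    # Successively more general parameters: the smallest class grows from
    # 1 (a unique record) to 4.
    for age_band, pc in [(10, 4), (20, 3), (20, 2)]:
        print(f"age_band={age_band} postcode_chars={pc} -> k={min_k(RECORDS, age_band, pc)}")
    print(release(RECORDS, 10, 4, k=2))  # two 50-59 rows suppressed
```

With 10-year bands and the full outward postcode (e.g. `SW1A`), two records are unique; widening to 20-year bands and a three-character prefix raises the smallest class to 2, and a two-character prefix raises it to 4. Suppression (`release`) is the fallback when you want to keep finer parameters but still never publish a record that is alone in its class. A k value is only one indicator: it says nothing about attribute disclosure or about additional information a motivated intruder may hold, so it complements rather than replaces the identification testing against state-of-the-art attacks described above.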

In addition, you could consider applying technical measures, such as encryption of the anonymous information. In the event of a security incident, the data would be unintelligible to any person who is not authorised to access it. 

Further reading – ICO guidance

Our guidance on PETs provides further information about noise addition techniques and differential privacy. 

What other legal considerations apply?

Depending on the nature of your organisation, you may have other legal considerations that are relevant to your anonymisation processes and decision-making. In particular, public authorities and public bodies often have to consider freedom of information legislation.

How do freedom of information law and data protection law intersect?

If you are a public authority and FOIA, the EIR, or both apply to you, then anyone can request any information you hold. Unless an exemption applies, you must provide the information they request.

FOIA applies to recorded information held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002. 

Section 40 of FOIA and regulation 13 of the EIR say that you must not disclose the information if: 

  • it’s personal data; and
  • disclosing it to a member of the general public would breach the data protection principles. 

This means that you must assess whether providing the information is fair and lawful under data protection law.

To assess the status of the information at the time of the request, you should apply the motivated intruder test. In an FOI or EIR disclosure, you should consider all the means that are reasonably likely to be used by someone to re-identify the people the requested information relates to. For example, what additional information they have access to and what practical steps they could take.

If the information is personal data and disclosing it would breach the data protection principles, then you must withhold it under the section 40 or regulation 13 exemptions.

You could consider anonymising the information in order to be able to provide something to the requester.

You must disclose data that is not personal data, unless you can show that a different exemption applies.

If you receive an FOI or EIR request for anonymised data, you must consider if there is someone in the wider public (including another organisation) who may attempt to identify the people the data relates to. This also applies if you are a public sector body for the purpose of the Re-use of Public Sector Information Regulations (RPSI).  

Further reading in this guidance

Identifiability – what factors should we include? provides further guidance on disclosing anonymous information to the world at large. 

Further reading – ICO guidance

Section 40 and Regulation 13 – our guidance on the exemptions relating to personal data under FOIA and the EIR. 

What if we are a public sector body for the purpose of the Re-use of Public Sector Information Regulations (RPSI)?

Under RPSI, people can request the re-use of information that certain public bodies hold. Generally, you must allow re-use, if RPSI applies to you.

This does not apply to all public bodies. For example, if you are a library, museum or archive, allowing re-use is at your discretion.

RPSI does not apply to information that is exempt under FOIA. So, if you receive a request for re-use of information, and this information contains personal data, then the legal obligations you must consider are those under FOIA and the EIR.

How do human rights law and data protection law intersect?

Depending on your organisation’s circumstances, the Human Rights Act (HRA) may apply to you. For example, if you are a public authority or a private sector organisation carrying out functions of a public nature.

The HRA requires you not to act in ways that are incompatible with rights under the European Convention on Human Rights (ECHR). This includes Article 8, the right to respect for private and family life.

This right is not absolute. Broadly speaking, public authorities can interfere with it, if doing so is necessary, lawful and proportionate.

Data protection and Article 8 often overlap. If you make a disclosure that complies with data protection law, it is also likely to comply with the HRA.

You should remember that data protection rights apply only to personal data, not anonymous information.

But the Article 8 right isn’t limited to situations that involve personal data. So you should also note that some disclosures of information won’t engage data protection law, but they may still engage the HRA. For example, information about people who have passed away is not personal data, but its disclosure may breach the family’s privacy rights.

However, it is beyond the scope of this guidance to provide further advice about the HRA or ECHR.  

What other statutory prohibitions are relevant?

Other statutory prohibitions may apply to disclosing information, with different tests and considerations to the UK GDPR. For example, there are relatively strict limitations on the purposes for allowing certain government departments to produce and disclose even anonymised data. A breach of a statutory prohibition engages FOIA’s section 44 exemption.

What are the differences between data protection law and the common law duty of confidentiality?

The common law duty of confidentiality (CLDC) applies when information is obtained in circumstances where it is reasonable for the person disclosing it to expect the recipient to hold it in confidence.

Data protection law applies independently of the CLDC. For example, there may be a public interest ground that permits disclosing personal data that the CLDC otherwise applies to.

However, it is outside the scope of our functions and powers to provide specific guidance on the CLDC.  

Further reading outside this guidance

Section 251 of the National Health Service Act 2006 defines the term “confidential patient information”.

For more information on the CLDC: