knowledge 19 October 2016 |

New DPC Guidance on Anonymisation and Pseudonymisation

In addition to providing an overview of the concepts of anonymisation and pseudonymisation, the Guidance also provides useful insights into the DPC’s views on these issues, some of which may be a cause of concern for organisations that have a different understanding of anonymisation. In particular:

• organisations are reminded that, when subjecting personal data to an anonymisation process, in order to effectively remove such data from the scope of applicable data protection law, they should ensure that no data subject may be identified from the relevant data;     
• the view is expressed that, in assessing whether a data subject can be identified from data which has undergone an anonymisation process, regard must be had to all methods reasonably like to be available, not only to the data controller but also to any other person, to identify the data subject. Considerations that are identified as being relevant to a data controller’s assessment of whether anonymised data has been rendered unidentifiable include:
  • the availability of data linking technologies (noting that such technologies may become more effective over time);
  • the possibility of an ‘intruder’ gaining access to the relevant data and the possible identity of such ‘intruder’;
  • the data which may be known personally to somebody who obtains access to the data (which could be linked with the anonymised data to identify data subjects);
  • how likely it is that somebody may attempt to identify an individual from the data; and
  • any other information which may be available to somebody with access to the relevant data (eg publicly available information, searchable registers, etc).
• where data has been effectively anonymised so that individual data subjects are no longer identifiable, it is suggested that the identifiability status of such data should be kept under regular review, as it is likely that current data anonymisation techniques could be diminished or undermined by the development of more advanced data processing techniques than those which currently exist or by new information becoming available which could allow the anonymised data to be linked to an individual;
• it is suggested that, where data is anonymised but the original source personal data is retained, both the source data and the anonymised data should be treated by organisations as personal data for the purposes of Irish data protection law;
• organisations are reminded that the use of pseudonymisation is not considered, on its own, to be sufficient to render personal data unidentifiable so as to remove it from the scope of data protection law; and
• it is reiterated that the process of anonymising personal data constitutes a data processing activity for the purposes of data protection law and is therefore subject to the usual data protection principles, including the principles of fair collection and processing, legitimising processing and the purpose limitation.

While the guidance is a useful resource for organisations in identifying the approach the DPC is likely to take when considering anonymisation and pseudonymisation, the primary reference point in this area will continue to be applicable data protection law, including the Irish Data Protection Acts 1988 and 2003, the Data Protection Directive and relevant decisions of the Irish and European Courts. The CJEU’s decision in the Breyer case (C-582/14) will be particularly relevant in this regard. It is also worth noting that the General Data Protection Regulation (“GDPR”), with effect from May 2018, will place the concept of pseudonymisation on a firm legislative footing across the EU and will provide a framework in which that data minimisation technique can be specifically addressed by data protection law. For more on the GDPR, please see here. 

Contributed by Ruairi Madigan