UK: ICO launches consultation on fourth chapter of updated guidance on anonymisation, pseudonymisation, and PET
The Information Commissioner's Office ('ICO') launched, on 7 March 2022, a consultation on the fourth chapter of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies ('PET'), titled 'Chapter 4: Accountability and governance'. In particular, the draft chapter, which follows the publication of the third chapter in February 2022, outlines what accountability and governance measures are needed for anonymisation, expanding on, among other things, who should be responsible for the anonymisation process, in what situations it is necessary to conduct a Data Protection Impact Assessment ('DPIA'), and how to mitigate re-identification risks following a security incident.
Furthermore, the draft chapter explains, among other things, what organisations should consider and do when anonymising data, for example:
- the establishment of an appropriate governance structure to improve data management, record-keeping, and disclosure of data, as well as to demonstrate compliance and serious efforts to comply, especially in the face of an enforcement action, with the structure covering how the organisation will plan for anonymisation, how it will identify and mitigate anonymisation risks, how it will ensure anonymisation remains effective, and consideration of relevant legislation;
- the appointment of one or more senior members to oversee the anonymisation process and associated decision-making, working with the data protection officer ('DPO'), or, in some circumstances, the assignment of a 'Senior Information Risk Owner' ('SIRO');
- the consideration and clarification of the purpose for anonymising personal data, such as anonymisation as part of organisational purpose or of processing activities;
- the collaboration with other organisations likely to be processing and possibly disclosing other information that could impact the effectiveness of the anonymisation, for example by using a trusted third party ('TTP'); and
- the identification of cases where it is difficult to assess identifiability risk, or where that risk may be significant, and, in such cases, the consideration of alternative techniques to ensure data is effectively anonymised or of technical and organisational measures to mitigate the risk of re-identification.