UK: ICO launches consultation on third chapter of updated guidance on anonymisation, pseudonymisation, and PET
The Information Commissioner's Office ('ICO') announced on Twitter, on 7 February 2022, that it had launched a consultation on the third chapter of its draft guidance on anonymisation, pseudonymisation, and privacy-enhancing technologies ('PET'), entitled 'Chapter 3: pseudonymisation'. The chapter, which follows the publication of the second chapter in October 2021, outlines the concept of pseudonymisation, how it differs from anonymisation, and how it can allow organisations to make greater use of data.
The chapter stresses that pseudonymisation is distinct from anonymisation, which produces information that does not relate to an identified or identifiable individual. The ICO noted the significance of this distinction: the UK GDPR does not apply to anonymised data, but where pseudonymised data is mistaken for anonymised data, organisations risk breaching the law, because a data set that has undergone pseudonymisation remains personal data. Rather than removing data from the scope of the law, pseudonymisation should be treated as a security and privacy risk management measure that can help organisations fulfil their obligations, for example by demonstrating the mitigation of risks when conducting a Data Protection Impact Assessment ('DPIA') or a Legitimate Interests Assessment ('LIA').
In addition, the chapter clarifies that pseudonymisation can help organisations meet their Data Protection by Design obligations as a risk reduction measure, which requires consideration of:
- the state of the art and costs of implementation of any measures;
- the nature, scope, context, and purpose of processing; and
- the risks processing poses to individuals' rights and freedoms.
Moreover, the chapter stipulates core considerations for organisations in approaching pseudonymisation, including:
- defining the goals, for example, what your use of pseudonymisation is intended to achieve;
- detailing the risks, for example, what types of attack are possible, who may attempt them, and what measures you need to implement as a result;
- deciding on the technique, for example, which technique (or set of techniques) is most appropriate;
- deciding who performs the pseudonymisation, for example, whether a processor does so on your behalf; and
- documenting decisions and risk assessments.