The Information Commissioner’s Office (ICO) has published a code of practice to help organisations guard the privacy of individuals when putting information into the public domain.
The ICO is concerned that the increasing volume of what is termed “anonymised” data released under the Government’s Open Data Institute (ODI) initiative or as a result of freedom of information requests risks personal data becoming public by accident.
There is also a risk that a database holding apparently anonymised data could be compromised, the ICO said. This would leave bodies open to legal challenge under data protection legislation
The new code is a framework covering both statistical and ‘qualitative’ data (i.e. meeting minutes, and images), with the latter particular hard to redact because it was often held in paper form.
The ICO is particularly concerned about the possibility of ‘jigsaw’ trawling where intruders attempt to relate publically-known information to anonymised data as a way of identifying individuals. Organisations needed guidance on how to structure public data to minimise this possibility.
“The code also aims to bring a greater consistency of approach and to show what we expect of organisations using this data,” commented UK Information Commissioner, Christopher Graham.
“Failure to anonymise personal data correctly can result in enforcement action from the ICO. However we recognise that anonymised data can have important benefits, increasing the transparency of government and aiding the UK’s widely regarded research community.
“We hope today’s guidance helps practitioners to protect privacy and enable the use of data in exciting and innovative ways,” he said.
The ICO said it had invested £15,000 to set up a UK Anonymisation Network (UKAN), which would be run by a consortium including the University of Manchester, the University of Southampton, the Office for National Statistics (ONS) and the ODI.
This will launch in early 2013 and act as a central source of information on the Code as well as running seminars, clinics and publishing case studies.
"Ensuring that data is properly anonymised, and not just masked can be very difficult to achieve in practice, particularly as technology is constantly evolving," commented Bridget Treacy of UK privacy and information management law firm Hunton & Williams.
"Crucially, the code deals with the risk of re-identification of anonymised data and how this may change over time, particularly with advances in technology, recommending that this risk is assessed periodically," she said.
The warning was clear. "If an organisation 're-identifies' [reveals] personal data without an individual’s knowledge or consent, the collection will likely be unlawful and may be subject to enforcement action, including a monetary penalty of up to £500,000."