A blog by Ali Shah, Head of Technology Policy
19 March 2021
Data is the lifeblood of the digital economy, and the sharing of personal data is key to opening up new opportunities. Data shared in healthcare environments can map out trends and provide new insights to improve patient care, while in the financial sector, data sharing can help to protect against money laundering and ensure individuals are protected from fraud.
In our experience, organisations want to use and share data in a safe and legally compliant way, but can be uncertain around how to do this. That’s why we’ve got clear guidance, to help build confidence in decision making around data sharing – we know that when data is shared properly, it can lead to real benefits.
The recent ICO Data Sharing Code of Practice provides organisations with a practical guide on how to share personal data in line with data protection law. However, we recognise there are other dimensions to data sharing. The code is not a conclusion, but a milestone in this ongoing work. We will continue to provide clarity and advice in how data can be shared in line with the law.
Building on this promise, we are now outlining our plans to update our guidance on anonymisation and pseudonymisation, and to explore the role that privacy enhancing technologies might play in enabling safe and lawful data sharing. We recognise that questions about when data is personal data or anonymous information are some of the most challenging issues organisations face.
Our refreshed guidance will assist organisations in meeting these challenges. We will set out our views on approaches like the spectrum of identifiability, and how these can be practically applied. We will provide advice on how to assess the appropriate controls that need to be in place and we will be grounding our guidance in practical steps organisations can take.
The key topics we will be exploring include:
- Anonymisation and the legal framework – legal, policy and governance issues around the application of anonymisation in the context of data protection law;
- Identifiability – outlining approaches such as the spectrum of identifiability and their application in data sharing scenarios, including guidance on managing re-identification risk, covering concepts such as the ‘reasonably likely’ and ‘motivated intruder’ tests;
- Guidance on pseudonymisation techniques and best practices;
- Accountability and governance requirements in the context of anonymisation and pseudonymisation, including data protection by design and DPIAs;
- Anonymisation and research – how anonymisation and pseudonymisation apply in the context of research;
- Guidance on privacy enhancing technologies (PETs) and their role in safe data sharing;
- Technological solutions – exploring possible options and best practices for implementation; and
- Data sharing options and case studies – supporting organisations to choose the right data sharing measures in a number of contexts including sharing between different organisations and open data release. Developed with key stakeholders, our case studies will demonstrate best practice.
How can you engage with us?
Over the coming months we will be exploring these topics iteratively, and will be sharing our thinking ahead of issuing formal guidance.
Our approach will include gathering insight and feedback from industry, academia and other key stakeholders to better understand the real world challenges and where our guidance can be most effectively targeted.
We’ll be publishing each chapter of our guidance and calling for your views before our main public consultation. Your input at the early stages can make a real difference and we are inviting you to contribute by providing feedback.
You can contact us about our initial work in this area by emailing anonymisation@ico.org.uk.
Ali Shah, Head of Technology Policy, is responsible for ensuring the ICO can respond to complex societal challenges presented by emerging technology developments. His expertise in AI, data and emerging technology is combined with a passion for understanding the impact of technology on society, and the ethical and societal questions that emerge. |