Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
Because of the definition of ‘personal data’ in s.3 DPA, proper anonymisation of information stops it from being personal data at all, and therefore takes it out of the scope of the DPA/UK GDPR (and also, for public authorities, means that s.40 FOIA cannot be relied upon). But the question of what level of anonymisation suffices is always tricky. Information that would have been effectively anonymised twenty years ago can often now be de-anonymised rapidly via the internet. As is well known, the test is that of the ‘motivated intruder’ – someone who wants to de-anonymise the material and who has access to the ordinary tools of daily life, but no special skills for example in hacking, or penchant for burglary or surveillance. The test is based on ‘all the information that is reasonably likely to be used’.
In NHS Business Services Authority v IC & Spivack [2021] UKUT 192 (AAC), UTJ Jacobs held that s.3 imposes a binary test of whether the personal data can be de-anonymised, with no room for considering the remoteness or likelihood of re-identification. In a careful and detailed judgment, UTJ Jacobs rejected submissions that the case law pointed towards such a test. The question is therefore not whether there is a ‘reasonable likelihood’ or a risk of an individual being identified, but whether or not an actual individual can be identified, directly or indirectly, when taking into account all the information that is reasonably likely to be used (based on what a motivated intruder would be able to obtain). There is no bright line rule that small datasets are bound to be withheld on the basis of potential de-anonymisation.
Spivack is thus a useful re-statement and clarification of the law on de-anonymisation. But it comes at the point the Information Commissioner is running a multi-stage consultation on anonymisation, to update its Code of Practice, last issued in November 2012. The ICO has decided to run its consultation ‘in stages’, and is currently consulting on the first and second chapters of its draft guidance. One might think that a single consultation would be more efficient, and likely to gain better engagement, than a chapter-by-chapter approach. The consultation on chapters 1 and 2 remains open until 28 November 2021. It cannot, of course, change the law (as re-stated in Spivack), but hopefully will provide helpful and practical guidance on this oft-vexed issue.
NHSBSA v IC & Spivack [2021] UKUT 192 (AAC)
ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.