The Information Commissioner’s consultation on an Anonymisation Code of Practice is mainly concerned with the exchange or publication of datasets derived from personal data. However it once again highlights the long-standing confusion around the treatment of pseudonyms under Data Protection law.
A pseudonym is an identifier (often randomly generated) whose value is unique to me, but which isn’t any of the identifiers (name, address, etc.) that I use in the real world. Membership numbers are an example of a pseudonym that we frequently encounter: the organisation that issued it knows that member 002684 is me, but no one else can make either the link between that number and me, or between it and my membership numbers of other organisations.
EU law says that anything attached to the membership number is always personal data, because there is someone on the planet who can link it to me. The Article 29 Working Party even seem to suggest that it would be personal data without the link, because the membership number distinguishes me from all other people. UK law agrees that it’s personal data in the hands of anyone who can make the link (me, the organisation and – if I told you which organisation it was – any reader of this article). But if you don’t have, and aren’t likely to obtain, the linking information then the membership number isn’t regarded by the Data Protection Act 1998 (DPA) as personal data in your hands.
Indeed the Consultation document is explicit that “There is clear legal authority for the view that, where a data controller converts personal data into an anonymised form and publishes it, this will not amount to a disclosure of personal data – even though the disclosing organisation still holds the ‘key’ that would allow re-identification to take place. This means that the DPA no longer applies to the disclosed information”. Where the information might cause harm if a recipient were somehow able to perform re-identification without the key (for example by spotting unique patterns in the anonymised information) or by obtaining the key from somewhere else, the Code suggests “only disclos[ing] within a properly constituted closed community and with specific safeguards in place” but still allows the disclosure to take place outside the scope of the DPA. Several examples in the Code demonstrate how this could work.
Computer systems don’t care what identifier is used – they are all just sequences of bytes. Lighter regulation of pseudonyms could provide a strong encouragement to use those in place of direct identifiers, with immediate improvements for privacy. Unfortunately so long as there is a difference in interpretation across Europe this is unlikely to be achieved.
