Data anonymization must be done properly in order to avoid incidents

Nov 26, 2012 12:10 GMT

The United Kingdom’s Information Commissioner’s Office (ICO) has published a data protection code of practice for organizations that want to anonymize user data.

The agency highlights the fact that anonymization is very important because it brings many benefits. Anonymized data allows organizations to release personal information into the public domain without having to be concerned that it might pose a risk to the individuals in question.

Currently, anonymized information is utilized by telecoms companies to address road traffic issues. They collect geo-location data from their customers and pass it on to a research body in order to determine how many users were on a particular road section at a particular time.

However, because the data is anonymized, the research body doesn’t know who the person using the phone is, or their number.

Another example of the use of anonymized data is medical research. The information is utilized to conduct studies on new drugs and treatments without exposing the test subjects.

On the other hand, as ICO Head of Policy Steve Wood explains, anonymizing data is not as easy as it might sound.

“For example while a piece of information may appear to be anonymised when looked at in isolation, this may not necessarily be the case when you look at this information in context with the other information already available in the public arena. With ever increasing amounts of data in the public domain this can be challenging,” Wood wrote.

He highlighted the fact that anonymized datasets had been “broken” on several occasions in the US.

However, the ICO believes that these incidents occurred because the organizations in question were complacent. Although some critics argue that data anonymization should not be utilized because of the risks, the agency explains that this is “unrealistic.”

Instead, those responsible for anonymizing data should ensure that the techniques they use are more effective and that the right expertise is deployed.

The complete 108-page “Anonymisation: managing data protection risk code of practice” is available from the ICO.