The Information Commissioner's Office is asking for feedback on their Code of Practice on 'anonymisation', but the survey does not ask the right questions. We explain the issues.
The ICO survey on the Code of Practice on Anonymisation closes today.
Asking for comments and feedback on the code is a positive move, but the survey is not balanced to capture a variety of opinions. For example, it asks whether the code explains the benefits of anonymisation, but not whether it explains the risks. And it doesn't.
The survey also has space for comments on the style and language of the code, but not on the content, which is surely at least as important.
The code itself is a good initiative but it falls short in certain areas. For example, some of the concepts are not properly explained.
“We draw a distinction between anonymisation techniques used to produce aggregated information, for example, and those – such as pseudonymisation – that produce anonymised data but on an individual-level basis.”
Presenting pseudonymisation – which involves converting transparent identifiers such as names into reference codes – as a proper anonymisation technique could lead to dangerous releases of personal information. In many contexts we would argue that pseudonymous data should have the same levels of protection as fully identifiable data.
In general, the code presents an excessively optimistic narrative that could encourage risks to be downplayed. The current debate on care.data is a good example of this.
The code should stress that effective anonymisation is possible, but it is hard to achieve and we should be very careful when releasing data.