The ICO acknowledged last week that 'questions about when data is personal data or anonymous information are some of the most challenging issues organisations face' as they announced plans to update their anonymisation guidance. While organisations await this new guidance, a recent Freedom of Information Act (FOIA) case, Lloyd v Information Commissioner, provides some useful insights into the ICO’s latest thinking on anonymisation.
Why FOIA cases are relevant to anonymisation
The FOIA, which sets out the framework for public access to information held by public authorities, includes an exception for third party personal data. Personal data here has the same meaning as under the Data Protection Act 2018 (DPA) and so much of the case law on the scope of the personal data exception under FOIA will have wider relevance.
Lloyd v Information Commissioner
In this decision, a FOIA request was made to an NHS Trust in relation to the number of children born with Down Syndrome over a period of 8 years. The Trust disclosed various aggregated numbers, but not the numbers of children born with Down Syndrome each year as there were fewer than five a year and, the Trust contended, disclosing these numbers would reveal their personal data. Following a complaint to the ICO (who upheld the Trust’s approach), the requester appealed to the First Tier Tribunal (FTT).
In its submissions to the FTT, the ICO argued that the annual figures could link with information in the educational sector, media or social media to make the identification of individuals possible. The ICO referred to case law confirming the ‘determined intruder’ test: if a determined intruder or investigative journalist would be able to identify a person from the information disclosed, the information is personal data. This test, and the broader challenge of ‘identifiability’, has been highlighted as a key topic that will be explored by the ICO in their new guidance.
Impact of the decision
Thinking about the tenacity of serious investigative journalists, we are reminded of the difficulty of rendering data anonymous in all manner of contexts, from everyday commercial business to healthcare and/or the use of technologies such as AI. Anonymisation and pseudonymisation also need to be considered in the context of international transfers, as part of the Schrems II ‘supplementary measures’. However, the leading cases on anonymisation all predate the DPA and the current key piece of UK guidance, the ICO’s Anonymisation Code of Practice (COP), is from 2012. The decision of the FTT in Lloyd v IC is therefore useful, at least in restating the relevance of much of the pre-DPA case law and elements of the COP for this new (UK) GDPR-era, particularly while the new guidance is work-in-progress. There is still a clear need for new detailed and pragmatic regulatory guidance in this area and organisations will welcome the commitment from the ICO, in their blog last week, to work closely with industry, stakeholders and academia to develop it over the coming months.
"the ‘motivated intruder’ is reasonably competent, has access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward" (ICO’s 2012 Anonymisation Code of Practice, quoted by the First Tier Tribunal )