.jpg)
Data protection decision clarifies when personal information is anonymised - 04/09/2008
An organisation was asked to disclose information under the Freedom of Information Act in Scotland. It refused on the basis the information was 'personal data' under the Data Protection Act (and therefore exempt from disclosure). The question of whether information is 'personal data', so the Data Protection Act applies to it, is relevant to all businesses.
The Scottish Information Commissioner said it should have provided it in 'barnardised' form, ie manipulated to reduce the likelihood that the individuals could been identified from it.
The House of Lords decided that, if information is truly anonymous in the hands of both the organisation holding it and the person looking it it, it is not 'personal data'. The question of whether 'barnardised' data is 'personal data' will therefore depend on whether it is in fact anonymous.
The decision still leaves open whether information that is anonymous in itself, but not when combined with other information held by the same organisation, is 'personal data'. For example, a database that identifies individuals by reference to a unique id code is anonymous in itself, but not when combined with a database held by the same organisation that relates the unique ids to the individuals' names.
Recommendations
- Businesses holding information that is truly anonymous, even when combined with other information and data, can be confident that it is not 'personal data', so the Data Protection Act does not apply.
- Businesses holding apparently anonymous information but which could identify individuals if combined with other information held by it should take advice on whether it is personal data.
Related Resources
in the Muckle LLP Resource Centre
