ICO publishes open data privacy code of practice

Anonymised data holds risks, organisations warned

The Information Commissioner's Office (ICO) has published a code of practice to help organisations guard the privacy of individuals when putting information into the public domain.

The ICO is concerned that the increasing volume of what is termed "anonymised" data released under the Government's Open Data Institute (ODI) initiative or as a result of freedom of information requests risks personal data becoming public by accident.

There is also a risk that a database holding apparently anonymised data could be compromised, the ICO said. This would leave bodies open to legal challenge under data protection legislation.

The new code is a framework covering both statistical and 'qualitative' data (i.e. meeting minutes and images), with the latter particularly hard to redact because it is often held in paper form.

The ICO is particularly concerned about the possibility of 'jigsaw' trawling, where intruders attempt to relate publicly known information to anonymised data as a way of identifying individuals. Organisations needed guidance on how to structure public data to minimise this possibility.

"The code also aims to bring a greater consistency of approach and to show what we expect of organisations using this data," commented UK Information Commissioner, Christopher Graham.

"Failure to anonymise personal data correctly can result in enforcement action from the ICO. However, we recognise that anonymised data can have important benefits, increasing the transparency of government and aiding the UK's widely regarded research community.

"We hope today's guidance helps practitioners to protect privacy and enable the use of data in exciting and innovative ways," he said.

The ICO said it had invested £15,000 to set up a UK Anonymisation Network (UKAN), which would be run by a consortium including the University of Manchester, the University of Southampton, the Office for National Statistics (ONS) and the ODI.

This will launch in early 2013 and act as a central source of information on the Code, as well as running seminars and clinics and publishing case studies.

"Ensuring that data is properly anonymised, and not just masked, can be very difficult to achieve in practice, particularly as technology is constantly evolving," commented Bridget Treacy of UK privacy and information management law firm Hunton & Williams.

"Crucially, the code deals with the risk of re-identification of anonymised data and how this may change over time, particularly with advances in technology, recommending that this risk is assessed periodically," she said.

The warning was clear. "If an organisation 're-identifies' [reveals] personal data without an individual's knowledge or consent, the collection will likely be unlawful and may be subject to enforcement action, including a monetary penalty of up to £500,000."
