Anonymisation is about removing the possibility of identifying individuals in a data set. Anonymisation is an important means of enabling the extraction of valuable insights through data analysis, while reducing the risks for those concerned. When personal data are anonymised, they are no longer deemed to constitute personal data. The processing of such data therefore falls outside the scope of the Data Processing Act.
Anonymising data is challenging – and it is more challenging today than it was before. The vast reservoir of publicly accessible data, combined with the availability of ever cheaper and more powerful analysis technology, has increased the risk of re-identification.
The increased risk of re-identification makes it even more important to perform thorough risk assessments before publishing anonymised data, and to use robust anonymisation techniques. In this guide, we will review key legal provisions, point out risk factors it is important to take into consideration, and discuss the strengths and weaknesses of various different anonymisation techniques.
This guide is intended for all those wishing to anonymise personal data in the public and private sectors. It applies irrespective of the purpose of such anonymisation. There may be many reasons why an organisation wishes to anonymise the personal data it has collected. It may, for example:
- Privacy legislation does not apply to anonymous data. Data is anonymous if it is no longer possible, with the tools that can reasonably be expected to be used, to identify individuals in a data set.
- The anonymisation of data makes it possible to exploit the value inherent in data analysis in a way not injurious to privacy.
- This guide will help organisations wishing to anonymise personal data, irrespective of their reason for doing so.
- This guide will help organisations to identify the challenges and risks associated with the anonymisation of personal data, in order for the outcome to be as secure as possible.
- This guide provides an introduction to key aspects of the Personal Data Act.