As a business owner handling personal data, you must avoid these errors when using pseudonymised data. Some data relate to individuals, customers and clients, while others are confidential and commercial. While most information exists to provide maximum detail, some forms of data aim for the opposite. This article will explore why some companies in England utilise pseudonymised information and the potential legal implications that come with its use. This should enable your business to weigh up the usefulness of pseudonymised data.
What is Pseudonymised Information?
Pseudonymised data is a form of amended information. The main aim of pseudonymisation is to protect the identities of individuals. So, for example, you could amend a list of daily customers to read ‘purchaser 1’ rather than naming the identifiable natural person. This would mask their identity and make the information more anonymous.
This sounds relatively straightforward: in practice, it is a process in which you substitute the identifiable personal information of any data subject with neutral terms. Let us explore a couple of the most significant errors businesses in England make.
1. Equating Pseudonymised Data and Anonymous Data
As you are likely aware, the General Data Protection Regulation (UK GDPR) sets data protection rules for businesses in England.
There are two main types of data under the GDPR, which are:
- personal data – this covers information that can help identify an individual (for example, their name, address, telephone number or date of birth); and
- anonymised data – this is information that contains no data that can be traced back to any individual.
At first glance, many businesses in England believe pseudonymised data constitutes anonymous data. This is because the identifiable information is removed and replaced with a more neutral label.
However, the Information Commissioner’s Office (ICO) advises that pseudonymised data is information that has had data removed but is not truly anonymous. In essence, it is akin to semi-anonymous information.
Let us consider, through an example, how pseudonymised information is semi-anonymous.
Example
Let us pick up the above example of your business substituting customer names for ‘purchaser 1’ and ‘purchaser 2’. At the end of a business day, you have four orders by individuals for power tools. Your pseudonymised data spreadsheet records them as follows:
- Purchaser 1;
- Purchaser 2;
- Purchaser 3; and
- Purchaser 4.
But in a different tab of the same spreadsheet, you have a list of delivery addresses for those individuals. Because you have listed the individuals in chronological order throughout the day, your business holds the time entries for their home addresses and card data within the same spreadsheet. So, if needed, you could reverse-engineer their personal identifiers from the additional data in your possession.
Any information your organisation can reverse-engineer is not truly anonymous and will, instead, be called pseudonymised data.
What would be truly anonymous? One step would be to assign random titles for the purchasers which are not in chronological order, such as ‘t829’, ‘g232’, ‘y652’ and ‘u892’. Another step would be to ensure the spreadsheet only contains an anonymous data tab and no further information.
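The linkage described above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it counts how many rows a join on row position ties back to the right person, first for chronological ‘Purchaser N’ labels and then for the two steps just described. The names, addresses and function names are constructed for illustration.

```python
import random
import secrets

# Constructed sample data (not from the article): four orders in the
# chronological order they were placed, and the delivery-address tab
# kept in that same row order.
ORDERS = [("Alice Smith", "drill"), ("Bob Jones", "sander"),
          ("Carol White", "jigsaw"), ("Dan Brown", "router")]
ADDRESS_TAB = [("Alice Smith", "1 Oak Rd"), ("Bob Jones", "2 Elm St"),
               ("Carol White", "3 Ash Ln"), ("Dan Brown", "4 Fir Ct")]


def sequential_release(orders):
    """'Purchaser N' labels issued in chronological order, as in the article.
    Returns (rows, truth); truth is kept only so the audit can score links."""
    rows = [(f"Purchaser {n}", item) for n, (_, item) in enumerate(orders, 1)]
    truth = {f"Purchaser {n}": name for n, (name, _) in enumerate(orders, 1)}
    return rows, truth


def random_release(orders, rng=None):
    """Random, non-sequential labels with the rows shuffled out of time order."""
    rng = rng or random.SystemRandom()
    rows, truth = [], {}
    for name, item in orders:
        label = secrets.token_hex(4)
        while label in truth:          # regenerate on the rare collision
            label = secrets.token_hex(4)
        truth[label] = name
        rows.append((label, item))
    rng.shuffle(rows)                  # break the chronological row order
    return rows, truth


def rows_relinked(rows, truth, address_tab):
    """Count rows that a join on row position ties back to the right person.
    address_tab=None models a workbook that holds only the release tab."""
    if not address_tab:
        return 0
    return sum(truth[label] == name
               for (label, _), (name, _) in zip(rows, address_tab))


if __name__ == "__main__":
    seq_rows, seq_truth = sequential_release(ORDERS)
    rnd_rows, rnd_truth = random_release(ORDERS)
    print("sequential + address tab:", rows_relinked(seq_rows, seq_truth, ADDRESS_TAB))
    print("random + address tab:   ", rows_relinked(rnd_rows, rnd_truth, ADDRESS_TAB))
    print("random, no other tab:   ", rows_relinked(rnd_rows, rnd_truth, None))
```

With only four rows, a random shuffle can still leave a row in its original position by chance, so the second figure is not always zero; removing the address tab is what takes the linkable data out of the workbook.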
2. Underestimating ICO Regarding Pseudonymised Information
Some business owners make the mistake mentioned above of labelling pseudonymised information as ‘anonymous data’. In this way, they believe that the GDPR rules on processing personal data do not apply to that information because they mistakenly believe that pseudonymised data does not constitute personal data.
Unfortunately, because you can reverse-engineer it, it does constitute personal data. Thus, handling information outside the principles of the GDPR could lead to fines of up to £17.5 million.
Key Takeaways
The easiest way to ensure information is pseudonymised is to keep it away from data that could be used to reverse-engineer the relevant people’s identities. Overall, using pseudonymised information is a good idea in some situations (such as employee surveys), as removing personal information from documents is welcomed by the ICO. However, the primary way businesses in England get into hot water is when they mistakenly label the data as ‘anonymous’ for the purposes of the GDPR when it is not.
Because of this, many business owners consult expert lawyers when they need clarification as to whether information constitutes pseudonymised data or truly anonymous information.
If you need help handling pseudonymised data correctly, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Because the GDPR and ICO believe that a business cannot breach the data protection rights of an individual it cannot identify. So, for example, if a cyber attack resulted in hackers obtaining a document solely listing random identifiers for individuals with no personal data, it could not cause serious harm.
Some common examples of pseudonymised information include job recruitment exercises and customer purchase data. For example, your business may wish to examine trends in the purchase of certain items in specific months of the year and, to do so, needs purchase numbers rather than personal identities.