ICO POST: Data sharing code

Very beneficial blog has been shared by Ali Shah, Head of Technology Policy

Blog:Building on the data sharing code: our plans for updating our anonymisation guidance.

Data is the lifeblood of the digital economy, and the sharing of personal data is key to opening up new opportunities. Data shared in healthcare environments can map out trends and provide new insights to improve patient care, while in the financial sector, data sharing can help to protect against money laundering and ensure individuals are protected from fraud.

In our experience, organisations want to use and share data in a safe and legally compliant way, but can be uncertain around how to do this. That’s why we’ve got clear guidance, to help build confidence in decision making around data sharing – we know that when data is shared properly, it can lead to real benefits.

The recent ICO Data Sharing Code of Practice. provides organisations with a practical guide on how to share personal data in line with data protection law. However, we recognise there are other dimensions to data sharing. The code is not a conclusion, but a milestone in this ongoing work. We will continue to provide clarity and advice in how data can be shared in line with the law.

Building on this promise, we are now outlining our plans to update our guidance on anonymisation and pseudonymisation, and to explore the role that privacy enhancing technologies might play in enabling safe and lawful data sharing. We recognise that questions about when data is personal data or anonymous information are some of the most challenging issues organisations face.

Our refreshed guidance will assist organisations in meeting these challenges. We will set out our views on approaches like the spectrum of identifiability, and how these can be practically applied. We will provide advice on how to assess the appropriate controls that need to be in place and we will be grounding our guidance in practical steps organisations can take.

The key topics we will be exploring include:

• Anonymisation and the legal framework – legal, policy and governance issues around the application of anonymisation in the context of data protection law;
• Identifiability – outlining approaches such as the spectrum of identifiability and their application in data sharing scenarios, including guidance on managing re-identification risk, covering concepts such as the ‘reasonably likely’ and ‘motivated intruder’ tests;
• Guidance on pseudonymisation techniques and best practices;
• Accountability and governance requirements in the context of anonymisation and pseudonymisation, including data protection by design and DPIAs;
• Anonymisation and research – how anonymisation and pseudonymisation apply in the context of research;
• Guidance on privacy enhancing technologies (PETs) and their role in safe data sharing;
• Technological solutions – exploring possible options and best practices for implementation; and
• Data sharing options and case studies – supporting organisations to choose the right data sharing measures in a number of contexts including sharing between different organisations and open data release. Developed with key stakeholders, our case studies will demonstrate best practice.

Find out more on the following link .