The Information Commissioner’s Office (ICO) has produced draft guidance with five core considerations on the use pseudonymisation in managing data.
It is the latest step in its programme of publishing guidance on anonymisation in a series of chapters on specific issues to support the safe sharing of data.
The 20-page document defines pseudonymisation as techniques that replace, remove or transform information that identities individuals and keeps it separate. This provides a method of reducing risk and improving security in data sharing.
It sets out five core considerations in approaching pseudonymisation, the first of which is to define what it is meant to achieve.
Risks, techniques, decisions
This should come with detailing risks – such as what types of attack are possible – deciding on the most appropriate technique, deciding who does the pseudonymisation and documenting decisions and risk assessments.
“There are many pseudonymisation techniques,” it adds. “Some will help you achieve pseudonymisation as defined by the law. Others may not, but can still be useful technical measures from a security perspective.
“Ultimately, the appropriate technique to use depends on the circumstances of your processing.”
The ICO has previously indicated that the series of publications will take in issues including anonymisation and the legal framework; the spectrum of identifiability; accountability and governance requirements; anonymisation and research; and guidance on privacy enhancing technologies.
