Anonymised personal data under the Data Protection Act

What is personal data?

Broadly speaking, the GDPR applies to the processing of personal data wholly or partly by automated means, or to processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.

Personal data only includes information relating to natural persons who can be identified, or who are identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information.

If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised. Personal data is subject to protection and strict rules.

What happened?

In a recent case, a tribunal had to decide if Bristol University’s anonymised research into chronic fatigue syndrome constituted personal data. The requester, a Mr Peters, made the request under the Freedom of Information Act. The University refused disclosure, arguing the information constituted research participants' personal data. The data was anonymised but was derived from information about children's physical and mental health.

The Information Commissioner’s Office agreed with the University that it was personal data and said "it was more than remote and reasonably likely" that individual children could be reidentified and disclosure would also breach the first data protection principle under the Data Protection Act 1998. As a result they decided that the University could rely on a Freedom of Information Act exemption on the basis that it was personal data within the meaning of the DPA 1998.

Appeal

Mr Peters appealed the decision. The main question for the appeal tribunal was whether the trial participants could be reidentified from a combination of the requested data and other data that was already in the public domain. The tribunal stated that educated guesswork was insufficient and carefully considered the ICO guidance on the elements of "the motivated intruder" test in the ICO's code of practice "Anonymisation: managing data protection risk".

The tribunal concluded that reidentification of the participants was not possible.

Why does it matter?

The request was processed before the Data Protection Act 2018 came into force on 25 May 2018 and therefore the tribunal had to consider the principles under the Data Protection Act 1998. We can still learn from this case as the main principles remain broadly the same.

The case summary of John Peters v IC (Allowed) [2019] UKFTT 2018_0142 (GRC) can be found here.