New ICO guidance clarifies use of anonymisation and pseudonymisation
The Information Commissioner’s Office (ICO) has published new guidance on anonymisation and pseudonymisation.
Understanding the ICO’s latest guidance
The ICO’s updated guidance on anonymisation and pseudonymisation builds on its previous consultations and forms part of its broader focus on responsible data sharing. The guidance is intended to help organisations minimise the risk of identifying individuals when using or disclosing personal data, particularly in complex or large-scale processing environments.
Anonymisation involves turning personal data into anonymous information. Where this is achieved to the standard required by the UK GDPR, data protection law no longer applies. The guidance outlines several anonymisation techniques, explaining their strengths, limitations, and suitability in different contexts. Case studies are included to demonstrate how these techniques may be applied in practice.
The guidance also addresses pseudonymisation, where personal identifiers are often replaced with alternative references such as codes or numbers (and the personal identifiers are kept separate). The ICO emphasises that pseudonymised data is still personal data and remains subject to data protection law, but it can reduce risk and enhance data security when used appropriately.
Governance and accountability expectations are also explored. The guidance applies across three legal regimes:
- General processing under UK GDPR and Part 2 of the Data Protection Act 2018
- Law enforcement processing under Part 3 of the DPA 2018
- Intelligence services processing under Part 4 of the DPA 2018.
While the guidance is not statutory, it reflects the ICO’s expectations and is likely to influence how it assesses an organisation’s compliance in the event of an investigation. It sits alongside the ICO’s data sharing code of practice as a key reference point for organisations handling personal data.