Wednesday 21 November 2012

Commenting on the ICO’s Anonymisation Code

I’ve been asked by a professional journal to comment on the ICO’s Code of Practice on Anonymisation, which has just been released. I’ll report later on the extent to which my comments were finally quoted.

The full text of my response appears below.

But I will develop just one point, which niggled me as I was reading the thing.

In his introduction, Information Commissioner Christopher Graham explained that: “This code of practice is not a security engineering manual, nor does it cover every anonymisation technique. The Anonymisation Network will provide greater access to more detailed expertise and advice. But it does contain clear, practical advice and a straightforward explanation of some very tricky legal concepts. This code of practice will be of use to freedom of information and data protection practitioners, and to all those who are contributing to the creation of one of the world’s most transparent and accountable economies.”

So, is the document a Code of Practice, a Guidance Manual, a Briefing Note or what?

Having been involved in the creation of a few Codes myself (admittedly over a decade ago), I thought I knew what a Code was. But this document performs a slightly different function. Just a quibble, nothing major.

Anyway, for what its worth, here is what went to the requesting editor:

"The document may be 108 pages long, but it is quite easy to read. There’s plenty of white space and nice photos, with key points highlighted in coloured boxes. Readers with a statistical background will get more out of the Annexes than Data Protection Officers who gave up maths at school as soon as they possibly could.

It’s refreshing to learn how to anonymise data effectively, thus ensuring that it falls outside the ICO’s remit. No breach reporting requirements, here!

My only quibble is whether the document really is a Code of Practice. I’ve been brought up to believe that Codes are relatively short regulatory mechanisms that set out what it is that needs to be done. Not a lot more, not a lot less.

But this document is far more than that – it’s quite a comprehensive (and extremely useful) briefing manual on anonymisation, setting out the regulatory landscape, and drawing attention to a range of techniques to anonymise data, with case studies illustrating how this anonymised data can subsequently be used.

A number of pages are deliberately blank, and some are coloured gold. So ask yourself whether you really need to print the entire document, before doing so."