Two recent judgments clarify the position that in the UK a data controller should be able to anonymise originally-personal data and then disclose or process the anonymised data, as long as the data are sufficiently anonymised so that the public cannot identify living individuals from the anonymised data. It should not matter that the data controller itself can identify living individuals from the anonymised data and/or the original personal data. The interpretation of the definition of ‘personal data is critical for FE and HE institutions when considering whether anonymised or encrypted personal data can be treated as ‘anonymous data’ and therefore free of data protection law constraints. The cases are Department of Health v Information Commissioner, [2011] EWHC 1430 (Admin) and All Party Parliamentary Group on Extraordinary Rendition v The Information Commissioner & The Ministry of Defence [2011] UKUT 153 (AAC). Further details and commentary on the significance of the cases are available on the Queen Mary, University of London Cloud Computing website.
this story.