Interview with the Information Commissioner’s Office (ICO) on Privacy and The Era of Big Data

Questions for the Information Commissioner’s Office (ICO) in Privacy and The Era of Big Data

Answers from Iain Bourne, who helped draft the anonymisation code of practice.

1.Why is it essential to publish a new code of practice to protect the privacy of individuals in the era of big data?   

“We thought the time was right because so much data derived from individuals’ personal information is being put into the public domain, both in response to individual FoI requests and through broader initiatives such as MiData. We’re all for social transparency but there are risks that go with that – there is a consensus I think that we want transparency but we also want privacy protection, and anonymisation is a means of achieving that. Thus the ICO’s code of practice. “

2.How many organisations are failing to comply with protecting individuals’ privacy rights in the UK?

“It is impossible to put a precise figure on it, but we are confident though that the majority of organisations use individuals’ personal information properly and responsibly. We handled just under 13,000 data protection complaints in 2011/12, but this is a relatively small figure given the sheer scale of data processing happening in the UK. It is worrying though that after all these years some basic rights are not being complied with properly, for example the right of subject access, which accounts for 45 per cent of those complaints. We are tackling that through our enforcement action and through guidance and education: a code of practice on dealing with subject access rights will be out in the New Year.”

3.How can practitioners use the framework to assess the risks of anonymisation when it related to data protection and the identification of individuals?

“Well, we hope the code takes practitioners through a logical series of steps that will help them to convert personal information into a safe, usable anonymised form. It describes all the main techniques and explains some admittedly difficult legal concepts very clearly. If they follow the steps we suggest and take the considerations set out into account, then practitioners will not go far wrong as far as we are concerned. We are also funding an anonymisation network – ukanon.net where practitioners will be able to get practical advice on how to do anonymisation in the real world.  The network will formally launch early next year and our funding will last for two years.”

4.How can successful anonymisation be achieved whether for medical research, Freedom of Information requests or for usage by commercial organisations?

“This depends on the data, the anonymisation technique used and how the end result is disseminated. We explain the relationship between these factors very clearly in the Code of Practice. Anonymisation is usually possible though. It is worth remembering that a lot of medical and social science research – in particular – isn’t about publishing data – it is about the exchange of information within closed, closely controller communities working to a proper set of rules. Again, this is something which we cover in the code, having added a lot more about ‘closed communities’ following the public consultation.” 

5.Why is more and more anonymised data being pushed into the public domain, and how is the government’s open data agenda influencing this?

“That is really a question for the government but I think it is clear that the public expects to know more about how our institutions are working, how significant decisions are being made and how public money is being spent. There is also a view that publishing more data openly in usable formats will bring about economic benefits and generally bolster the information economy. There is also a lot of data being put out through FoI – the scale and breadth of information the ICO has ordered to be disclosed since 2005 is remarkable. “

6.How can data be protected while also being used in innovative ways, and how can it create more transparency in government while aiding research organisations?

“Again, we hope the code of practice explains this. In most cases it is possible to create usable, linkable data which still does not identify anyone. The ‘University of Stevenham’ example in the code illustrates this. A lot of research takes place using that sort of technique – for example longitudinal health studies. The skill of the game here is to make the data as usable as possible whilst minimising the risk of re-identification – i.e. combining data so that somebody’s identity is revealed. However the techniques develop all the time and I think all the parties involved in putting out anonymised data are getting better at understanding and mitigating the risks.” 

7.What are the penalties for breaching the code?

“There are no penalties for breaching the code itself – the code is the ICO’s recommended good practice and following this will help organisations to comply with the Data Protection Act itself. A failure to comply with the DPA could mean a fine of up to £500,000. Again, the code contains an explanation of its status and its relationship to the DPA.” 

8.What will be the role of the new UK Anonymisation Network (UKAN)? 

“I hope I have explained this above. It is clear that there is a need for a place to go for experts in the field to discuss the challenges and share good practice, both with experienced practitioners and those new to the field.  We’re proud to fund the network. We also hope we’ll be able to use it ourselves to build up our own understanding of how anonymisation works. “

9.How will you encourage through the new consortium the sharing of best practices?

“Well, that is very much a question for the consortium and we will leave the running of the network to them,  we are confident though that it will  get members and that it will be useful in terms of helping people with very different levels of knowledge how to understand the complex of data types, anonymisation techniques, outputs and forms of dissemination. “

10.Any further comments? 

“Just to say that we hope the code of practice will be useful and to urge practitioners not to be put off by the more technical stuff. We have explained everything as clearly and accessibly as we can and we hope everyone will find it useful.”