Carousel_Arrow Chat icon_cookie IHT_trust_wills IR35 Combined Shape 2 Group 10 Login Mobile Menu Share Share Email SubMenuMobile Group 9 VAT View_Gallery View_List capital_allow Triangle 2 Copy Close construction cyberpro employment_tax_shares emplyer_solutions entrepreneurs_corps fee_protect Group 7 grant_fund Group i_Clock i_Consult i_Done i_Eligibility_Tick i_Enter i_Filter i_HMRC i_Negative i_Play i_Plus i_Reset i_Support_Legal i_Support_TaxDesk i_Support_VAT i_Tick noun_marketing_1872083 noun_online_2126759 i_download i_meet Group Copy 24 Group 18 noun_electrical_1240755 copy noun_Technology_2125422 noun_Science_2031115 i_tick_bullet_block international_tax patent_box private_client property_sdlt r_and_d reliefs_incentives Search specialist_tax status tax_indemnity valuation
Markel Insurance

03 Jun 2019

Anonymised personal data under the Data Protection Act

The question of what constitutes personal data has become increasingly important in this data driven world. Personal data demands protection and with increased fines from the Information Commissioner, organisations are taking extra care to secure data under their control. Questions around disclosure can be tricky. Read our blog to find out more.

What is personal data?
Broadly speaking, the GDPR applies to the processing of personal data that is wholly or partly by automated means; or processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
Personal data only includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
If personal data can be truly anonymised, then the data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised. Personal data is subject to protection and strict rules.
What happened?
In a recent case, a tribunal had to decide if Bristol University’s anonymised research into chronic fatigue syndrome constituted personal data. The requester, a Mr Peters, made the request under the Freedom of Information Act. The University refused disclosure arguing the information constituted research participants' personal data. The data was anonymised but was derived from information about children's physical and mental health.
The Information Commissioner’s Office agreed with the University that it was personal data and said "it was more than remote and reasonably likely" that individual children could be re-identified and disclosure would also breach the first data protection principle under the Data Protection Act 1998. As a result they decided that the University could rely on a Freedom of Information Act exemption on the basis that it was personal data within the meaning of the DPA 1998.
Mr Peters appealed the decision. The main question for the appeal tribunal was whether the trial participants could be re-identified from a combination of the requested data and other data that was already in the public domain. The tribunal stated that educated guesswork was insufficient and carefully considered the ICO guidance on the elements of "the motivated intruder" test in the ICO's code of practice "Anonymisation: managing data protection risk".
The tribunal concluded that re-identification of the participants were not possible.

Why it matters?
The request was processed before the Data Protection Act 2018 came into force on 25 May 2018 and therefore the tribunal had to consider the principles under the Data Protection Act 1998. We can still learn from this case as the main principles remain broadly the same.
The case summary of John Peters v IC (Allowed) [2019] UKFTT 2018_0142 (GRC) can found here.
Tagged Legal Expenses Insurance
Next article in series

01 Jun 2019

Markel wins Claims Service Solution Award