SaaS Agreements – Data Protection – Anonymising Data

Often SaaS suppliers or SaaS customers anonymise personal data for use in statistical or marketing information but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data when linked with other information will not lead to the identification of an individual.

Anonymisation

Under the DPA personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes. It is therefore essential that personal data is effectively anonymised so that it is no longer personal data and thus excluded from the strict requirements of the DPA. For example data controllers must consider whether the anonymised data when combined with other information would result in a disclosure of personal data.

Consent

In order to anonymise personal data it must first be processed. Organisations may therefore need to obtain consent to the anonymisation of personal data, in order to be able to later disclose such anonymised information. Such consent can be obtained by using an appropriate privacy policy, or some other form of notification which explains the anonymisation process and its consequences for individuals. This will be particularly relevant where a data controller is required to disclose data in compliance with a request under the Freedom of Information Act.

Re-Identification

Where there is a risk that an individual could suffer “damage, distress or financial loss” as a result of “re-identification” following disclosure of anonymised information, consent to the discourse should be obtained from the individuals concerned.

ICO Anonymisation Code of Practice

By following the above basic steps set out in more detail in the ICO’s draft code of practice on anonymisation, organisations can publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. The draft guide will be finalised later this year after the consultation period ends on the 23rd of August.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

Bodle Law
Assign a menu in the Left Menu options.