SaaS Agreements – Data Protection – Anonymising Data

Often SaaS suppliers or SaaS customers anonymise personal data for use in statistical or marketing information but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data when linked with other information will not lead to the identification of an individual.


Under the DPA personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes. It is therefore essential that personal data is effectively anonymised so that it is no longer personal data and thus excluded from the strict requirements of the DPA. For example data controllers must consider whether the anonymised data when combined with other information would result in a disclosure of personal data.


In order to anonymise personal data it must first be processed. Organisations may therefore need to obtain consent to the anonymisation of personal data, in order to be able to later disclose such anonymised information. Such consent can be obtained by using an appropriate privacy policy, or some other form of notification which explains the anonymisation process and its consequences for individuals. This will be particularly relevant where a data controller is required to disclose data in compliance with a request under the Freedom of Information Act.


Where there is a risk that an individual could suffer “damage, distress or financial loss” as a result of “re-identification” following disclosure of anonymised information, consent to the discourse should be obtained from the individuals concerned.

ICO Anonymisation Code of Practice

By following the above basic steps set out in more detail in the ICO’s draft code of practice on anonymisation, organisations can publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. The draft guide will be finalised later this year after the consultation period ends on the 23rd of August.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: