Often SaaS suppliers or SaaS customers anonymise personal data for use in statistical or marketing information, but are unaware that by using such anonymised data they could be breaching the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) has recently confirmed that anonymised personal data may be disclosed without the consent of the data subject, provided that the anonymised data, when linked with other information, will not lead to the identification of an individual.
Anonymisation
Under the DPA, personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes. It is therefore essential that personal data is effectively anonymised so that it is no longer personal data and thus excluded from the strict requirements of the DPA. For example, data controllers must consider whether the anonymised data, when combined with other information, would result in a disclosure of personal data.
Consent
In order to anonymise personal data it must first be processed. Organisations may therefore need to obtain consent to the anonymisation of personal data, in order to be able to later disclose such anonymised information. Such consent can be obtained by using an appropriate privacy policy, or some other form of notification which explains the anonymisation process and its consequences for individuals. This will be particularly relevant where a data controller is required to disclose data in compliance with a request under the Freedom of Information Act.
Re-Identification
Where there is a risk that an individual could suffer “damage, distress or financial loss” as a result of “re-identification” following disclosure of anonymised information, consent to the disclosure should be obtained from the individuals concerned.
ICO Anonymisation Code of Practice
By following the above basic steps, set out in more detail in the ICO’s draft code of practice on anonymisation, organisations can publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. The draft guide will be finalised later this year after the consultation period ends on the 23rd of August.
Help
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:
irene.bodle@bodlelaw.com
www.bodlelaw.com