Anonymisation provides a very valuable set of tools that allows data to be shared – thereby enabling the realisation of its huge social and economic value, whilst preserving confidentiality and allaying privacy risks and concerns.
All organisations collect some information from their clients/service users as part and parcel of their organisational activities and increasingly they are sharing (at least some of) the data they collect. The information they collect on their clients/service users i.e. direct identifiers e.g. name and address and potential indirect identifiers such as employment history, financial and health status is what is termed personal data. Personal data as described by the General Data Protection Directive (2016) are data that relate to living individuals who are or can be identified from the data.
Anonymisation is the art, or craft, of lowering or minimising the risk of individuals being identified from data, thereby allowing organisations to share, disseminate or publish their data for secondary use, whether for their own purposes or for the public good, safely and legally.
A common error when thinking about anonymisation is to focus on a fixed end-state of the data. This is a problem because it leads to much muddled thinking about what it means to produce ‘anonymised data’. Firstly, it focuses exclusively on the properties of the data whereas in reality the anonymity or otherwise of data is a function of both the data and their environment. Secondly, it leads one into some odd discussions about the relationship between anonymisation and its companion concept risk, with some commentators erroneously (or over-optimistically) assuming that anonymity entails zero risk of an individual’s being re-identified within a dataset. Thirdly, viewing it as an end-state means that one might assume that one’s work is done once the anonymisation process is complete and the end-state is produced, which in turn promotes a counterproductive mentality of ‘release-and-forget’.
Our approach called Functional anonymisation does not assume that anonymisation can be zero-risk or irreversible; it is meant instead to bring anonymisation practice in line with the art of the possible i.e. a minimisation of risk to a level of negligibility. Key to achieving functional anonymisation is a recognition that whether data are or are not anonymised is not a property of the data alone, but rather determined by the relationship between the data and the environment(s) in which they are held. In practice, this means taking account of both the data to be shared and features of the data environment(s) at the risk assessment stage not just at the risk management stage. We have developed a framework for guiding anonymisation practice: the Anonymisation Decision-Making Framework (ADF).which delivers functional anonymization.