Data protection law is in danger of lagging behind technological change

John Burn-Murdoch, Friday 12 April 2013

“Law is always going to be playing catch up to technology”, says senior UK data protection lawyer, as Britain negotiates new EU data protection regulations


Data processing practices are evolving faster than the law can adapt to them, according to a senior British lawyer at an international law firm specialising in data protection.

Ask a lawyer and a database administrator for their definitions of “delete” or “anonymise” and you will quickly realise the size of the task facing legislators around the world as they seek to define and prevent irresponsible and outright criminal uses of data in 2013.


Speaking to the Guardian, Bridget Treacy, leader of UK Privacy and Information Management practice at law firm Hunton & Williams stated her belief that legislation will always be playing catch up to technology in this area, adding “that’s just the way it is”.


Among the most contentious areas of data protection law in the UK are the dual concepts of anonymisation and pseudonymisation of data.


Anonymous data is data that is in such a format that it is impossible to establish the identity of any individuals whose details are contained in a database. Pseudonymous data has had personal details removed – such as names replaced with unique ID codes – but still contains sufficiently detailed information for someone to be able to establish the identities of individuals, even if this required combining it with a second database not held by the company in question.


If data is fully anonymised, it is no longer subject to the Data Protection Act (DPA), because it no longer relates to an identified or identifiable individual. In contrast, pseudonymous data remains personal data because it is capable of being related to an identified or identifiable individual, and thus remains subject to the DPA.


Chief among the challenges facing legislators in this area is the question of whether any individual dataset can be considered truly anonymous if its owner also holds the raw, personally identifiable data from which it was created.


“How do we decide whether the data is really anonymous when we hold all of the constituent elements of it?”, asks Treacy. “If I have a list of information where I’ve replaced individuals’ names with codes, but I also have – perhaps at another location – the same list with the names instead of the codes, I have pseudonymised information, but not anonymised information, if I can link the data sets.

“Our definition of personal data in the DPA refers not just to information that is readily to hand, but also to information that you are likely to obtain, so it takes a much broader perspective. I think therefore it is quite hard for companies to seek to anonymise data but still hold the keys that unlock it. Sometimes a trusted third party can be utilised to ensure the data sets are not combined.”


Read the complete article on


About Shailendra Nair

I am full-time IT professional, with excellent exposure in Information technology management, mission critical business application & development, Information security & advisory practice . I have been in the field for little over 13 + years have significant achievement and set new trends in the field & Industry. Grandson of late Indian freedom fighter from Kerala, I am photographer , blogger, guitarist by hobby , adamant NOT arrogant, travel & foodie at heart, globe trotting road warrior , multidimensional thinker & dreamer.
This entry was posted in Technology and tagged . Bookmark the permalink.

Kindly leave your feedback or suggestions

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s