John Burn-Murdoch guardian.co.uk, Friday 12 April 2013

“Law is always going to be playing catch up to technology”, says senior UK data protection lawyer, as Britain negotiates new EU data protection regulations

Data processing practices are evolving faster than the law can adapt to them, according to a senior British lawyer at an international law firm specialising in data protection.

Ask a lawyer and a database administrator for their definitions of “delete” or “anonymise” and you will quickly realise the size of the task facing legislators around the world as they seek to define and prevent irresponsible and outright criminal uses of data in 2013.

Speaking to the Guardian, Bridget Treacy, leader of UK Privacy and Information Management practice at law firm Hunton & Williams stated her belief that legislation will always be playing catch up to technology in this area, adding “that’s just the way it is”.

Among the most contentious areas of data protection law in the UK are the dual concepts of anonymisation and pseudonymisation of data.

Anonymous data is data that is in such a format that it is impossible to establish the identity of any individuals whose details are contained in a database. Pseudonymous data has had personal details removed – such as names replaced with unique ID codes – but still contains sufficiently detailed information for someone to be able to establish the identities of individuals, even if this required combining it with a second database not held by the company in question.

If data is fully anonymised, it is no longer subject to the Data Protection Act (DPA), because it no longer relates to an identified or identifiable individual. In contrast, pseudonymous data remains personal data because it is capable of being related to an identified or identifiable individual, and thus remains subject to the DPA.

Chief among the challenges facing legislators in this area is the question of whether any individual dataset can be considered truly anonymous if its owner also holds the raw, personally identifiable data from which it was created.

“How do we decide whether the data is really anonymous when we hold all of the constituent elements of it?”, asks Treacy. “If I have a list of information where I’ve replaced individuals’ names with codes, but I also have – perhaps at another location – the same list with the names instead of the codes, I have pseudonymised information, but not anonymised information, if I can link the data sets.

“Our definition of personal data in the DPA refers not just to information that is readily to hand, but also to information that you are likely to obtain, so it takes a much broader perspective. I think therefore it is quite hard for companies to seek to anonymise data but still hold the keys that unlock it. Sometimes a trusted third party can be utilised to ensure the data sets are not combined.”

Read the complete article on http://goo.gl/ZzRN0