Stergios Aidinlis s.aidinlis@keele.ac.uk
Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK
Aidinlis
Authors
Abstract
There has naturally been a good deal of discussion of the forthcoming General Data Protection Regulation. One issue of interest to all data controllers, and of particular concern for researchers, is whether the GDPR expands the scope of personal data through the introduction of the term ‘pseudonymisation’ in Article 4(5). If all data which have been ‘pseudonymised’ in the conventional sense of the word (e.g. key-coded) are to be treated as personal data, this would have serious implications for research. Administrative data research, which is carried out on data routinely collected and held by public authorities, would be particularly affected as the sharing of de-identified data could constitute the unconsented disclosure of identifiable information.
Instead, however, we argue that the definition of pseudonymisation in Article 4(5) GDPR will not expand the category of personal data, and that there is no intention that it should do so. The definition of pseudonymisation under the GDPR is not intended to determine whether data are personal data; indeed it is clear that all data falling within this definition are personal data. Rather, it is Recital 26 and its requirement of a ‘means reasonably likely to be used’ which remains the relevant test as to whether data are personal. This leaves open the possibility that data which have been ‘pseudonymised’ in the conventional sense of key-coding can still be rendered anonymous. There may also be circumstances in which data which have undergone pseudonymisation within one organisation could be anonymous for a third party. We explain how, with reference to the data environment factors as set out in the UK Anonymisation Network's Anonymisation Decision-Making Framework.
Acceptance Date | Feb 12, 2018 |
---|---|
Publication Date | Apr 1, 2018 |
Publicly Available Date | Mar 29, 2024 |
Journal | Computer Law & Security Review |
Print ISSN | 0267-3649 |
Publisher | Elsevier |
Pages | 222 - 233 |
DOI | https://doi.org/10.1016/j.clsr.2018.01.002 |
Publisher URL | https://www.sciencedirect.com/science/article/pii/S0267364918300153?via%3Dihub |
Files
1-s2.0-S0267364918300153-main.pdf
(415 Kb)
PDF
Publisher Licence URL
https://creativecommons.org/licenses/by/4.0/
You might also like
In for the long ride? Law and technology education in the UK and its utility in pursuing responsible tech careers
(2023)
Presentation / Conference
Providing Access to Justice Data for Legal/Tech Innovation in the UK
(2021)
Presentation / Conference
The Right to Be Forgotten as a Fundamental Right in the UK After Brexit
(2020)
Journal Article
Downloadable Citations
About Keele Repository
Administrator e-mail: research.openaccess@keele.ac.uk
This application uses the following open-source libraries:
SheetJS Community Edition
Apache License Version 2.0 (http://www.apache.org/licenses/)
PDF.js
Apache License Version 2.0 (http://www.apache.org/licenses/)
Font Awesome
SIL OFL 1.1 (http://scripts.sil.org/OFL)
MIT License (http://opensource.org/licenses/mit-license.html)
CC BY 3.0 ( http://creativecommons.org/licenses/by/3.0/)
Powered by Worktribe © 2024
Advanced Search