Consultation launched on new data protection code
01 June 2012
Posted by John Bull
A consultation has commenced on a new anonymization code of practice that is intended to enhance data protection in the UK.
The Information Commissioner's Office (ICO) is carrying out the public exercise in order to reduce the risks of identification and explore ways in which details can be successfully anonymized.
Christopher Graham, the Information Commissioner, explained that as a growing amount of data enters the public domain, it is more important than ever that privacy rights are fully protected.
He welcomed greater access by UK citizens to the wealth of information available about the public sector and its organizations, but cautioned "the risks of anonymization can sometimes be underestimated and in other cases overstated".
"Organizations need to be aware of what those risks are and take a structured approach to assessing them," Mr Graham added.
The new code of practice is intended to provide guidance on how to anonymize data successfully, so that individuals are not identifiable, and on how to assess potential threats.
The consultation will run until August 23rd 2012 and a copy of the draft code is available from the ICO website. A final version, including any changes made as a result of the consultation, is scheduled for release this September.
The ICO is also planning to create a network of experts sharing best practice in the field and has launched a tendering process with a view to achieving this.
The watchdog has the power to fine companies up to £500,000 for the worst breaches of the Data Protection Act, with a recent penalty of £90,000 issued to one health authority.
Central London Community Healthcare NHS Trust was fined after an incident in March 2011 in which patient lists from the Pembridge Palliative Care Unit were faxed to the wrong recipient over a three-month period.
The individual in question let the trust know about the breach in June last year and had shredded the patient lists received, which contained sensitive personal data including resuscitation instructions and medical diagnoses.