Question to the Department for Digital, Culture, Media & Sport:

To ask His Majesty's Government whether the report by the Information Commissioner's Office, Anonymisation: managing data protection risk code of practice, published in November 2012, (1) is still a statutory code of practice, and (2) if anonymising data only in line with the 2012 code, removes all of a data controller’s obligations under the Data Protection Act 2018.

The ICO Code of Practice on Anonymisation published in November 2012 was issued under the Data Protection Act 1998. That legislation was repealed and replaced by the GDPR and the Data Protection Act 2018 in May 2018. The 2012 report is therefore no longer a valid code of practice, although information which is anonymous continues to fall outside the scope of the UK’s data protection legislation.

The ICO is currently carrying out a call for views on its new, draft guidance on anonymisation, pseudonymisation, and privacy-enhancing technologies, due to finish on 31 December 2022. This new guidance includes key considerations organisations should undertake when determining whether information can be safely considered anonymous, and therefore outside the scope of data protection legislation.