The Data Protection Act 1998 is designed to protect the security of personal information, which is information that it is ‘reasonably likely’ could be used to identify individuals when matched with other data.

The Act requires that data must be processed for specific, explicit and legitimate purposes only and individual data can be processed only with the consent of the individual or where it is necessary for the purposes of the legitimate business interests of the data controller.

The Information Commissioner’s Office (ICO) has recently issued a draft code of practice indicating that consent to process individual information is not necessary when a thorough anonymisation process has taken place such that the anonymised material cannot have any direct impact on any individual and there is a system for taking into account the objections of any person who is opposed to the inclusion of their data in the anonymisation process.

The draft code of practice is part of a consultation process being carried out by the ICO, which will result in a formal code of practice being published, probably later this year.

The ICO recommends carrying out a risk assessment with regard to the data and, in particular, considering whether a ‘motivated intruder’ could re-identify the individual(s) concerned.

If you are considering making data collected from individuals public in anonymised form, following the ICO’s guidance is sensible.