ICO: Publication of a Guide on the Anonymisation of HR Data
On March 28, 2025, the UK data protection authority, the Information Commissioner’s Office (ICO), published new guidance on data anonymisation and pseudonymisation in business environments.
In today’s data-driven landscape, sharing information within and across organisations has become essential—but it also carries inherent risks. Robust anonymisation techniques offer a privacy-respecting alternative to sharing personal data.
What is anonymisation?
Anonymisation refers to the process of applying techniques that make it practically impossible to identify an individual by any means.
Three core principles must be respected:
- Individualisation: It must not be possible to isolate a single individual within the dataset.
- Linkability: Separate datasets related to the same person must not be linkable.
- Inference: It should not be possible to infer new, almost-certain information about an individual.
Anonymisation should not be confused with pseudonymisation, where re-identification remains possible if additional information is available. In practice, pseudonymisation involves replacing directly identifying data in a dataset with indirect identifiers—such as aliases or sequential numbers.
Is data anonymisation mandatory?
Anonymisation is not a general requirement under the GDPR. Rather, it is one possible means of handling personal data while respecting the rights and freedoms of individuals.
The priority is ensuring adequate protection of personal data. Pseudonymisation measures may be sufficient, as long as they provide effective safeguards against re-identification by parties lacking access to additional information.
How can organisations ensure effective protection?
In its case study, the ICO illustrates how to protect data effectively without resorting to full anonymisation, which might compromise the usefulness of the results.
To conduct statistical analysis on job applicants—for example, identifying characteristics of applicants most likely to apply for a job, or detecting factors associated with higher resignation rates—a company implemented a pseudonymisation approach.
It began with technical measures. An internal software application processed the database and produced two outputs:
- A pseudonymised dataset, stripped of any information directly attributable to a specific person. Direct identifiers were removed, and generalisation techniques were applied (e.g. converting exact ages into ranges).
- A separate file containing additional information held by the company, used exclusively for statistical analysis.
In addition to these technical measures, organisational safeguards were introduced: access controls to prevent linking the two outputs, and audit logs to monitor user activity within the application.
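The two-output split described above can be sketched as follows. This is an added example, not code from the ICO guidance or from the company in the case study. The field names, the HMAC-SHA256 keyed pseudonym, the ten-year age bands and the group-size threshold `k` are all assumptions, and the final check for small groups goes beyond the case study to illustrate the individualisation criterion listed earlier.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample HR records; all field names and values are illustrative assumptions.
APPLICANTS = [
    {"name": "A. Example", "email": "a@example.org", "age": 34, "dept": "Sales", "resigned": False},
    {"name": "B. Example", "email": "b@example.org", "age": 37, "dept": "Sales", "resigned": True},
    {"name": "C. Example", "email": "c@example.org", "age": 41, "dept": "Engineering", "resigned": False},
    {"name": "D. Example", "email": "d@example.org", "age": 45, "dept": "Engineering", "resigned": False},
    {"name": "E. Example", "email": "e@example.org", "age": 58, "dept": "Engineering", "resigned": True},
]
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("age_band", "dept")

def age_band(age, width=10):
    """Generalise an exact age into a range such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def pseudonymise(records, key):
    """Return (rows, lookup): rows go to analysts, lookup is the separately
    held additional information and must sit behind its own access controls."""
    rows, lookup = [], {}
    for rec in records:
        # Keyed pseudonym: without the key, the id cannot be recomputed from an email.
        pid = hmac.new(key, rec["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        lookup[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS and k != "age"}
        row["pid"] = pid
        row["age_band"] = age_band(rec["age"])
        rows.append(row)
    return rows, lookup

def small_groups(rows, k=2):
    """Quasi-identifier combinations shared by fewer than k rows (singling-out risk)."""
    counts = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}

if __name__ == "__main__":
    rows, lookup = pseudonymise(APPLICANTS, b"constructed-demo-key")
    for row in rows:
        print(row)
    print("groups below k:", small_groups(rows))
```

In the constructed sample, the single applicant in the 50-59 Engineering group is flagged: even with name and email removed, that row still isolates one person, so wider bands or suppression would be needed before release.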
Looking to protect personal data but can’t afford to anonymise it without compromising its value?
Feel free to reach out to us for GDPR consulting.