How do we ensure anonymisation is effective?

Chapter by the Information Commissioner’s Office (UK):
• “Effective anonymisation reduces identifiability risk to a sufficiently remote level.
• Identifiability is about whether someone is “identified or identifiable”. This doesn’t just concern someone’s name, but other information and factors that can distinguish them from someone else.
• Identifiability exists on a spectrum, where the status of information can change depending on the circumstances of its processing.
• When assessing whether someone is identifiable, you need to take account of the “means reasonably likely to be used”. You should base this on objective factors such as the costs and time required to identify, the available technologies, and the state of technological development over time.
• However, you do not need to take into account any purely hypothetical or theoretical chance of identifiability. The key is what is reasonably likely relative to the circumstances, not what is conceivably likely in absolute.
• You also need to consider both the information itself as well as the environment in which it is processed. This will be impacted by the type of data release (to the public, to a defined group, etc) and the status of the information in the other party’s hands.
• When considering releasing anonymous information to the world at large, you may have to implement more robust techniques to achieve effective anonymisation than when releasing to particular groups or individual organisations.
• There are likely to be many borderline cases where you need to use careful judgement based on the specific circumstances of the case.
• Applying a “motivated intruder” test is a good starting point to consider identifiability risk.
• You should review your risk assessments and decision-making processes at appropriate intervals. The appropriate time for, and frequency of, any reviews depends on the circumstances…”