Open data & privacy: report by European Data Portal

Although the benefits of open data are already widely known as they have become an important resource to increase citizens' access to information in the public or private sector, and promote economic growth, scientific research and corporate accountability, concern grows when the open publication may damage the privacy of the individuals and violate the current legislation which prohibits the release of personal information.

There are methods to open up the information in a way that the data anonymity is preserved, however there are certain risks in the process. For this reason, a successful and sustainable open data programme should be guaranteed, based on three pillars: Morally, the data publisher should consider the privacy of data subjects; legally, data protection law must be respected and pragmatically, public confidence has to be maintained.

In this context, the European Data Portal has published the report "Open data and privacy", a new document carried out by the pan-European initiative to promote the re-use of data whereas data protection is respected.

Compiled from interviews with experts in the field and the analysis of the reform of the EU Data Protection rules, this document explains in detail the concepts of privacy, personal data protection, dissociation and re-identification of data at the same time it explores and shows governments how to publish information while the individual data are dissociated.

Moreover, the different phases in the open data lifecycle are shown, from collection to final follow-up, explaining what each of the stages consists of and how it is possible to maintain the anonymity of open data and not to violate privacy during the opening up and re-use process.

To conclude, this report includes eight general recommendations for a data controller or an organisation that was considering making datasets that have been derived from personal data open:

1. Understand the data. Consider potential use cases, and the value of the data. Identify stakeholders. Consider the effects on stakeholders of making it public.
2. Consult. Engage stakeholders about the publication programme. Key stakeholders include data subjects, potential consumers, domain experts, internal data controllers, and technical advisors. If consent for data releases can be obtained, then try to obtain it.
3. Three pillars: privacy, data protection and public confidence. By law, a data controller has to obey data protection legislation. But morally, the controller should consider subjects’ privacy, and retaining public confidence is essential for the sustainability of an Open Data programme.
4. Publication. A decision to publish personal data should be made only on the basis of a strong case in law.
5. Anonymity. Follow guidelines for anonymising personal data as the ICO (Information Commissioner’s Office) code of practice.
6. Utility. There is no point publishing data which has been denuded of serious content. Ideally, anonymisation will go far enough to reduce the risk of identification while retaining sufficient utility to meet the needs of data consumers.
7. Follow-up. Anonymisation and Open Data demand responsible data stewardship, including monitoring the context in which the data is likely to be used.
8. Crisis plan. Have a plan in place in the event of a problem.

This report is published only a few months after the entry into force of the reform of EU Data Protection rules. With this new material, the European Data Portal helps public agencies and private entities immersed in open data initiatives comply with the new rules intended to ensure throughout the European Union high standards of protection of personal information, adapted to the digital environment.

The state members have two years to amend their national legislation according to the latest European directive. Thus, in Spain, the current law 37/2007 on Reuse of Public Sector Information, which was already renovated in 2015, will have to be adjusted once again to give citizens more control over their data and ensure that their privacy is well protected in the digital area.