Line to take - LTT162 - Anonymising Post codes
- FOI/EIR: FOI, EIR
- Section/Regulation: s40(2), reg 13
- Issue: Anonymising Post codes
- Source: Information Tribunal
- Details: Dundas v ICO & City of Bradford MDC (5 March 2007); Benford v ICO & Defra (14 November 2007)
- Related Lines to Take: LTT71, LTT144
- Related Documents: EA/2007/0084 (Dundas), EA/2007/0009 (Benford)
- Contact: RM
- Date: 18/01/2010
- Policy Reference: LTT162
- © Copyright Information Commissioner's Office, re-used with permission
- Original source linked from here: LTT
Line to take
This line is relevant when considering the anonymisation of personal data, not whether it is fair to disclose information on addresses.
Where a request captures personal data the first thing to do is to consider whether the personal data can be released in its entirety without breaching the data protection principles. If it can’t, it is often necessary to anonymise the information so that some of it can be released.
Where the information in question contains a postcode it will be necessary to redact part of the postcode in order to truly anonymise the information.
This is because full post codes are considered sufficient to identify specific addresses and are therefore capable of indentifying the individuals linked to that address.
However you cannot identify individual properties from the outbound part of a postcode (i.e. the first half e.g. SK9) and so this information does not risk identifying individuals.
So to anonymise information it is necessary to remove the second half of the postcode, leaving just the first half or, outbound part, of the postcode. Once information has been anonymised it is no longer personal data and there is no need to consider the data protection principles.
Identifying individuals from Postcodes
Post codes identify groups and tiers of addresses. They are comprised of two parts. The first half is known as the outbound postcode and identifies the post town. The second half is the inbound postcode and will identify a limited number of addresses and in some cases an individual address. In many cases it will be difficult to say with any certainty the extent to which postcodes falling within the scope of a request will relate to individual addresses and so the individuals living at that address. However since there is the risk that individuals could be identified from a full postcode the Commissioner considers it responsible to err on the side of caution and so our general approach will be treat the full post code of residential properties as identifying individuals.
Once the second half of the post code, the inbound half, is removed the post code can no longer identify an individual address and so can not be linked to an individual. The post code has therefore been anonymised. As explained in LTT144, data that has been anonymised is no longer considered to be personal data and so there is no need to consider the application of the data protection principles.
However this general approach does not rule out the possibility of full post codes being disclosed for example where it is obvious that the post code relates to a company address* or other non residential addresses, where the issue of personal data would not arise in the first place. (*Please note though that personal data extends to sole traders and partners and therefore post codes identifying the commercial property of such enterprises will also be personal data and therefore should not be disclosed in full if to do so would breach the data protection principles.)
There may also be cases where even though the full post code would identify an individual the disclosure of such personal data would not breach the data protection principles in that particular case.
Support for this approach is taken from two Tribunal decisions.
Dundas v ICO & the City of Bradford
In Dundas v ICO & the City of Bradford the request concerned the addresses of those involved in a consultation exercise on proposed changes to parish boundaries. By the time the case reached the Tribunal the public authority had disclosed the addresses of any organisation involved in the consultation, on the basis that these could not be personal data, and provided partial addresses for residential houses. The disputed information was the house numbers and the last two letters of the postcodes of these residential properties.
In respect of the residential addresses the Tribunal stated;
- “We consider that the full postcode, that is the last two letters, would be sufficient for a living individual to be identified and we consider that the postcodes, in this instance, fall within ...the definition of personal data. “ (para 56)
It is noticeable that in this case the Tribunal did not expect the public authority to go through its list of addresses to identify those which only related to individual residential properties so that postcodes identifying a three or four houses could be released. (Strangely the Tribunal approached this matter by reference to s16 explaining that it was not reasonable for the public authority’s duty to provide advice & assistance to extend as far as identifying those postcodes that were unique to one house. However the Commissioner would not accept that this is a situation that would trigger the duty to provide advice and assistance - see LTT87, it is really about the level of detail at which exemptions need to be applied. What we can take from this though is that in this case the Tribunal did not consider it practical for the public authority to go to such lengths)
The Tribunal then went onto to consider whether disclosing the full postcodes would contravene the data protection principles and concluded that in this particular case the first principle would be breached. (paras 72 -79)
Benford v ICO & Defra
This case concerned a request for a list of addresses of egg producing premises. Apparently egg boxes carry a code that amongst other things contains a farm ID number relating to the actual egg producer. The requestor wanted Defra’s list which allowed those serial numbers to be married up with the name of the egg producer and the address of the egg producing premises. In practice a great many egg producers are sole traders and so the addresses of those egg producers would be personal data and quite often be their residential address. The Tribunal concluded that;
- “... a residential address combined with a farm ID identifying the person at that address as an egg producer is, in our view clearly ‘personal data’.” (para 51).
However the Tribunal then went on to consider whether the list could be redacted so that information identifying the general area from which the eggs came could be released without breaching the data protection principles. The Tribunal concluded that the following level of detail could be released (see substitute DN — page 2 of the Tribunal’s decision);
Farm ID number together with
- Place name unless it is a small town or village (less than approximately 10,000 people)
- Outbound postcode
The Tribunal considered that as individuals could not be identified from this level of detail it did not constitute personal data and so did not go on to consider the application of the data protection principles.
It should be remembered that this line relates to the anonymisation of information, in order to allow information that would otherwise be personal data, to be released. There may be other situations in which it may be necessary to consider the redaction, or part redaction, of postcodes in order to render the disclosure of personal data fair. For example there may be cases where it is considered fair to disclose some, limited, information about an identifiable individual, that is, it is deemed fair to disclose some personal data, but that it would be too intrusive, and hence unfair, to disclose their full address. In such situations the redaction of postcodes is about the fairness of the disclosure, not the anonymisation of personal data. The level of redaction necessary to render a disclosure fair will depend on the circumstances of the case, but as we consider the disclosure of a full postcode equates to the disclosure of an actual address, then to prevent disclosure of the data subject’s address it will be necessary to at least redact the second half of the postcode.