Re: When is an ID not an ID?
This is a hard problem. What we need are some experts to help define the rules.
For example, take data from those cameras that watch traffic to help navigation apps (the commercial ones - let's put police cameras on one side for now). The data they collect includes a load of observations of the same number plate in different places over time. They then analyse that to understand how long it is taking traffic to get from (say) J1 on a motorway to J2 on the motorway at this time.
Now they realise that this data may be valuable at later time for other purposes (such as road planning). They could just sell the data, with the full reg number (or maybe a cut down reg number). Better, they could replace each occurrence of the same reg each day with a random number - so journeys for the same person could not be correlated across different days. Except that is probably not enough: many people make the same journeys every day so the person who leaves my village at 8AM, stops for 10 minutes in the local Sainsburys, then drives up the M1 is probably me. And if I sometimes take a diversion to my mistress on the way it can probably be spotted.
Like most hard problems we need multiple solutions working together. People selling data must make sure it contains no identifiers (nothing that definitely links samples together - not just email addresses, names or IP addresses but device fingerprints, etc).
They also need to make sure that data that is not critical for the purpose it has been sold for is removed - for example, age may not be necessary if you are calculating footfall for new bus routes. Thirdly, reidentification must be a criminal (not just contractual) act. And I am sure more.
Of course, Boris has decided the new ICO will burn all the privacy rules, instead of actually trying to fix these problems.