ICO's code of practice on anonymisation

The Information Commissioner's Office has released its code of practice on anonymisation, following a consultation period earlier in the year.

It's quite a lengthy document, but is worth a look —

• it reaffirms that anonymising data is an act of processing in itself, but one which is likely to be permitted under the "legitimate use" basis, and thus does not require consent;
• there's an interesting discussion about the disclosure of anonymous data, and the "motivated intruder" test for determining whether something should be treated as anonymous or not; and
• the second case study, on mobile footfall analytics, is particularly pertinent to the course here — my view is that the overall privacy harm (and public perception of the activity) would seem to demand more user control over the activity than ICO has seemed to suggest here.

What do you think? Does it set the bar too low, or it is realistic?