Report “Privacy and AI Ethics – Understanding the convergences and tensions for the responsible development of machine learning”
https://sebastiengambs.openum.ca/files/sites/82/2021/11/OPC_final.pdf
CANON – Canadian Anonymization Network
Website
https://deidentify.ca/
Report “Practices for Generating Non-identifiable Data” (March 2021)
https://deidentify.ca/wp-content/uploads/2021/08/CANON-OPC-Project-Final-Report-v9.pdf
The CANON website includes an excellent list of external resources at https://deidentify.ca/resources/, including:
Standards Bodies
- NIST Privacy Engineering Collaboration Space – De-Identification Tools – June 2019
- ISO/IEC 20889:2018 – Privacy enhancing data de-identification terminology and classification of techniques – 2018
- ISO 25237:2017 – Health Informatics – Pseudonymization – January 2017
- NIST Special Publication (SP) 800-188: De-Identifying Government Data Sets – December 2016
- NIST Internal Report (NISTIR) 8053 – De-Identification of Personal Information – October 2015
Regulators / Government
Canada
- Health Canada – Public Release of Clinical Information – March 2019
- Information and Privacy Commissioner of Ontario – De-Identification Guidelines for Structured Data – June 2016
Europe
- United Kingdom Information Commissioner’s Office (ICO) – Anonymisation: managing data protection risk code of practice – March 2015
- Norway Datatilsynet (Norwegian DPA) – A Guide to the Anonymisation of Personal Data – 2015
- Article 29 Working Party – Opinion 05/2014 on Anonymization Techniques – April 2014
Asia-Pacific
- Australia (Queensland) Office of the Information Commissioner – Privacy and De-Identification – February 2019
- Australia (Victoria) Office of the Victoria Information Commissioner – Protecting unit-record level personal information – The limits of de-identification and the implications for the Privacy and Data Protection Act 2014 – May 2018
- Australia Office of the Australian Information Commissioner – De-identification and the Privacy Act – March 2018
- Australia (Victoria) Victorian Centre for Data Insights – De-identification Guideline – February 2018
- Hong Kong Office of the Privacy Commissioner for Personal Data – Guidance on Personal Data Erasure and Anonymisation – April 2014
- Japan Personal Information Protection Commission Secretariat – Anonymously Processed Information: Towards Balanced Promotion of Personal Data Utilization and Consumer Trust – February 2017
- Korea Multiple Agencies – Guidelines for De-Identification of Personal Data – June 2016
- Singapore Personal Data Protection Commission
- (Turkish only) Turkey Turkish Data Protection Authority – Guidelines on the Erasure, Destruction or Anonymization of Personal Data – November 2017 (summary here and here)
United States
- California Health and Human Services Agency – Data De-Identification Guidelines – September 2016
- Department of Health and Human Services – Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule – November 2012
- Federal Committee on Statistical Methodology – Working Paper 22: Report on Statistical Disclosure Limitation Methodology – 2005
NGOs, Not-for-Profit Organizations, etc.
Canada
- Health System Use Technical Advisory Committee Data De-Identification Working Group – ‘Best Practice’ Guidelines for Managing the Disclosure of De-Identified Health Information – October 2010
- CHEO Research Institute – Pan-Canadian De-Identification Guidelines for Personal Health Information – April 2007
United States
- TransCelerate BioPharma – De-Identification and Anonymization of Individual Patient Data in Clinical Studies – 2016
- DataSF (City and County of San Francisco’s Official Open Data Portal) – Open Data Release Toolkit – November 2016
Europe
- Pharmaceutical Users Software Exchange – PhUSE Data Transparency Workstream: A Global View of the Clinical Transparency Landscape – Best Practices Guide (May 2020)
- UK Medical Research Council Guidance Note 5 – Identifiability, Anonymisation and Pseudonymisation – September 2019
- UK Anonymisation Network – Anonymisation Decision-making Framework – 2016
- Pharmaceutical Users Software Exchange – PhUSE De-identification Standards – 2015
Asia-Pacific
- Australia National Data Service – ANDS De-Identification Guide – April 2018
- Australia Data61 / Commonwealth Scientific and Industrial Research Organization – The De-Identification Decision-Making Framework – September 2017
Global
- World Bank / International Household Survey Network – Statistical Disclosure Control for Microdata – A Practice Guide | A Theory Guide – October 2019
Documented timeline of DeFi exploits (not privacy-related, off-topic)
CCC RC3: Listen to Your Heart: Security and Privacy of Implantable Cardio Foo
https://media.ccc.de/v/rc3-2021-cwtv-272-listen-to-your-heart-s
(see also: https://media.ccc.de/c/rc3-2021 )
Starts with the usual security analysis of three devices by three manufacturers
– then the talk pivots to the responses to GDPR requests (information, data portability) by actual patients from the data controllers
The talk then closes with an analysis of how DSR requests were managed, which communication channels were used, etc.
The NO DPA imposes fine against Grindr LLC
The Norwegian Data Protection Authority has imposed an administrative fine of NOK 65 000 000 – approximately € 6.5 million – for not complying with the GDPR rules on consent.
Germany: Update (Dec 2021): DSK Orientierungshilfe Telemedien (Cookies, trackers, ..)
FDA: Digital Health Technologies for Remote Data Acquisition in Clinical Investigations
Draft Guidance for Industry, Investigators, and Other Stakeholders – Dec 2021
EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
Adopted on 18 November 2021
(e.g. MedTech comments at https://www.medtecheurope.org/resource-library/response-to-the-european-data-protection-board-consultation-on-the-guidelines-05-2021-on-the-interplay-between-article-3-and-the-provisions-on-international-transfers-as-per-chapter-v-of-the-gdpr/ )
https://edpb.europa.eu/system/files/2021-11/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf
includes:
Example 3: Processor in the EU sends data back to its controller in a third country
XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them non-EU residents, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.
[..]
Example 5: Employee of a controller in the EU travels to a third country on a business trip
George, employee of A, a company based in Poland, travels to India for a meeting. During his stay in India, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller (company A). Therefore, the disclosure is carried out within the same controller (A). The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR.
[..]
Example 6: A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country
The Irish Company A, which is a subsidiary of the U.S. parent Company B, discloses personal data of its employees to Company B to be stored in a centralized HR database by the parent company in the U.S. In this case the Irish Company A processes (and discloses) the data in its capacity of employer and hence as a controller, while the parent company is a processor. Company A is subject to the GDPR pursuant to Article 3(1) for this processing and Company B is situated in a third country. The disclosure therefore qualifies as a transfer to a third country within the meaning of Chapter V of the GDPR.
[..]
Example 7: Processor in the EU sends data back to its controller in a third country
Company A, a controller without an EU establishment, offers goods and services to the EU market. The French company B, is processing personal data on behalf of company A. B re-transmits the data to A. The processing performed by the processor B is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since it takes place in the context of the activities of its establishment in the EU. The processing performed by A is also covered by the GDPR, since Article 3(2) applies to A. However, since A is in a third country, the disclosure of data from B to A is regarded as a transfer to a third country and therefore Chapter V applies.
IPEN webinar 2021: “Pseudonymous data: processing personal data while mitigating risks”
Material from IPEN webinar 2021: “Pseudonymous data: processing personal data while mitigating risks” – with recorded videos etc.
https://edps.europa.eu/ipen-webinar-2021-pseudonymous-data-processing-personal-data-while-mitigating-risks_en
including e.g.
- An overview of existing pseudonymisation techniques https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-pseudonymous-data-prokopios-drogkaris_en
- Pseudonymisation As a Service https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-pseudonymous-data-cedric-lauradoux_en
- Cryptography at the service of pseudonymisation https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-pseudonymous-data-konstantinos-limniotis_en
- Data subject access requests for pseudonymised diagnostic data https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-pseudonymous-data-sjoera-nas_en
- Pseudonymisation in healthcare research and practice https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-pseudonymous-data-prof-dr-fabian-prasser_en
- How GDPR fosters pseudonymisation in academic research – The perspective of a university hospital DPO https://edps.europa.eu/press-publications/press-news/videos/ipen-2021-pseudonymisation-data-griet-verhenneman_en
- Pseudonymisation: some feedback from supervisory authorities
DATENTAG ONLINE: DATENSCHUTZ UND KÜNSTLICHE INTELLIGENZ
Stiftung Datenschutz, 13 Dec 2021
includes
- Potenziale von Künstlicher Intelligenz mit Blick auf das Datenschutzrecht – Gutachten https://stiftungdatenschutz.org/fileadmin/Redaktion/Gutachten-Studien/Stiftung-Datenschutz_Gutachten-Georg-Borges-Potenziale-Kuenstliche-Intelligenz-Datenschutzrecht-2021-12.pdf
- Chancen und Risiken von Künstlicher Intelligenz und Algorithmen aus antidiskriminierungsrechtlicher Perspektive – Gutachten https://stiftungdatenschutz.org/fileadmin/Redaktion/Gutachten-Studien/Stiftung-Datenschutz_Gutachten-Dr-Duygu-Damar-2021-12.pdf
- Antidiskriminierungs- und datenschutzrechtliche Grenzen algorithmischer Entscheidungsprozesse – Eine Handreichung https://stiftungdatenschutz.org/fileadmin/Redaktion/Gutachten-Studien/Stiftung-Datenschutz-Wiebke-Froehlich-Handreichung-Datenschutz-und-Gleichstellung-2021-12.pdf
(artificial intelligence, ai)