de-identification – Privacy Design® [protecting people by good design, solid security, efficient processes and trusted services]

EDPS/AEPD: 10 Misunderstandings related to Anonymisation (Tue, 27 Apr 2021)

https://edps.europa.eu/system/files/2021-04/21-04-27_aepd-edps_anonymisation_en_5.pdf

    Misunderstandings:

  • “Pseudonymisation is the same as anonymisation”
    • Fact: Pseudonymisation is not the same as anonymisation.

  • “Encryption is anonymisation”
    • Fact: Encryption is not an anonymisation technique, but it can be a powerful pseudonymisation tool.

  • “Anonymisation of data is always possible”
    • Fact: It is not always possible to lower the re-identification risk below a previously defined threshold whilst retaining a useful dataset for a specific processing.
      • citing: Rocher, L., Hendrickx, J. M., & De Montjoye, Y. A. (2019). Estimating the success of re-identifications in incomplete datasets using generative models. Nature Communications, 10(1), 1-9, https://doi.org/10.1038/s41467-019-10933-3

  • “Anonymisation is forever”
    • Fact: There is a risk that some anonymisation processes could be reverted in the future. Circumstances might change over time and new technical developments and the availability of additional information might compromise previous anonymisation processes.

  • “Anonymisation always reduces the probability of re-identification of a dataset to zero”

  • “Anonymisation is a binary concept that cannot be measured”

  • “Anonymisation can be fully automated”
    • Fact: Automated tools can be used during the anonymisation process, however, given the importance of the context in the overall process assessment, human expert intervention is needed.

  • “Anonymisation makes the data useless”
    • Fact: A proper anonymisation process keeps the data functional for a given purpose.

  • “Following an anonymisation process that others used successfully will lead our organisation to equivalent results”
    • Fact: Anonymisation processes need to be tailored to the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

  • “There is no risk and no interest in finding out to whom this data refers to”
    • Fact: Personal data has a value in itself, for the individuals themselves and for third parties. Re-identification of an individual could have a serious impact for his rights and freedoms.

Germany: BDI paper: Anonymization of personal data (Wed, 18 Nov 2020)

Anonymisation of personal data
A cross-industry practical guide for industrial companies

https://bdi.eu/publikation/news/anonymisierung-personenbezogener-daten/

UKANON: second edition of the Anonymisation Decision-making Framework (Tue, 17 Nov 2020)

The Framework has been given a significant overhaul and for the first time there is a systematic method for evaluating your data environment.

https://ukanon.net/framework/

HHS: HIPAA De-Identification (Safe Harbor, Expert, FAQs) (Thu, 11 Jul 2019)

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#standard

Spain DPA: AEPD paper on anonymisation (k-anonymity) (Thu, 11 Jul 2019)

https://www.aepd.es/prensa/2019-06-14.html

https://www.aepd.es/media/notas-tecnicas/nota-tecnica-kanonimidad.pdf

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Thu, 30 May 2019)

https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

Researchers re-identify patients from a de-identified patient data set published by the Australian government (Wed, 21 Feb 2018)

The Australian government previously published a de-identified open health data set containing the patient data of a subset of the Australian population. The de-identification process involved not just stripping direct identifiers, but also adding some inaccuracies to the data set. However, the data set was still at the person level.

Researchers have been able to successfully re-identify some patients.


Abstract: With the aim of informing sound policy about data sharing and privacy, we describe successful re-identification of patients in an Australian de-identified open health dataset. As in prior studies of similar datasets, a few mundane facts often suffice to isolate an individual.
Some people can be identified by name based on publicly available information. Decreasing the precision of the unit-record level data, or perturbing it statistically, makes re-identification gradually harder at a substantial cost to utility. We also examine the value of related datasets in improving the accuracy and confidence of re-identification. Our re-identifications were performed on a 10% sample dataset, but a related open Australian dataset allows us to infer with high confidence that some individuals in the sample have been correctly re-identified.
Finally, we examine the combination of the open datasets with some commercial datasets that are known to exist but are not in our possession. We show that they would further increase the ease of re-identification.

https://arxiv.org/ftp/arxiv/papers/1712/1712.05627.pdf
