HHS: HIPAA De-Identification (Safe Harbor, Expert, FAQs)
Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
Spain DPA: AEPD paper on anonymisation (k-anonymity)
Danish DPA on email encryption (TLS vs. end-to-end)
From the annual report 2018 (Google translation, so there might be flaws)
http://www.datatilsynet.dk/media/7896/aarsberetning_2018.pdf
Encryption of emails
- On July 23, 2018, the Data Inspectorate published a review of the conditions for processing operations in which confidential and sensitive information is sent by e-mail over networks outside the data controller's control (e.g. the Internet).
- The conclusion of this review was that data controllers – for all the processing operations they carry out – must make an assessment of the risk to the rights of the data subjects, that the compromise risk profile of an unencrypted e-mail sent on a network the controller does not control is at the high end of the scale, and that the Danish Data Protection Agency is of the opinion that encryption is an appropriate security measure for e-mail containing confidential and sensitive information.
- On September 20, 2018, the Data Inspectorate published a more detailed text specifying the technical possibilities for such encryption.
Two possible approaches for encryption: either encryption on the transport of the data packets containing the e-mail when sent over the network, or encrypting the actual contents of the e-mail at the sender before it is sent over the network.
- It is the data controller who – based on its risk assessment – must assess the level of security and, accordingly, the form of encryption that is appropriate.
- The Data Inspectorate also stated that there are types of processing where encryption on the transport layer is appropriate. In addition, the Authority stated that encryption on the transport layer should be considered as a minimum level of security when sending confidential or sensitive personal data by e-mail.
- Where the risk to the data subjects’ rights is higher, the safer end-to-end encryption will be appropriate.
Example:
A data controller sends a file of health information about a large number of data subjects to a data processor for the purpose of sending letters.
The data controller, based on a risk assessment, decides that end-to-end encryption will be an appropriate precautionary measure.
An ongoing collaboration with the data processor could be arranged so that the two parties have exchanged S/MIME certificates and can therefore send end-to-end encrypted e-mails back and forth to each other.
- It is the data controller who is responsible for the secure transmission to the recipient’s mail server.
- When the e-mail is delivered to the recipient’s mail server, the responsibility for processing this e-mail is handed over to the recipient.
- A data controller cannot be held responsible for the fact that a citizen has chosen to create a free e-mail account with a service provider that potentially uses the e-mail for its own purposes.
- The data controller is responsible for the processing of personal data that takes place on its own mail server, whether it is operated internally within the company, the authority or the like, or whether an agreement has been entered into with a third party for handling e-mails on behalf of the data controller.
EDPS: Guidelines on the protection of personal data processed through web services provided by EU institutions (Nov 2016)
https://edps.europa.eu/sites/edp/files/publication/16-11-07_guidelines_web_services_en.pdf
Also includes interesting links to other EU papers (e.g. on cloud).
Sadly from Nov 2016, so written with GDPR in mind, but before it came into force.
Covered technologies include:
- Cookies
- Scripts (e.g. JavaScript code) and components (such as browser plugins) to be executed on the client side
- Web caching mechanisms
- HTML5 local storage
- “Device fingerprinting”
- “Canvas fingerprinting” and “Evercookies”
- Web beacons
CNIL Privacy Impact Assessment Knowledge Bases
https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf
I keep going back to this resource, as it has a good set of examples of privacy risks.
It also has a long catalog of technical and organizational measures (TOM).
CNIL – From dark patterns to data protection: the influence of UX/UI design on user empowerment
Handbook on European data protection law. 2018 edition
Prof. Dr. Thomas Hoeren – Skript Internetrecht 2018
Fieldfisher’s four-part blog on CCPA
Fieldfisher has a very readable four-part blog on the California Consumer Privacy Act 2018 (CCPA)