Anonymisation and Pseudonymisation are important concepts in a robust data protection regime. The concepts help data controllers and processors in minimising the risk of non-compliance.
GDPR defines personal data as any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
You may be interested in: Data Protection Bill, 2019 – Key Highlights
Anonymisation and Pseudonymisation defined
Anonymisation is defined under recital 26 “as the process of rendering data into a form which does not identify individuals and where identification is not likely to take place”. Pseudonymisation is defined under Article 4(5) as “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
Benefits of pseudonymisation
GDPR and member state data protection enactments are not applicable to truly anonymised data. However, pseudonymisation techniques will not exempt controllers from the ambit of GDPR altogether. Pseudonymization helps data controllers and processors in complying with the requirements of ‘data minimisation’ and ‘storage limitation’. The two concepts help organisations to use the data for purposes beyond those for which it was originally obtained (see article 6(4)).
Ascertaining true anonymisation
To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments (see recital 26 of GDPR). In reality, it can be difficult to determine whether data has been anonymised or is still personal data. This can call for sensible judgement based on the circumstances of the case in hand. The DPAs will take the effect or potential effect into account should a case of reidentification or inappropriate data disclosure come to his attention.
Case of Taxa before Danish authorities
In 2019, the Danish DPA has imposed a fine of approximately €160,754 on taxi company Taxa 4×35 (Taxa) for failure to ensure data minimization requirement. Taxa has stated that the information in DDS Pathfinder that relates to taxi rides is anonymised after 2 years and that this anonymisation consists of the customer’s name being deleted from the taxi ride. Taxa however stored the customer’s telephone number for 5 years. The DPA held that Taxa’s continued processing of the customer’s telephone number, with which the user can be identified is not true anonymisation. Therefore, it was held that Taxa has violated the data minimisation requirement by processing personal data than is reasonably required. True anonymisation requires diligent background work.
Motivated Intruder Test to ascertain the level of anonymisation
The UK ICO recommends the ‘motivated intruder’ test for assessing whether the anonymised data can be re-identified or not. The ‘motivated intruder’ is taken to be a person who starts without any prior knowledge but who wishes to identify the individual from whose personal data the anonymised data has been derived. The approach assumes that the intruder is motivated, reasonably competent, has access to standard resources, and employs standard investigative techniques. The ‘motivated intruder’ is not assumed to have any specialist knowledge such as computer hacking skills. Standard resources refer to resources such as the internet, libraries, and all public documents.
You may further refer to:
https://www.dataprotection.ie/sites/default/files/uploads/2019-06/190614%20Anonymisation%20and%20Pseudonymisation.pdf
https://ico.org.uk/media/1061/anonymisation-code.pdf
Add Comment