
Anonymization of personal data: mission impossible?

by admin

A recent measure of the Italian Privacy Guarantor (Garante) indicates that the techniques most commonly in use are not sufficient to make data anonymous.

The measure, which arises from a statement by a family doctor on data processing for a scientific research project, sets out in detail a series of considerations on data anonymization.

The Guarantor indicates that “Anonymised data, to which the legislation on the protection of personal data does not apply, is such only if it does not allow the direct or indirect identification of a person, taking into account all reasonable means (economic, information and technological resources, skills, time) available to whoever (controller or other subject) tries to use these means to identify a data subject.

The process described, qualified as anonymization, must therefore prevent the following from being possible:

isolate one person in a group (single-out);

link anonymised data to data referable to a person present in a separate set of data (linkability);

deduce new information referable to a person from anonymized data (inference).”

Replacing the patient code with a hash is not a sufficient measure: “In this regard, it should be noted that the mere replacement of the patient’s ID with an irreversible hash code obtained from it does not constitute, under any circumstances, an appropriate measure with respect to the requirement of the removal of singularities (single out) necessary to qualify the treatment as an ‘anonymisation’: this is reaffirmed by the Article 29 Working Party’s statement that “merely relying on the strength of the encryption mechanism as a measure of the degree of ‘anonymisation’ of a data set is misleading, as many other technical factors and organizational factors affect the general security of an encryption mechanism or a hash function” (Opinion 05/2014 on anonymisation techniques)”.

The presence of a unique hash (cryptographic code), even when made harder to reverse by an unknown secret element (a salt), has the effect of uniquely associating a record with a specific patient if the hash does not vary over time for that patient. This essentially nullifies the benefit of generalizing patient data into equivalence classes (e.g. groups sharing the same age and location), as envisaged by the k-anonymity technique. k-anonymity consists in grouping data subjects on the basis of specific combinations of attributes, suitably generalized, so that each group contains at least k indistinguishable subjects. By way of example, I could remove the municipality of residence, replacing it with the region, and discard those groups of records sharing the same region whose size is less than k (in the case in question this value was set at 10).
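To make the point concrete, here is an added Python example (not code from the Garante's measure or from the author): it pseudonymizes constructed patient records with a salted hash, generalizes municipality to region and exact age to a ten-year band, and shows that keeping the stable hash as a column collapses every k-anonymity equivalence class to size 1, while dropping it and suppressing classes smaller than k=10 leaves only classes of at least ten records. The records, the municipality-to-region map and the salt are constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample data (not real patients): 10 records each in Milano,
# Bergamo and Torino, plus 3 in Genova, all aged 40-44.
RECORDS = [
    {"patient_id": f"P{i:03d}", "municipality": ["Milano", "Bergamo", "Torino"][i % 3], "age": 40 + i % 5}
    for i in range(30)
] + [{"patient_id": f"P{i:03d}", "municipality": "Genova", "age": 40 + i % 5} for i in range(30, 33)]

# Assumed municipality -> region mapping used for generalization.
REGION = {"Milano": "Lombardia", "Bergamo": "Lombardia", "Torino": "Piemonte", "Genova": "Liguria"}

SALT = b"constructed-secret-salt"  # unknown to the recipient, but fixed over time per patient


def pseudonymize(record, salt=SALT):
    """Replace the patient id with a salted, irreversible SHA-256 hash (the measure criticised above)."""
    digest = hashlib.sha256(salt + record["patient_id"].encode()).hexdigest()
    return {**record, "pseudonym": digest}


def generalize(record):
    """Generalize municipality -> region and exact age -> 10-year band; drop the precise fields."""
    low = record["age"] // 10 * 10
    out = {key: v for key, v in record.items() if key not in ("patient_id", "municipality", "age")}
    out.update(region=REGION[record["municipality"]], age_band=f"{low}-{low + 9}")
    return out


def class_sizes(rows, quasi_ids):
    """Size of each equivalence class, keyed by the tuple of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def min_class_size(rows, quasi_ids):
    return min(class_sizes(rows, quasi_ids).values())


def k_anonymize(rows, quasi_ids, k):
    """Suppress every record whose equivalence class has fewer than k members."""
    sizes = class_sizes(rows, quasi_ids)
    return [r for r in rows if sizes[tuple(r[q] for q in quasi_ids)] >= k]


def demo(k=10):
    generalized = [generalize(pseudonymize(r)) for r in RECORDS]
    # With the stable hash kept as a column every class has one member: singling out is trivial.
    with_hash = min_class_size(generalized, ("pseudonym", "region", "age_band"))
    # Without the hash, suppressing small classes leaves only classes of at least k records.
    stripped = [{key: v for key, v in r.items() if key != "pseudonym"} for r in generalized]
    released = k_anonymize(stripped, ("region", "age_band"), k)
    return with_hash, len(released), min_class_size(released, ("region", "age_band"))


if __name__ == "__main__":
    print(demo())  # prints (1, 30, 10): the 3 Liguria records are suppressed
```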


The Guarantor therefore reiterates that there must be no unique values that make a record unique. Otherwise we fall into the case of pseudonymized data, which remain personal data and must therefore be processed in compliance with the Regulation.

The opinion, which is very detailed, also addresses some issues specific to the case in question, such as the ownership of the data and the purpose of the processing, and also formulates considerations on the financial compensation that the family doctors joining the project would have received.
