Anonymization Governance: Why It's Important for GDPR and for CPRA

Fox Rothschild LLP

What does the United Kingdom's Information Commissioner's Office's draft guidance say about governance and anonymization? Why is it important for GDPR and for the host of new US Privacy laws, including CPRA, CDPA and CPA?

Well, because if you properly anonymize, the data falls out of scope for GDPR. And in the US, if you de-identify, the information is no longer personal information. Still, you need to take steps (technical, organizational, contractual) to ensure that you comply. The guidance helps with how to implement these requirements.

CPRA defines deidentified information as information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer provided that the business that possesses the information:

  • Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.
  • Publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information. The business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subdivision.
  • Contractually obligates any recipients of the information to comply with all provisions of this subdivision.

Here is what you need to know

General:

  • When producing and disclosing anonymous information, you should take a comprehensive approach to governance.
  • You should use a DPIA to help you structure and document your decision-making processes around anonymization and identify risks to rights and freedoms and mitigation strategies in a structured way (e.g. consider whether using anonymous information for further purposes may lead to detrimental effects on an individual, such as discrimination or financial loss, and whether using anonymous information with poor analytical value may lead to detrimental effects on an individual).
  • Someone of sufficient seniority must oversee your anonymization process and associated decision-making.
  • The process of anonymizing personal data involves an operation, or set of operations, performed on that data and is therefore “processing.”
  • The act of anonymizing the personal data you hold must be fair and lawful.
  • You need to define your purpose and detail the technical and organizational measures you will take to achieve it. A key aspect of your considerations should be clarifying the context and purposes for anonymizing.
  • If you are planning to disclose any anonymous information, you should work with other organizations likely to be processing, and possibly disclosing, other information that could impact the effectiveness of your anonymization.

Limited Access

  • You should draw a distinction between publishing anonymous information to the world at large and limited access disclosures.
  • The more detailed the information is, the stronger the argument for limited access over general disclosure. The more aggregated and non-linkable, the more possible it is to publish, but the more robust your identifiability risk assessment needs to be.
  • For activities such as research, systems testing or planning, limited access may be more appropriate. For example, releasing data among a closed group with a finite number of researchers or institutions involved. You should prohibit further disclosure by contractual controls backed up by robust technical and organizational measures.
  • Limited access is particularly appropriate for handling anonymous information derived from sensitive source material.
  • If you are responsible for disclosing data on a limited access basis, you should put robust safeguards in place, before making the anonymous information available to others. This includes:
    • purpose limitation (of the use by the recipients)
    • training of recipients’ staff who will have access
    • security checks for those who will access the data
    • controls over the ability to bring other data into the environment
    • limiting data use to a particular project or set of projects
    • restricting disclosure of the data outside the limited access environment
    • prohibiting attempts at re-identification (This is specifically required by CCPA et al.)
    • ensuring appropriate measures are in place to destroy any accidentally re-identified personal data (This is specifically required by CCPA et al.)
    • implementing appropriate technical and organizational security measures, including confidentiality agreements for those who will access the data (including your staff) (This is specifically required by CCPA et al.)
    • restricting access to the data (eg by applying appropriate encryption techniques and access control policies)
    • limiting the number of copies of the data to what is necessary for the purposes of the disclosure
    • arranging for the destruction or return of the data and confirmation of completion thereof once the project is complete
    • imposing appropriate penalties if any recipient breaches the conditions placed on them (eg as part of contractual requirements)
  • You must conduct your own risk assessment to decide which controls apply. However, you should also coordinate with the other parties involved in the project to establish if you should include additional security measures.
  • Open data licensing models are clear that while anonymous information is within the scope of their conditions, those using the information are not permitted to do so in a way that enables re-identification to take place. However, in practice this may be difficult or impossible to enforce.

Difficult Cases:

  • Your governance approach should cater to cases where it is difficult to assess identifiability risk, or where that risk may be significant.
  • Consider whether alternative state-of-the-art techniques are available to ensure that the data is effectively anonymized and if there are technical and organizational measures to mitigate the risk of re-identification.
  • You should only use anonymous information in ways individuals would reasonably expect.
  • You should consider whether individuals would reasonably expect you to retain the data in identifiable form.
  • You should assess whether rendering personal data as anonymous information would affect related individuals and how any adverse impact can be justified.

Transparency:

  • Individuals have the right to know how and why you are processing their data. Your privacy policy should explain your approach to anonymization as clearly as possible, including any consequences it may have. The policy should be clear and easily accessible to individuals.
  • You should explain and describe:
    • Why you anonymize individuals’ personal data.
    • The techniques that you use to do this (in general terms).
    • What safeguards are in place to minimize the risk that may be associated with the production of anonymous information. In particular, whether you intend to make the anonymous information publicly available or only disclose it to a limited number of recipients.
    • Any risks of the anonymization you are carrying out, and the possible consequences of this. You should give them the opportunity to submit queries or comments about this.
    • Your reasoning for publishing anonymous information and explain how you did the “weighing-up,” what factors you took or did not take into account and why, and how you looked at identification “in the round.”
  • Do not disclose data that would make re-identification more likely.
  • Consider whether you can publish any DPIAs or relevant reports about your anonymization. This does not require you to publish the entire document. You can remove certain information if needed, or publish a summary.
  • Review the consequences of your anonymization program, particularly through analyzing any feedback. This should be an ongoing activity.
  • Make sure you are able to analyze and deal with any complaints or queries you receive from individuals.

Staff Training:

  • Staff must understand: (1) the anonymization techniques you use; (2) any risks involved; (3) how to mitigate these risks; and (4) their specific roles in ensuring anonymization is done safely.
  • It is important to keep up-to-date with any new guidance or case law that clarifies the legal framework surrounding anonymization. You should also ensure you keep up-to-date with new techniques that are available.

Re-identification in a security incident:

  • If a security incident leads to re-identification of an individual from data you treated as anonymous information prior to the incident, the ICO would not consider this as a personal data breach at the time, provided that you can demonstrate your decision-making to justify that the data was effectively anonymized.
  • Your governance procedures should address what you will do if you are concerned that the risk of re-identification has increased.

Confidentiality:

The legal duties of confidentiality apply independently of data protection law and can also apply to non-personal data or data of the deceased. Data protection law can apply even where there is no duty of confidentiality, or a public interest ground permitting the disclosure of confidential data.
