Brussels Privacy Symposium on Identifiability


The new General Data Protection Regulation - Is there sufficient pay-off for taking the trouble to anonymize or pseudonymize data?
Waltraut Kotschy
Brussels Privacy Symposium on Identifiability, November 8, 2016

What is “personal data”?
Defined in Art. 2 (a) of Directive 95/46/EC; nearly identical in the new data protection legal framework (italics = new):
Art. 4 (1) GDPR: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

What is “identified”?
The definition of “personal data” gives several examples of elements which can be used for the process of identification.
HOWEVER, unfortunately the definition does not say when precisely the effect of “identification” is finally achieved.
Art. 29 Group, Opinion 4/2007 on the concept of personal data, WP 136, from June 20th 2007: To identify a person means to describe this person so that he or she is “singled out” from all other persons in a group.
Which group? That depends. The circumstances of using the data are important!

What is “identifiable”?
A natural person is, according to the definition of “personal data”, “identifiable” if she or he “can be identified”.
Rec. 26 to the Directive: “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person;”
Rec. 26 of the GDPR: “… To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments …”

When are data “anonymized”?
There is no definition, neither in the Directive nor in the Regulation.
Data are “anonymized” as soon as they are no longer “personal data”:
Rec. 26 to the GDPR: “… The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
Rec. 26 to the GDPR: “… To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly …”

Why is “anonymous” an important concept?
Our age is information-driven. Data, including personal data, are a valuable commodity.
However, the use of personal data is strictly limited.
Is anonymization THE solution?
- Reliable anonymization is not easy to achieve
- Anonymization can usually be achieved only by considerable loss of informational value in the anonymized data

Pseudonymisation
The GDPR introduces the concept of pseudonymization with the purpose of making it possible to
- further use data, especially for scientific research and statistics,
- with lesser risks for the data subject
Pseudonymized data are defined as personal data, where the additional data, necessary for identifying the data subject, are kept separate and safe from attribution to the rest of the data;
- definition open concerning the method of “pseudonymizing”,
- disguising (especially encryption) of the main identifiers is not mentioned but would be covered by the text

Practical experience with pseudonymized data
Experience in Austria:
- Directive: extremely wide definition of “identifiability”
- Research community demanded a more workable approach
- Austrian implementation 2000: “indirectly personal data” = special key coded data
If identification without access to the pseudonymization key is not possible according to the state of the art, pseudonymized data shall be considered as
- “(nearly) no-risk”,
- but still “personal data”!

Privileged use
Disclosure to reliable third parties is generally allowed - not publication!
Processing “indirectly personal data” is exempt from several duties:
- no obligation to notify the processing to the DPA,
- no obligation to obtain permission from the DPA for transfers to known (reliable) recipients in third countries,
- no obligation to inform the data subjects about transfers to third parties,
- access rights of data subjects are suspended
No serious case of misuse encountered within 15 years.
The census has been conducted in Austria since 2010 by means of “indirectly personal data” – no more data about identified citizens!
No more protests concerning the census.

Effects of pseudonymization under the GDPR
Pseudonymization under the GDPR is mentioned in
- Art. 89 (1): as a means of enhancing protection in case of further use of data for research and statistics
- Art. 6 (4): as a means of possibly contributing to the compatibility of further use of data
- Art. 25: as a means to contribute to “privacy by design” in data applications
Rec. 28: “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”
Pseudonymization is no guarantee for data processing being “allowed”.

Conclusions (1)
Using anonymized data results in clear consequences under the GDPR: The GDPR is not applicable.
So, rendering data “anonymized” will “pay off” under the Regulation, but there is always a risk that anonymization, as to the level required in Rec. 26, has not been achieved: Although the consequences are clear, the requirements for dealing with “anonymized data” are less clear.
Using pseudonymised data under the GDPR has no precise legal consequences: Only on a case-by-case basis can it be evaluated whether a processing operation is rendered lawful by means of using pseudonymized data.

Conclusions (2)
The potential “pay-off” for pseudonymization in data protection has not (yet) been fully explored:
- Best practice rules for different areas of processing could clarify the conditions which could trigger privileged use of properly pseudonymized data – the GDPR offers several possibilities to have such best practice rules checked and approved by competent authorities
- Within the fining system implemented according to the GDPR there should be severe fines foreseen concerning any attempt of recipients of pseudonymized data to re-identify such data
- Such rules should be established on a European level in order not to counteract the harmonising effect of the GDPR