EDPS/AEPD: 10 Misunderstandings related to Anonymisation

https://edps.europa.eu/system/files/2021-04/21-04-27_aepd-edps_anonymisation_en_5.pdf

    Misunderstandings:

  • “Pseudonymisation is the same as anonymisation”
    • Fact: Pseudonymisation is not the same as anonymisation

  • “Encryption is anonymisation”
    • Fact: Encryption is not an anonymisation technique, but it can be a powerful pseudonymisation tool.

  • “Anonymisation of data is always possible”
    • Fact: It is not always possible to lower the re-identification risk below a previously defined threshold whilst retaining a useful dataset for a specific processing.
      • citing: Rocher, L., Hendrickx, J. M., & De Montjoye, Y. A. (2019). Estimating the success of re-identifications in incomplete datasets using generative models. Nature communications,
        10(1), 1-9, https://doi.org/10.1038/s41467-019-10933-3

  • “Anonymisation is forever”
    • Fact: There is a risk that some anonymisation processes could be reverted in the future. Circumstances might change over time and new technical developments and the availability of additional information might compromise previous anonymisation processes.

  • “Anonymisation always reduces the probability of re-identification of a dataset to zero”

  • “Anonymisation is a binary concept that cannot be measured”

  • “Anonymisation can be fully automated”
    • Fact: Automated tools can be used during the anonymisation process, however, given the importance of the context in the overall process assessment, human expert intervention is needed.

  • “Anonymisation makes the data useless”
    • Fact: A proper anonymisation process keeps the data functional for a given purpose.

  • “Following an anonymisation process that others used successfully will lead our organisation to equivalent results”
    • Fact: Anonymisation processes need to be tailored to the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

  • “There is no risk and no interest in finding out to whom this data refers to“
    • Fact: Personal data has a value in itself, for the individuals themselves and for third parties. Re-identification of an individual could have a serious impact for his rights and freedoms.

Researchers re-identify patients from a de-identified patient data set published by the Australian government

The Australian government published a de-identified open health data set in the past, which contained the patient data of a subset of the Australian population.  – The de-identification process  involved not just stripping direct identifiers, but also adding some inaccuracies to the data set. However, the data set was still at the person-level.

Researchers have been able to successfully re-identify some patients.

Continue reading “Researchers re-identify patients from a de-identified patient data set published by the Australian government”