On 28 March 2017, the Personal Data Protection Commission ("PDPC") published a revised version of its Anonymisation Advisory Guidelines ("Guidelines") issued under the Personal Data Protection Act. A high-level summary of the changes made to the Guidelines is set out below.
Serious possibility vs. less than serious possibility
In the revised Guidelines, the PDPC has clarified that the standard to be applied in considering whether personal data has been anonymised is whether there is a serious possibility that an individual could be re-identified. In applying this standard, the PDPC will consider the following factors in assessing the risks of re-identification:
- whether the data itself, or the data combined with other information to which the organisation has or is likely to have access, will result in re-identification; and
- the measures and safeguards implemented by the organisation to mitigate the risk of re-identification.
For highly sensitive personal data, the PDPC has set a higher bar: it requires an organisation to consider whether it would be appropriate to use or disclose such anonymised data, even if there is a less than serious possibility of an individual being identified from that data.
Assessing the risks of re-identification
The revised Guidelines also introduced several additional factors for an organisation to consider when determining if there is a serious possibility that an individual can be re-identified. These factors are:
- the nature of use and extent of disclosure of anonymised data (e.g. internal vs. public disclosure);
- the public and personal knowledge available to the recipients that may enable re-identification;
- the risks involved when disclosing multiple datasets; and
- the current state of technology as well as the possible technological developments occurring over the data retention period.
Managing the risks of re-identification
Organisations should implement controls to limit access to other information that could enable re-identification. These controls need not always involve technically sophisticated anonymisation technology; they include common-sense methods such as adopting:
- organisational structures;
- legally binding agreements, administrative rules, or policies;
- technical measures; and/or
- physical measures,
that limit access to information.
Additionally, the PDPC considers that it may be appropriate for an organisation to engage external experts to aid risk management, especially for complex anonymisation issues. Ultimately, the PDPC will take a holistic view in assessing the risk of re-identification, having regard to the relevant facts of the case.
Use, collection or disclosure of re-identified data
The PDPC has clarified that unintentional re-identification by an organisation is generally not considered collection of personal data, which would require the individual's consent. However, if the organisation subsequently uses or discloses such re-identified personal data, its actions would constitute use or disclosure of personal data.