Pseudonymised data not subject to Data Protection says EC

June 28th, 2010 by admin

23 July 2007

Financial justification for pseudonymisation to mitigate privacy breaches

The European Commission on Data Protection (DP) has defined Pseudonymised data as non-personal data and not subject to the Data Protection Directive in certain instances. This new position effectively permits organisations to meet DP responsibilities more economically when sharing data with partners, as in the case of cross-border data flows which have previously required expensive, complex, and time-consuming contracts.

In its “Opinion 4/2007 on the concept of personal data”, the European Commission Article 29 Data Protection Working Party (WP) clarified the notion of “personal data”, thus enhancing legal certainty through the uniform interpretation of EC Directive 95/46/EC. Adopted on 20th June 2007, the document describes the following conditions necessary to consider Pseudonymised data as non-personal data and thus not subject to the Directive:

  • the Data Controller pseudonymises or key-codes Personally Identifiable Information (PII) to be given to a Data Processor that does not receive the key;
  • the goal of the processing must not be to identify individuals and influence or treat them differently from others.

In addition, the WP clarified its position on “retraceably pseudonymised” data, which may be considered indirectly identifiable and thus subject to the Directive. If the linking to the individual is done by the Data Controller only under predefined circumstances, the risks to the individuals are considered to be low. In these cases, the WP claims the application of the Directive will be more flexible than if information on directly identifiable individuals were processed.

The Opinions of the WP can be found at:

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2007_en.htm

“This enhanced legal certainty finally provides an economic justification for those organisations who have delayed implementing pseudonymisation in their privacy breach mitigation strategies,” said Robert Navarro, Managing Director of Sapior Ltd.

About Pseudonymisation

Pseudonymisation, a Privacy Enhancing Technology (PET), is essentially the replacement of Personally Identifiable Information (PII) – such as name, address or account number – with pseudonyms. Key-coded data are a classical example of pseudonymisation. Personally Identifiable Information (PII) is earmarked by codes, while the link between the code and the PII (like name, date of birth, address, etc.) is kept separately. Pseudonymised data can be used for audits, research, analysis, and administrative tasks or other work that requires access to relationships and trends in the data but not to PII.
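The key-coding described above, as an added example (not code from Sapior or from the WP Opinion): a Data Controller replaces the PII fields with a random code, keeps the code-to-PII link table to itself, and hands the Data Processor only the coded rows. The class, function and field names and the sample records are hypothetical.

```python
import secrets

class DataController:
    """Holds the key table (code <-> PII); it is never exported."""

    def __init__(self, pii_fields):
        self.pii_fields = tuple(pii_fields)
        self._code_by_identity = {}   # PII tuple -> code
        self._identity_by_code = {}   # code -> PII dict (the "key")

    def _code_for(self, record):
        identity = tuple(record[f] for f in self.pii_fields)
        code = self._code_by_identity.get(identity)
        if code is None:
            # Random code: carries no information about the PII, so it cannot
            # be reversed or recomputed without the key table.
            code = secrets.token_hex(8)
            while code in self._identity_by_code:
                code = secrets.token_hex(8)
            self._code_by_identity[identity] = code
            self._identity_by_code[code] = dict(zip(self.pii_fields, identity))
        return code

    def export_for_processor(self, records):
        """Return copies with the PII fields replaced by one 'subject_code'."""
        out = []
        for r in records:
            row = {k: v for k, v in r.items() if k not in self.pii_fields}
            row["subject_code"] = self._code_for(r)
            out.append(row)
        return out

    def reidentify(self, code):
        """Controller-only lookup of the person behind a code."""
        return self._identity_by_code[code]

def spend_per_subject(rows):
    """Processor-side analysis: works on codes only, never sees PII."""
    totals = {}
    for row in rows:
        totals[row["subject_code"]] = totals.get(row["subject_code"], 0) + row["amount"]
    return totals

# Constructed sample records (not real data).
RECORDS = [
    {"name": "Alice Example", "account": "ACC-001", "amount": 120},
    {"name": "Bob Sample", "account": "ACC-002", "amount": 75},
    {"name": "Alice Example", "account": "ACC-001", "amount": 30},
]
```

The same person always maps to the same code, so the processor can still see relationships and trends, while `reidentify` stays with the controller for the predefined circumstances in which linking back is allowed.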

