23 July 2007
Financial justification for pseudonymisation to mitigate privacy breaches
The European Commission on Data Protection (DP) has defined pseudonymised data as non-personal data that is not subject to the Data Protection Directive in certain instances. This new position effectively permits organisations to meet DP responsibilities more economically when sharing data with partners, as in the case of cross-border data flows, which have previously required expensive, complex, and time-consuming contracts.
In its “Opinion 4/2007 on the concept of personal data”, the European Commission Article 29 Data Protection Working Party (WP) clarified the notion of “personal data”, thus enhancing legal certainty through the uniform interpretation of the EC Directive 95/46/EC. Adopted on 20th June 2007, the document describes the following conditions necessary to consider pseudonymised data as non-personal data and thus not subject to the Directive:
- the Data Controller pseudonymises or key-codes Personally Identifiable Information (PII) to be given to a Data Processor that does not receive the key;
- the goal of the processing must not be to identify individuals and influence or treat them differently from others.
In addition, the WP clarified its position on “retraceably pseudonymised” data which may be considered indirectly identifiable and thus subject to the Directive. If the linking to the individual is done by the Data Controller only under predefined circumstances, the risks to the individuals are considered to be low. In these cases, the WP claims the application of the Directive will be more flexible than if information on directly identifiable individuals were processed.
The Opinions of the WP can be found at:
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2007_en.htm
“This enhanced legal certainty finally provides an economic justification for those organisations who have delayed implementing pseudonymisation in their privacy breach mitigation strategies,” said Robert Navarro, Managing Director of Sapior Ltd.
About Pseudonymisation
Pseudonymisation, a Privacy Enhancing Technology (PET), is essentially the replacement of Personally Identifiable Information (PII) – such as name, address or account number – with pseudonyms. Key-coded data are a classical example of pseudonymisation: the PII is earmarked by codes, while the link between each code and the PII (such as name, date of birth or address) is kept separately. Pseudonymised data can be used for audits, research, analysis, administrative tasks or other work that requires access to relationships and trends in the data but not to PII.
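The key-coding arrangement described above can be sketched in Python as follows. This is an added example, not code from Sapior or the Working Party; the class and function names, the `ALLOWED_REASONS` value and the sample records are all assumptions made for illustration.

```python
import secrets
from collections import defaultdict

PII_FIELDS = ("name", "address", "account_number")   # PII examples named in the text
ALLOWED_REASONS = {"fraud_investigation"}            # hypothetical predefined circumstance

class DataController:
    """Keeps the code-to-PII link; the Data Processor never receives it."""

    def __init__(self):
        self._code_by_pii = {}   # PII tuple -> code, so one person always maps to one code
        self._pii_by_code = {}   # code -> PII tuple: the separately kept key table

    def _code_for(self, pii):
        if pii not in self._code_by_pii:
            code = "P-" + secrets.token_hex(8)   # random, so it cannot be recomputed from PII
            self._code_by_pii[pii] = code
            self._pii_by_code[code] = pii
        return self._code_by_pii[pii]

    def pseudonymise(self, records):
        """Return copies of the records with all PII fields replaced by a single code."""
        shared = []
        for rec in records:
            pii = tuple(rec[f] for f in PII_FIELDS)
            rest = {k: v for k, v in rec.items() if k not in PII_FIELDS}
            shared.append({"pseudonym": self._code_for(pii), **rest})
        return shared

    def retrace(self, code, reason):
        """Re-identify a code, controller-side only and only for a predefined reason."""
        if reason not in ALLOWED_REASONS:
            raise PermissionError("re-identification not permitted for: " + reason)
        return dict(zip(PII_FIELDS, self._pii_by_code[code]))

def spend_per_pseudonym(shared):
    """Processor-side analysis: per-person totals without access to any PII."""
    totals = defaultdict(int)
    for rec in shared:
        totals[rec["pseudonym"]] += rec["amount"]
    return dict(totals)

# Constructed sample data, not taken from the page.
RECORDS = [
    {"name": "A. Example", "address": "1 High St", "account_number": "0001", "amount": 120},
    {"name": "B. Sample", "address": "2 Low Rd", "account_number": "0002", "amount": 75},
    {"name": "A. Example", "address": "1 High St", "account_number": "0001", "amount": 30},
]
```

Only the output of `pseudonymise` is handed to the processor, so relationships in the data (two transactions by the same person) survive while the key table stays with the controller.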