Pseudonymised data: Difference between revisions
Amwelladmin (talk | contribs) (Created page with "{{a|gdpr|}}Article 4(5) of the UK GDPR defines pseudonymisation as: {{quote| “…processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”}...") |
Amwelladmin (talk | contribs) No edit summary |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 11: | Line 11: | ||
So putting in words JC understands: | So putting in words JC understands: | ||
*If you anonymise data — switch out all references to someone identifiable IRL with unique identifiers, randomised numbers and so on so that there is no possibility of anyone reverse engineering who the individuals are | *If you anonymise data — switch out all references to someone identifiable IRL with unique identifiers, randomised numbers and so on so that there is no possibility of anyone — whether inside your organisation of outside it — reverse engineering who the individuals are, then you are ''not'' processing personal data. | ||
*If you ''pseudonymise'' data — which is to anonymise it as per above but separately hold some kind of key which decodes it into something | *If you ''pseudonymise'' data — which is to anonymise it as per above but separately hold some kind of key which decodes it into something identifiable, then it still counts as personal data. If you are a third party given pseudonymised data, even though in your hands it is anonymous, seeing as someone else could reverse engineer it, it is still, in your hands, pseudonymised. This seems a bit harsh, but the risk is you (and the person holding the “key”) suffer some data breach or something like that. | ||
===Or does it=== | |||
If you wanted to make the alternative claim, you might look to thethe ruling of General Court of the European Union Case T-557/20, ''SRB v EDPS'', in which the General Court found that pseudonymised data will not be considered personal data in the hands of a recipient who does not have the additional decoding information needed to re-identify the data subjects and no legal means of obtaining it. The court thought the fact that the ''sender'' has the decoding key, and the means to re-identify data subjects, was irrelevant. | |||
{{sa}} | {{sa}} | ||
*[[Personal data]] | |||
*{{plainlink|https://ico.org.uk/media/about-the-ico/consultations/4019579/chapter-3-anonymisation-guidance.pdf|ICO guidance}} | *{{plainlink|https://ico.org.uk/media/about-the-ico/consultations/4019579/chapter-3-anonymisation-guidance.pdf|ICO guidance}} | ||
Latest revision as of 09:22, 24 June 2024
|
General Data Protection Regulation
|
Article 4(5) of the UK GDPR defines pseudonymisation as:
“…processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
The ICO’s guidance adds:
“At a basic level, pseudonymisation starts with a single input (the original data) and ends with two outputs (the pseudonymised dataset and the additional information). Together, these can reconstruct the original data. However, in relation to the individuals concerned, each output has meaning only in combination with the other.”
So putting in words JC understands:
- If you anonymise data — switch out all references to someone identifiable IRL with unique identifiers, randomised numbers and so on so that there is no possibility of anyone — whether inside your organisation of outside it — reverse engineering who the individuals are, then you are not processing personal data.
- If you pseudonymise data — which is to anonymise it as per above but separately hold some kind of key which decodes it into something identifiable, then it still counts as personal data. If you are a third party given pseudonymised data, even though in your hands it is anonymous, seeing as someone else could reverse engineer it, it is still, in your hands, pseudonymised. This seems a bit harsh, but the risk is you (and the person holding the “key”) suffer some data breach or something like that.
Or does it
If you wanted to make the alternative claim, you might look to thethe ruling of General Court of the European Union Case T-557/20, SRB v EDPS, in which the General Court found that pseudonymised data will not be considered personal data in the hands of a recipient who does not have the additional decoding information needed to re-identify the data subjects and no legal means of obtaining it. The court thought the fact that the sender has the decoding key, and the means to re-identify data subjects, was irrelevant.