Pseudonymous
Pseudonymous means there are appropriate technical and operational processes within the organization using the identifier to keep this identifier separate from an individual’s identity. Pseudonymous information is one form of Personal Data.
“Pseudonymize” or “Pseudonymization” is a process to create an addressable identifier that is kept separate from an individual’s directly-identifiable identity with an appropriate technical or operational process. This means the information is no longer attributable to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that this information is not subsequently mapped to an identifiable individual.
Pseudonymization techniques include algorithmic functions (such as a one-way process that transforms input identifiers into output identifiers) or a tokenization process (a bidirectional mapping that transforms input identifiers into output identifiers). A common example of the former is hashing email addresses to produce a new pseudonymous identifier. A common example of the latter is substitution (e.g., linking the zip code 90210 to “Beverly Hills,” given that there are other zip codes in that California region). Algorithmic functions are preferred because they offer stronger protection than substitution or tokenization forms of pseudonymization.[1]
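The two techniques above side by side, as an added example (not part of the original page): a one-way, keyed hash of email addresses, and a tokenization vault holding the bidirectional mapping. The key and the vault play the role of the "additional information kept separately"; the email addresses are constructed sample input.

```python
import hashlib
import hmac
import secrets

# Constructed sample input; these are not real accounts.
EMAILS = ["alice@example.com", "Alice@Example.com ", "bob@example.org"]


def normalize_email(email: str) -> str:
    """Canonicalise the identifier so case and whitespace variants map to one pseudonym."""
    return email.strip().lower()


def pseudonymize_hmac(email: str, key: bytes) -> str:
    """One-way (algorithmic) pseudonymization of an email address.

    A keyed hash (HMAC-SHA256) is used instead of a bare SHA-256 digest:
    the secret key, stored apart from the pseudonymized data set, is what
    prevents anyone without it from recomputing pseudonyms for known
    addresses. Rotating the key yields an unrelated set of pseudonyms.
    """
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: a bidirectional mapping kept apart from the data that uses the tokens.

    Only the holder of the vault can resolve a token back to the original value;
    the tokens themselves carry no information about the input.
    """

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, email: str) -> str:
        email = normalize_email(email)
        if email not in self._to_token:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the input
            self._to_token[email] = token
            self._to_value[token] = email
        return self._to_token[email]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored separately in practice
    vault = TokenVault()
    for e in EMAILS:
        print(normalize_email(e), pseudonymize_hmac(e, key), vault.tokenize(e))
```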
“Pseudonymization” is frequently confused with “anonymization”. Pseudonymous identifiers are not linked to an individual’s identity, but could be linked to it, because that identity is held separately.[2] Anonymous data cannot be linked to an individual and, as such, is often excluded from data protection regulations.[3],[4] A common example of anonymized data is input data that is made available only as a summarized, aggregated output metric.
Regulator Perspectives
GDPR recommends pseudonymization as one method for organizations to comply with their data-protection obligations, such as ensuring appropriate security to safeguard personal data.[5]
- Article 6 (4-e): “the existence of appropriate safeguards, which may include encryption or pseudonymization.”[6]
- Article 32 (a): “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymization and encryption of personal data.”[7]
Pseudonymization of personal data can reduce risks to data subjects and help controllers meet data-protection obligations.[8]
- Article 25 (1): “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”[9]
- Article 40 (2): “Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:... (d) the pseudonymization of personal data.”[10]
References
- [1] https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf, section A.2
- [2] https://ico.org.uk/media/about-the-ico/consultations/4019579/chapter-3-anonymisation-guidance.pdf
- [3] https://ico.org.uk/media/about-the-ico/consultations/4019579/chapter-3-anonymisation-guidance.pdf
- [4] https://gdpr-info.eu/recitals/no-26
- [5] https://gdpr-info.eu/art-4-gdpr
- [6] https://gdpr-info.eu/art-6-gdpr
- [7] https://gdpr-info.eu/art-32-gdpr
- [8] https://gdpr-info.eu/recitals/no-28
- [9] https://gdpr-info.eu/art-25-gdpr
- [10] https://gdpr-info.eu/art-40-gdpr