24 July 2020
Anonymization and pseudonymization are two important ways of protecting personal information within your organization.
These concepts have been central to EU data protection law for many years. But with strict privacy laws emerging in the US and elsewhere, organizations all over the world should now be considering how best to integrate these practices into their operations.
In this article, we'll be explaining how an Anonymization and Pseudonymization Policy can help protect personal information within your organization and outlining the contents of this type of policy.
Anonymization and pseudonymization are two ways of processing personal information.
Anonymization and pseudonymization are not the same, as explained by the Article 29 Working Party, a now-retired working group that provided guidance on EU data protection law (at page 3 of the linked PDF):
Under EU law, anonymized data is not personal information, but pseudonymized data remains personal information.
Accordingly, anonymization means removing any references to an identifiable person from a data set, thus turning personal information into non-personal information.
Given the changing nature of technology, some data sets that count as anonymized today may one day become re-identifiable. The test is whether re-identification is reasonably possible with the technology currently available; if it is, the data set has not been anonymized.
Anonymization is commonly used to depersonalize personal information before processing it for statistical purposes.
Pseudonymization is defined at Article 4 (5) of the GDPR:
A virtually identical definition appears at Section 1798.140 (r) of the California Consumer Privacy Act (CCPA):
There are several conditions inherent to this definition:
If any one of these conditions is not present, then pseudonymization has not taken place.
Having a robust set of policies in place ensures everyone in your organization is on the same page when it comes to privacy and data protection.
Maintaining an Anonymization and Pseudonymization Policy will also help ensure you can demonstrate your compliance with the relevant laws and regulations, and it could reduce your liability under such laws.
Your Anonymization and Pseudonymization Policy will ensure that your employees understand the high standards that apply when anonymizing personal information.
The concept of "anonymization" is often misunderstood and misapplied.
A relatively common misapplication of "anonymization" involves the use of individuals' initials in place of their full name. This method is unlikely to even meet the threshold for "pseudonymized" personal information, let alone "anonymized."
In the context of EU law, anonymization is an effectively irreversible process that prevents the identification of individuals (using current technology). This is a high threshold.
As with anonymization, the threshold for pseudonymization is also relatively high.
To return to the example above, the use of an individual's initials in place of their full name would probably not meet the threshold for pseudonymization.
Your Anonymization and Pseudonymization Policy will ensure that your employees understand that the re-identification of individuals from pseudonymized personal information must be very unlikely without reference to additional information.
The Policy will also make clear that any additional information used to re-identify individuals must be stored separately from the personal information, and appropriate security measures and access controls must be applied to it.
Your employees must also understand that pseudonymized data remains "personal information," and, therefore, it must be presented to individuals in an intelligible form if they request access to it.
Another key benefit of creating an Anonymization and Pseudonymization Policy is that it will help ensure employees are anonymizing personal information wherever possible and appropriate.
The benefits of anonymization are clear. The GDPR states that data protection law does not apply to anonymous data at Recital 26:
This is confirmed by the Article 29 Working Party (at page 5, here):
The CCPA does not explicitly refer to anonymization, but given that the law uses a very similar definition of "personal information," it is reasonable to assume that anonymized data also falls outside of the scope of the CCPA.
Because privacy law no longer applies to anonymized data, this means:
Note, however, that other laws and regulations may still apply to anonymized data.
An Anonymization and Pseudonymization Policy will ensure that your employees pseudonymize personal information whenever required.
The GDPR presents pseudonymization as a valid means of mitigating risks to privacy and fulfilling certain obligations to protect personal information. For example, at Recital 28:
At Article 25, pseudonymization is presented as a means by which to implement the principle of "data protection by design and by default":
Encrypting personal information can also reduce your company's exposure to liability for data breaches under some privacy laws, since encryption is, under certain conditions, a form of pseudonymization.
For example, the New York SHIELD Act applies to businesses holding the "private information" of New York residents. Private information is defined as certain types of personal information that have not been encrypted (or that were encrypted with a key that was also accessed or acquired in the breach). Therefore, encrypting personal information, and keeping the encryption key out of the attacker's reach, could allow a business to fall outside the scope of this law altogether.
Pseudonymization also limits the damage once personal information has been compromised: a pseudonymized data set is of far less value to an attacker who does not also obtain the additional information required to identify individuals. It does not make the data worthless, however. Attributes left in the data set (dates of birth, postcodes, job titles, rare diagnoses) can still be linked against other data sets to single people out, which is why the pseudonymization threshold requires that re-identification be very unlikely without the separately held information.
Your reasons for using anonymization and pseudonymization will be specific to your organization. Therefore, every Anonymization and Pseudonymization Policy will be unique.
Below are some of the sections that are common to most Anonymization and Pseudonymization Policies, together with some examples from real organizations.
The "Scope" section of your Anonymization and Pseudonymization Policy explains whom the policy applies to and what activities it covers.
For example, your policy may apply to all members of staff and contractors, and it may apply to particular types of personal information or all personal information.
Here's an example from Dundalk Institute of Technology:
Note that the policy applies whenever employees and third parties engage in the anonymization of personal information. When doing so, these parties must abide by the process and principles set out in the policy.
The "Purpose" section of your Anonymization and Pseudonymization Policy sets out the reasons for which the policy exists.
Broadly speaking, this is to protect personal information. But your policy may serve a more specific purpose within the context of your organization.
Here's an example from the Anonymization and Pseudonymization Policy of the NHS Business Services Authority (NHSBSA):
In addition to setting out the purpose of your policy, you may also wish to describe the purposes of anonymization and pseudonymization.
Here's an example from the Anonymization and Pseudonymization Policy of Luton Council, which explains the benefits of anonymization.
Explaining the benefits of anonymization and pseudonymization will help ensure your employees adhere to your policy.
Your Anonymization and Pseudonymization Policy should provide definitions of anonymization and pseudonymization that are valid under the laws relevant to your organization. It should also define other terms commonly used throughout the policy.
Here's an example from Leicester City Council:
Your Anonymization and Pseudonymization Policy should explain who within your organization has responsibility for enforcing the policy and who is responsible for carrying out the processes of anonymization and pseudonymization.
Here's an example from Essex Partnership University:
Your Anonymization and Pseudonymization Policy should set out a standardized process by which anonymization and pseudonymization must take place.
This is important to help ensure that your employees anonymize and pseudonymize personal information in a legally-compliant way.
The process will be largely specific to the context in which your organization operates, but there are certain standards that must nonetheless be met.
An effective anonymization process will make the re-identification of an individual from the anonymized personal information very unlikely.
The Article 29 Working Party provides a three-part test for assessing the effectiveness of an anonymization method.
Once the anonymization process has been carried out, the following three conditions should apply:
Here's an example of how to carry out effective anonymization, from Northumberland County Council:
The policy provides several methods of anonymization (referred to as "de-identification"), including using age ranges instead of an exact age (e.g., 25-35 instead of 30).
The process of pseudonymization must ensure that individuals can be re-identified, but only where necessary and only by those authorized to do so.
Some methods of pseudonymization include encryption, keyed hashing, and tokenization. However, these measures must meet the conditions set out above before they can be considered pseudonymization methods.
For example, encrypted data is only pseudonymized if the encryption key is kept separately, securely, and with limitations on access. Likewise, a plain (unkeyed) hash of a low-entropy identifier such as a customer number, date of birth, or phone number is not pseudonymization: anyone can recompute the hash over every possible value and recover the original, with no separately held information needed. A keyed hash (such as an HMAC) or a tokenization lookup table only qualifies if the key or table is held apart from the data set under its own access controls.
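The following is an added example, not code from this article or from any of the organizations whose policies are quoted here. It illustrates both the generalization technique described above (age bands instead of exact ages) and the conditions on pseudonymization: direct identifiers are replaced with an HMAC-SHA256 token whose key is held separately, re-identification works only with that key, and a plain SHA-256 of the same six-digit customer number is shown to be recoverable by brute force. The records, the `customer_number` field, and the choice of HMAC-SHA256 are assumptions made for the example; encryption or a tokenization table would serve the same role.

```python
"""Added example: anonymization by generalization beside pseudonymization
by keyed hashing. The records are constructed and describe no real person."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data set (assumption for this example): the kind of
# table a council or hospital might hold before releasing it to researchers.
RECORDS: List[Dict] = [
    {"name": "A. Example", "customer_number": "104271", "age": 30,
     "postcode": "NE61 1AB", "diagnosis": "asthma"},
    {"name": "B. Sample", "customer_number": "237905", "age": 47,
     "postcode": "NE46 3CD", "diagnosis": "diabetes"},
    {"name": "C. Test", "customer_number": "981002", "age": 63,
     "postcode": "NE24 5EF", "diagnosis": "asthma"},
]

DIRECT_IDENTIFIERS = ("name", "customer_number")


def generalize_age(age: int, width: int = 10) -> str:
    """Replace an exact age with a non-overlapping band, e.g. 30 -> '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def anonymize(record: Dict) -> Dict:
    """Irreversible: drop the direct identifiers and coarsen the
    quasi-identifiers (age, postcode) that could be linked to other data."""
    return {
        "age_band": generalize_age(record["age"]),
        "postcode_area": record["postcode"].split()[0],  # outward code only
        "diagnosis": record["diagnosis"],
    }


def pseudonymize(record: Dict, key: bytes) -> Dict:
    """Reversible only with `key`: the direct identifiers are replaced by an
    HMAC-SHA256 token of the customer number. The key is the 'additional
    information' in the GDPR definition and must be stored apart from the
    pseudonymized table (in practice in a KMS or HSM with its own access
    controls)."""
    token = hmac.new(key, record["customer_number"].encode(),
                     hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = token
    return out


def reidentify(token: str, key: bytes, candidates: List[str]) -> Optional[str]:
    """Map a token back to a customer number. Requires both the key and the
    identifier list, so a party holding only the pseudonymized table cannot
    do this."""
    for ident in candidates:
        cand = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(cand, token):
            return ident
    return None


def unkeyed_hash(identifier: str) -> str:
    """The common mistake: a plain hash with no secret."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def brute_force_unkeyed(digest: str, digits: int = 6) -> Optional[str]:
    """An unkeyed hash over a small identifier space (a six-digit number has
    only a million values) can be recomputed by anyone, so it is reversible
    without any separately held information and is not pseudonymization."""
    for n in range(10 ** digits):
        ident = f"{n:0{digits}d}"
        if unkeyed_hash(ident) == digest:
            return ident
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held separately in a real deployment
    for r in RECORDS:
        print("anonymized:   ", anonymize(r))
        print("pseudonymized:", pseudonymize(r, key))
    token = pseudonymize(RECORDS[0], key)["pseudonym"]
    ids = [r["customer_number"] for r in RECORDS]
    print("re-identified with key:", reidentify(token, key, ids))
    print("unkeyed hash recovered:", brute_force_unkeyed(unkeyed_hash("104271")))
```

Because the HMAC is deterministic, the same person receives the same pseudonym across tables, which is what lets analysts join pseudonymized data sets without the key; rotating the key breaks that linkage, so key rotation must be planned alongside the re-identification process the policy describes.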
Here's how Northumberland County Council describes some of the standards that must be met when pseudonymizing personal information:
Your Anonymization and Pseudonymization Policy should list the laws and regulations that apply when anonymizing and pseudonymizing personal information.
Depending on where your customers are based, such laws may include:
Here's an example from Cambridgeshire County Council:
An Anonymization and Pseudonymization Policy can help ensure your employees are properly applying these important information security techniques to protect personal information within your organization.
Some key parts of your policy should include:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.