Deidentification

This topic page provides insight and research to gain a better understanding of the challenges and benefits of de-identification.

Featured Resources

10 recommendations for regulating non-identifiable data

There is considerable activity today in regulatory development and updates around the privacy rights of individuals in Canada, Europe, the U.S. and elsewhere. This article offers key considerations for regulating the generation and processing of non-identifiable data.

A lawyer’s guide to pseudonymization and anonymization

In this piece for Privacy Tech, Immuta’s Alfred Rossi, Andrew Burt and Sophie Stalla-Bourdillon look to clarify the definition of these practices, help distinguish between direct and indirect identifiers, and offer some considerations for organizations that want to properly deidentify their data.

Deidentification versus anonymization

In this Privacy Tech post on privacy engineering and user-experience design, Lea Kissner breaks down the differences between deidentification and anonymization. While deidentification is not anonymization in virtually all cases, it is still useful as a data minimization technique.


Latest News and Resources

Calif. on the verge of instituting new deidentification requirements, broader research exemptions

On Sept. 5, 2020, the California Legislature passed Assembly Bill 713, which amends the California Consumer Privacy Act. Although the bill has the primary and helpful effect of largely exempting the U.S. Health Insurance Portability and Accountability Act deidentified information from the CCPA, AB 713 also regulates deidentified information in a novel way that departs from the mostly hands-off approach to such datasets adopted by federal and state regulators. As has been the case with many of th...

Does anonymization or de-identification require consent under the GDPR?

Data de-identification has many benefits in the context of the EU General Data Protection Regulation. One of the recurring questions is whether consent is required to anonymize or de-identify data. In this article, we make the case that no consent is required for anonymization or other forms of de-identification. For the purposes of this discussion, we use “de-identification” as a general term that includes the full spectrum of methods, from simple pseudonymization to full anonymization. Arti...

CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation

The California Consumer Privacy Act is notorious for the haste with which it was drafted. Many provisions of the statute require clarification, and the attorney general’s office is holding a series of public forums before issuing clarifying regulations. Among the concepts not well defined by the CCPA are deidentification, pseudonymization, and aggregation. It's helpful to take a look at some of the challenges the CCPA creates with its imprecise language regarding these topics and point out of t...

De-identification: Moving from the binary to a spectrum

As with so many things in this world, there is rarely, if ever, a silver-bullet solution to a complex problem in privacy. Perhaps the most glaring example of this is in defining the identifiability of an individual. Countless privacy laws and regulations around the world define personal information or personally identifiable information in different ways, using varying definitions and key terms. One jurisdiction may consider an IP address PII while another may not. The Federal Trade Commission...

Definitions

Anonymization

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized. Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise ad...

Anonymous Information

In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR. Associated term(s): Pseudonymous Data, De-Identification, Re-Identification...

Pseudonymous Data

Data points which are not directly associated with a specific individual. The identity of the person is not known but multiple appearances of that person can be linked together. Uses an ID rather than PII to identify data as coming from the same source. IP address, GUID and ticket numbers are forms of pseudonymous values. Associated term(s): Identifiability, Identifiers, GUID, Authentication, De-Identification, Re-Identification....

Re-identification

The action of reattaching identifying characteristics to pseudonymized or de-identified data (see De-identification and Pseudonymization). Often invoked as a “risk of re-identification” or “re-identification risk,” which refers to nullifying the de-identification actions previously applied to data (see De-identification). Associated term(s): De-identification; Anonymization; Anonymous Data, Pseudonymous Data...