Deidentification

This topic page provides insight and research to gain a better understanding of the challenges and benefits of de-identification.

Featured Resources

A new standard for anonymization

Privacy experts can now use a new standard, the ISO/IEC 27559:2022 privacy-enhancing data deidentification framework. This article discusses the purpose of the framework, its implementation, and more.

10 recommendations for regulating non-identifiable data

There is considerable activity today in regulatory development and updates around the privacy rights of individuals in Canada, Europe, the U.S. and elsewhere. This article offers key considerations for regulating the generation and processing of non-identifiable data.

A lawyer’s guide to pseudonymization and anonymization

In this piece for Privacy Tech, Immuta’s Alfred Rossi, Andrew Burt and Sophie Stalla-Bourdillon look to clarify the definition of these practices, help distinguish between direct and indirect identifiers, and offer some considerations for organizations that want to properly deidentify their data.


Latest News and Resources

Calif. on the verge of instituting new deidentification requirements, broader research exemptions

On Sept. 5, 2020, the California Legislature passed Assembly Bill 713, which amends the California Consumer Privacy Act. Although the bill has the primary and helpful effect of largely exempting the U.S. Health Insurance Portability and Accountability Act deidentified information from the CCPA, AB 713 also regulates deidentified information in a novel way that departs from the mostly hands-off approach to such datasets adopted by federal and state regulators. As has been the case with many of th...

Deidentification versus anonymization

Anonymization is hard. Just like cryptography, most people are not qualified to build their own. Unlike cryptography, the research is far earlier stage, and the pre-built code is virtually unavailable. That hasn’t stopped people from claiming certain datasets (like this) are anonymized and (sadly) having them re-identified. Those datasets are generally deidentified rather than anonymized — the names and obvious identifiers are stripped out, but the rest of the data is left untouched. Deidentifi...

Does anonymization or de-identification require consent under the GDPR?

Data de-identification has many benefits in the context of the EU General Data Protection Regulation. One of the recurring questions is whether consent is required to anonymize or de-identify data. In this article, we make the case that no consent is required for anonymization or other forms of de-identification. For the purposes of this discussion, we use “de-identification” as a general term that includes the full spectrum of methods, from simple pseudonymization to full anonymization. Arti...

CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation

The California Consumer Privacy Act is notorious for the haste with which it was drafted. Many provisions of the statute require clarification, and the attorney general’s office is holding a series of public forums before issuing clarifying regulations. Among the concepts not well defined by the CCPA are deidentification, pseudonymization, and aggregation. It's helpful to take a look at some of the challenges the CCPA creates with its imprecise language regarding these topics and point out of t...

Definitions

Anonymization

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized. Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise ad...

Anonymous Information

In contrast to personal data, anonymous information or data is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR. Associated term(s): Pseudonymous Data, De-Identification, Re-Identification...

Pseudonymous Data

Data points which are not directly associated with a specific individual. The identity of the person is not known but multiple appearances of that person can be linked together. Uses an ID rather than PII to identify data as coming from the same source. IP address, GUID and ticket numbers are forms of pseudonymous values. Associated term(s): Identifiability, Identifiers, GUID, Authentication, De-Identification, Re-Identification....

Re-identification

The action of reattaching identifying characteristics to pseudonymized or de-identified data (see De-identification and Pseudonymization). Often invoked as a “risk of re-identification” or “re-identification risk,” which refers to nullifying the de-identification actions previously applied to data (see De-identification). Associated term(s): De-identification; Anonymization; Anonymous Data, Pseudonymous Data...