Guide to basic anonymisation and free tool from PDPC
The personal data that organisations hold are subject to PDPA. When there is a breach of data concerning these personal data, what the PDPC usually does is impose whopping fines. To limit this, there is a way for organizations to do to avoid this penalty regardless if there is a breach, and this is through anonymization.
When the data that was used can identify a particular person, the obligation under the PDPA applies. This means there is a need for organizations to keep their personal data safeguards high to limit breaches. However, anonymisation converts the personal data so that it can no longer be identified or attributed to a specific individual.
Anonymisation refers to the conversion of personal data into data that cannot be used to identify any individual. PDPC considers anonymisation as a risk-based process, which includes using both anonymisation techniques and safeguards to avoid re-identification.
PDPC’s Guide to basic anonymisation
The Guide to basic anonymization from the PDPC is meant to provide organizations new to anonymization with an introduction and practical assistance on how to do basic anonymization and de-identification of structured, textual, non-complex datasets.
This Guide does not cover all concerns associated with anonymization, de-identification, and re-identification of datasets. Complex anonymisation challenges should prompt organizations to consider engaging anonymisation professionals, statisticians, or independent risk assessors to undertake the proper anonymisation techniques or assessment of re-identification hazards (e.g. large datasets containing a wide range of longitudinal or sensitive personal data).
Organizations should realize that implementing the recommendations in the Guide to basic anonymization does not guarantee compliance with the Personal Data Protection Act (PDPA). In conjunction with the Personal Data Protection Commission’s (PDPC).
Purpose of anonymisation and utility
The objective of anonymization must be crystal obvious, as anonymization should only be performed when necessary. Regardless of the technique employed, anonymisation reduces the amount of original information in a dataset. Consequently, as the level of anonymisation grows, the utility of the dataset typically decreases. Therefore, the organization must determine the degree of the trade-off between acceptable (or anticipated) benefit and re-identification risk.
It should be highlighted that utility should not be evaluated at the level of the entire dataset, as it varies significantly among features. One extreme is when the precision of a particular data attribute is vital, and no generalization or anonymization technique should be used. The other extreme is when the data attribute is useless for the intended purpose and can be omitted without harming the recipient’s usability of the data (e.g. date of birth of individuals may not be important when analyzing the purchase transaction trends).
Another important consideration in determining the trade-off between utility and anonymisation is whether the recipient’s knowledge of the anonymisation techniques and degree of granularity poses an additional risk; on the one hand, this information may help the analyst better understand and interpret the results, but it may also contain hints that increase the risk of re-identification.
Data Anonymisation Tool
How a DPO can help organizations
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of data breaches as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.
For instance, at Privacy Ninja, part of our scope of work is to ensure that the process of data anonymization is done correctly and is duly supervised. This eliminated the risk of any data breach due to failure to fully anonymize the personal data and was used beyond its purpose.
DPOs complement the efforts of organisations in making sure that the personal data that is no longer used for its purpose is duly anonymised. This is because when there is an instance data breach, the organization will not be held liable as the data that was leaked was not personal data.
As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is correct and concise as it affects me whenever a decision is made.