Pseudonymization

From LIMSWiki
Jump to navigationJump to search

Overview

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.[1] A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

Pseudonymization (or pseudonymisation, the spelling under European guidelines) is one way to comply with the European Union's General Data Protection Regulation (GDPR) demands for secure data storage of personal information.[2] Pseudonymized data can be restored to its original state with the addition of information which allows individuals to be re-identified. In contrast, anonymization is intended to prevent re-identification of individuals within the dataset. Clause 18, Module Four, footnote 2 of the Adoption by the European Commission of the Implementing Decisions (EU) 2021/914 “requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone ... and that this process is irreversible.”[3]

Facial recognition

In the context of facial recognition technology, pseudonymization addresses privacy concerns by replacing identifiable data with pseudonyms, and preventing the misuse of user data. It also allows for identifiers to be either renewed or revoked, which provides companies/developers of facial recognition software with more flexibility when it comes to data management.

Per the article Transparency and Accountability Mechanisms for Facial Recognition Article (2021) [4]:

"The ISO with well-chosen standards, play an important role IEC 24745:2011 standard on biometric information for facial-recognition technology. To the extent that protection could certainly also be very relevant, these legal and ethical principles can be translated into context."

In other words, the ISO/IEC standard focuses on biometric information protection and includes pseudonymization as a privacy protection method. The General Data Protection Regulation (GDPR) includes clear guidelines on "data protection by design and by default," which can serve as a guide for companies looking to ensure that privacy is actively taken into consideration in the development process. This international standard encourages organizations to make privacy a core part of their design planning and encourages further protection of privacy. Certification mechanisms are another key part of this privacy protection process, as these programs translate legal principles into specific technical requirements that companies can easily follow. While such certification systems for facial recognition are still developing, they could potentially improve transparency by helping users see which technologies meet privacy and ethical standards.

Racial profiling

The GDPR's clear guidelines and regulations along with continued implementation of pseudonymization will help prevent inappropriate situations from occurring, such as those states in study run by the National Institute of Standards and Technology (NIST)[5] Facial recognition software can often have built in biases against certain races or demographics. As the software continues to evolve, these groups will continue to be targeted, which will raise a lot of false positives within the biometric software itself—according to the NIST, American Indian's had the highest rates for false positives. The ISO/IEC and GDPR standards can potentially help regulate how training data for recognition software is designed, in order to anonymize user data as much as possible and prevent instances of racial profiling when looking for a person of interest.

Generative AI

Generative Artificial Intelligence (or simply Gen AI) refers to a specific form of artificial technology that is capable of producing content, such as text, images, code, and, in some cases, even audio. As such, sites like ChatGPT have become largely popular due to their ability to aid users in productivity, brainstorming, or simply delegating tasks. Pseudonymization can help ease many of the concerns that sites like ChatGPT pose for user privacy and data management, by reducing the risk of data being linked back to any one specific person, through the creation of pseudonyms and de-identification of information.

Research published in the paper Data Pseudonymization in the Generative Artificial Intelligence Environment (2023), [6] highlighted how pseudonymization actually works within the context of generative AI. In one study, researchers provided ChatGPT with four sets of information, with some containing pseudonymized data while others did not, in order to test whether the AI would be able to link the data together. Using the 2023 version of ChatGPT, which is the model that was available at the time, researchers found that ChatGPT did not remember nor did it store data once a new session had begun. It also lacked the ability to revisit previous topics of conversation within the same conversation session, unless that same information was provided by the user again. These findings suggest that using pseudonymization does help lower the risk of any personally identifying information from being exposed when using sites like ChatGPT.

This outcome highlights an important point about how generative AI is able to manage information. Since models like ChatGPT process each request separately and do not retain any information between sessions, pseudonymization can effectively help to protect user data. However, this still does not eliminate all privacy risks, as generative AI technologies are trained on massive data sets, and there is always a possibility that personal identifying information may be included as part of the training material. It should also be taken into account that since the original publication of the paper in 2023, generative AIs like ChatGPT have improved significantly, so further research is still needed in order to see whether pseudonymization continues to be effective.

Data fields

The choice of which data fields are to be pseudonymized is partly subjective. Less selective fields, such as Birth Date or Postal Code are often also included because they are usually available from other sources and therefore make a record easier to identify. Pseudonymizing these less identifying fields removes most of their analytic value and is therefore normally accompanied by the introduction of new derived and less identifying forms, such as year of birth or a larger postal code region.

Data fields that are less identifying, such as date of attendance, are usually not pseudonymized. This is because too much statistical utility is lost in doing so, not because the data cannot be identified. For example, given prior knowledge of a few attendance dates it is easy to identify someone's data in a pseudonymized dataset by selecting only those people with that pattern of dates. This is an example of an inference attack.

The weakness of pre-GDPR pseudonymized data to inference attacks is commonly overlooked. A famous example is the AOL search data scandal. The AOL example of unauthorized re-identification did not require access to separately kept “additional information” that was under the control of the data controller as is now required for GDPR compliant Pseudonymisation, outlined below under the section "New Definition for Pseudonymization Under GDPR".

Protecting statistically useful pseudonymized data from re-identification requires:

  1. a sound information security base
  2. controlling the risk that the analysts, researchers or other data workers cause a privacy breach

The pseudonym allows tracking back of data to its origins, which distinguishes pseudonymization from anonymization,[7] where all person-related data that could allow backtracking has been purged. Pseudonymization is an issue in, for example, patient-related data that has to be passed on securely between clinical centers.

The application of pseudonymization to e-health intends to preserve the patient's privacy and data confidentiality. It allows primary use of medical records by authorized health care providers and privacy preserving secondary use by researchers.[8] In the US, HIPAA provides guidelines on how health care data must be handled and data de-identification or pseudonymization is one way to simplify HIPAA compliance.[9] However, plain pseudonymization for privacy preservation often reaches its limits when genetic data are involved (see also genetic privacy). Due to the identifying nature of genetic data, depersonalization is often not sufficient to hide the corresponding person. Potential solutions are the combination of pseudonymization with fragmentation and encryption.

An example of application of pseudonymization procedure is creation of datasets for de-identification research by replacing identifying words with words from the same category (e.g. replacing a name with a random name from the names dictionary),[10][11][12] however, in this case it is in general not possible to track data back to its origins.

New definition

Effective as of May 25, 2018, the EU General Data Protection Regulation (GDPR) defines pseudonymization for the very first time at the EU level in Article 4(5). Under Article 4(5) definitional requirements, data is pseudonymized if it cannot be attributed to a specific data subject without the use of separately kept "additional information." Pseudonymized data embodies the state of the art in Data Protection by Design and by Default[13] because it requires protection of both direct and indirect identifiers (not just direct). GDPR Data Protection by Design and by Default principles as embodied in pseudonymization require protection of both direct and indirect identifiers so that personal data is not cross-referenceable (or re-identifiable) via the "Mosaic Effect"[14] without access to “additional information” that is kept separately by the controller. Because access to separately kept “additional information” is required for re-identification, attribution of data to a specific data subject can be limited by the controller to support lawful purposes only.

GDPR Article 25(1) identifies pseudonymization as an “appropriate technical and organizational measure” and Article 25(2) requires controllers to:

"...implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."

A central core of Data Protection by Design and by Default under GDPR Article 25 is enforcement of technology controls that support appropriate uses and the ability to demonstrate that you can, in fact, keep your promises. Technologies like pseudonymization that enforce Data Protection by Design and by Default show individual data subjects that in addition to coming up with new ways to derive value from data, organizations are pursuing equally innovative technical approaches to protecting data privacy—an especially sensitive and topical issue given the epidemic of data security breaches around the globe.

Vibrant and growing areas of economic activity—the “trust economy,” life sciences research, personalized medicine/education, the Internet of Things, personalization of goods and services—are based on individuals trusting that their data is private, protected, and used only for appropriate purposes that bring them and society maximum value. This trust cannot be maintained using outdated approaches to data protection. Pseudonymisation, as newly defined under the GDPR, is a means of helping to achieve Data Protection by Design and by Default to earn and maintain trust and more effectively serve businesses, researchers, healthcare providers, and everyone who relies on the integrity of data.

GDPR compliant pseudonymization not only enables greater privacy-respectful use of data in today's "big data" world of data sharing and combining, but it also enables data controllers and processors to reap explicit benefits under the GDPR for correctly pseudonymized data. The benefits of properly pseudonymized data are highlighted in multiple GDPR Articles, including:

  • Article 6(4) as a safeguard to help ensure the compatibility of new data processing.
  • Article 25 as a technical and organizational measure to help enforce data minimization principles and compliance with Data Protection by Design and by Default obligations.
  • Articles 32, 33 and 34 as a security measure helping to make data breaches “unlikely to result in a risk to the rights and freedoms of natural persons” thereby reducing liability and notification obligations for data breaches.
  • Article 89(1) as a safeguard in connection with processing for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes; moreover, the benefits of pseudonymization under Article 89(1) also provide greater flexibility under:
    1. Article 5(1)(b) with regard to purpose limitation;
    2. Article 5(1)(e) with regard to storage limitation; and
    3. Article 9(2)(j) with regard to overcoming the general prohibition on processing Article 9(1) special categories of personal data.
  • In addition, properly pseudonymized data is recognized in Article 29 Working Party Opinion 06/2014 as playing “…a role with regard to the evaluation of the potential impact of the processing on the data subject...tipping the balance in favour of the controller” to help support Legitimate Interest processing as a legal basis under Article GDPR 6(1)(f). Benefits from processing personal data using pseudonymized-enabled Legitimate Interest as a legal basis under the GDPR include, without limitation:
    1. Under Article 17(1)(c), if a data controller shows they “have overriding legitimate grounds for processing” supported by technical and organizational measures to satisfy the balancing of interest test, they have greater flexibility in complying with Right to be Forgotten requests.
    2. Under Article 18(1)(d), a data controller has flexibility in complying with claims to restrict the processing of personal data if they can show they have technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are protected.
    3. Under Article 20(1), data controllers using Legitimate Interest processing are not subject to the right of portability, which applies only to consent-based processing.
    4. Under Article 21(1), a data controller using Legitimate Interest processing may be able to show they have adequate technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are protected; however, data subjects always have the right under Article 21(3) to not receive direct marketing outreach as a result of such processing.

Impact of Schrems II ruling

The European Data Protection Supervisor (EDPS) on 9 December 2021 highlighted pseudonymization as the top technical supplementary measure for Schrems II compliance.[15] Less than two weeks later, the EU Commission highlighted pseudonymization as an essential element of the equivalency decision for South Korea, which is the status that was lost by the United States under the Schrems II ruling by the Court of Justice of the European Union (CJEU).[16]

The importance of GDPR-compliant pseudonymization increased dramatically in June 2021 when the European Data Protection Board (EDPB) and the European Commission highlighted GDPR-compliant Pseudonymisation as the state-of-the-art technical supplementary measure for the ongoing lawful use of EU personal data when using third country (i.e., non-EU) cloud processors or remote service providers under the "Schrems II" ruling by the CJEU.[17] Under the GDPR and final EDPB Schrems II Guidance,[18] the term pseudonymization requires a new protected “state” of data, producing a protected outcome that:

(1) Protects direct, indirect, and quasi-identifiers, together with characteristics and behaviors;

(2) Protects at the record and data set level versus only the field level so that the protection travels wherever the data goes, including when it is in use; and

(3) Protects against unauthorized re-identification via the Mosaic Effect by generating high entropy (uncertainty) levels by dynamically assigning different tokens at different times for various purposes.

The combination of these protections is necessary to prevent the re-identification of data subjects without the use of additional information kept separately, as required under GDPR Article 4(5) and as further underscored by paragraph 85(4) of the final EDPB Schrems II guidance:

  • Article 4(5) "Definitions" of the GDPR defines Pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”[19]
  • "Use Case 2: Transfer of pseudonymised Data Paragraph 85(4)" of the final EDPB Schrems II Guidance requires that “the controller has established by means of a thorough analysis of the data in question – taking into account any information that the public authorities of the recipient country may be expected to possess and use – that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person even if cross-referenced with such information.”[18]

GDPR-compliant pseudonymization requires that data is “anonymous” in the strictest EU sense of the word – globally anonymous – but for the additional information held separately and made available under controlled conditions as authorized by the data controller for permitted re-identification of individual data subjects. Clause 18, Module Four, footnote 2 of the Adoption by the European Commission of the Implementing Decision (EU) 2021/914 “requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.”[3]

Before the Schrems II ruling, pseudonymization was a technique used by security experts or government officials to hide personally identifiable information to maintain data structure and privacy of information. Some common examples of sensitive information include postal code, location of individuals, names of individuals, race and gender, etc.

After the Schrems II ruling, GDPR-compliant pseudonymization must satisfy the above-noted elements as an "outcome" versus merely a technique.

See also

References

  1. ^ "General Data Protection Regulation". 4(5).{{cite web}}: CS1 maint: location (link)
  2. ^ Skiera, Bernd (2022). The impact of the GDPR on the online advertising market. Klaus Miller, Yuxi Jin, Lennart Kraft, René Laub, Julia Schmitt. Frankfurt am Main. ISBN 978-3-9824173-0-1. OCLC 1303894344.{{cite book}}: CS1 maint: location missing publisher (link)
  3. ^ a b "Commission Implementing Decision (EU) 2021/914". Official Journal of the European Union. 7 June 2021. Retrieved 5 January 2024.
  4. ^ Kindt, Els J. (2021). Transparency and Accountability Mechanisms for Facial Recognition (Report). German Marshall Fund of the United States.
  5. ^ "NIST Study Evaluates Effects of Race, Age, Sex on Face Recognition Software". NIST. 2019-12-19.
  6. ^ Kniežová, Jaroslava; Hrkút, Patrik; Kršák, Emil (May 2025). "Data Pseudonymization in the Generative Artificial Intelligence Environment". 2025 37th Conference of Open Innovations Association (FRUCT): 116–121. doi:10.23919/FRUCT65909.2025.11008283 – via IEEE Xplore.
  7. ^ http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.31.pdf Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management – A Consolidated Proposal for Terminology
  8. ^ Neubauer, T; Heurix, J (Mar 2011). "A methodology for the pseudonymization of medical data". Int J Med Inform. 80 (3): 190–204. doi:10.1016/j.ijmedinf.2010.10.016. PMID 21075676.
  9. ^ Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. § 164.514(a)-(c) (de-identification standard) https://www.govinfo.gov/content/pkg/CFR-2002-title45-vol1/pdf/CFR-2002-title45-vol1-sec164-514.pdf
  10. ^ Neamatullah, Ishna; Douglass, Margaret M; Li-wei; Lehman, H; Reisner, Andrew; Villarroe, Mauricio; Long, William J; Szolovits, Peter; Moody, George B; Mark, Roger G; Clifford, Gari D (2008). "Automated de-identification of free-text medical records". BMC Medical Informatics and Decision Making. 8 32. doi:10.1186/1472-6947-8-32. PMC 2526997. PMID 18652655.
  11. ^ Ishna Neamatullah (5 September 2006). "11 Automated De-Identification of Free-Text Medical Records" (PDF). PhysioNet. Retrieved 4 January 2024.
  12. ^ Deleger, L; et al. (2014). "Preparing an annotated gold standard corpus to share with extramural investigators for de-identification research". J Biomed Inform. 50: 173–183. doi:10.1016/j.jbi.2014.01.014. PMC 4125487. PMID 24556292.
  13. ^ "What does data protection 'by design' and 'by default' mean?". European Commission. Retrieved 2023-01-22.
  14. ^ Vijayan, Jaikumar (2004-03-15). "Sidebar: The Mosaic Effect". Computerworld. Retrieved 2021-01-26.
  15. ^ "IPEN webinar 2021: Pseudonymous data: processing personal data while mitigating risks". European Data Protection Supervisor. 9 December 2021. Retrieved 4 January 2024.
  16. ^ "Commission Implementing Decision 2022/254". Official Journal of the European Union. 24 February 2022. Retrieved 4 January 2024.
  17. ^ "Press Release No 91/20" (PDF). Court of Justice of the European Union. 16 July 2020. Retrieved 4 January 2024.
  18. ^ a b "Recommendations" (PDF). European Data Protection Board. 18 June 2021. Retrieved 5 January 2024.
  19. ^ "Article 4 GDPR Definitions". Intersoft Consulting. 25 May 2018. Retrieved 5 January 2024.

Further reading

Notes

This article is a direct transclusion of the Wikipedia article and therefore may not meet the same editing standards as LIMSwiki.

Retrieved from "https://test.limswiki.org/index.php?title=Pseudonymization&oldid=40738"