Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
De-identification as public policy
Journal of Data Protection & Privacy,
3
(3),
250-267
(2020)
Abstract
Canada’s data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not require or incentivise de-identification of personal data for purposes of sharing or research. This regulatory lacuna puts Canadian national law at a disadvantage in contrast with the privacy regimes of other countries, such as the United Kingdom, Australia and the United States, all of whom have regulatory language requiring or incentivising de-identification by custodians of personal data. This paper is based on a report commissioned by the Office of the Privacy Commissioner of Canada in service of eventual reform of PIPEDA to include de-identification. The paper addresses terminology, definitions, key debates and policy in other jurisdictions. It recommends legal reform, specific regulatory actions, and investigation of emerging policy strategies and lists remaining open questions for the development of a national Canadian de-identification policy. Chief among these recommendations is a reorientation from a regulatory focus on ‘outputs’ (‘Is the dataset rendered anonymous?’) to a focus on ‘process’ (‘Has the data custodian taken proper steps to reduce identification and privacy risks?’). In part, this is based on a rejection of the possibility of ‘irreversible anonymisation’. Relatedly, the paper argues for requiring a risk management approach to de-identification and for the discouragement of the ‘release-andforget’ model of data disclosure, which relies only on data transformations while ignoring technical, physical, administrative and contractual controls.
Keywords: de-identification; PIPEDA; Canadian law; data protection; anonymisation; risk management
The full article is available to subscribers to the journal.
Author's Biography
Gilad L. Rosner is a privacy and information policy researcher and consultant. Gilad’s work focuses on digital identity management, US and EU privacy regimes, data protection and emerging technologies. His research has been used by the Office of the Privacy Commissioner of Canada and the UK House of Commons Science & Technology Committee. He has been a featured expert on the BBC and O’Reilly, and his 25-year information technology career spans ID technology, digital media, robotics and telecommunications. Gilad is a member of the UK Cabinet Office Privacy and Consumer Advisory Group and the Advisory Group of Experts convened to support the forthcoming review of the Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines. He is a Visiting Researcher at the Horizon Digital Economy Research Institute and has consulted on trust issues for the United Kingdom’s identity assurance programme, Verify.gov. Gilad was a policy adviser to a Wisconsin State Representative, contributing directly to legislation on law enforcement access to location data, access to digital assets upon death and the collection of student biometrics. Gilad is founder of the nonprofit IoT Privacy Forum, which produces research, guidance and best practices to help industry and government lower privacy risk and innovate responsibly with connected devices.
