Legal Bulletin April 2017


Published date: 27 Apr 2017

PDPC revises anonymisation guidelines and updates healthcare sector guidelines

On 28 March 2017, the Personal Data Protection Commission (“PDPC”) revised two sets of Advisory Guidelines as follows:
·         Chapter 3 of the Advisory Guidelines on the Personal Data Protection Act for Selected Topics has been revised to provide greater clarity to organisations in the use and disclosure of anonymised data.
·         The Advisory Guidelines for the Healthcare Sector have been revised to provide clarity on service reminders.
Revisions relating to anonymisation to Advisory Guidelines on the Personal Data Protection Act for Selected Topics
The PDPC has revised the Advisory Guidelines on the Personal Data Protection Act for Selected Topics (“revised advisory guidelines”) to provide greater clarity to organisations in the use and disclosure of anonymised data, including further information on the considerations for assessing and managing the risks of re-identification from anonymised data and consequently, the applicability of the relevant requirements under the Personal Data Protection Act 2012 (“PDPA”). Set out below are some of the key points to note:
·         Data not considered anonymised if there is a serious possibility of re-identification: For the purposes of the revised advisory guidelines, “anonymisation” refers to the process of converting personal data into data that cannot be used to identify any particular individual, and can be reversible or irreversible. Data would not be considered anonymised if there is a serious possibility of re-identification, taking into consideration: (i) the data itself, or the data combined with other information to which the organisation has or is likely to have access; and (ii) the measures and safeguards (or lack thereof) implemented by the organisation to mitigate the risk of identification.
·         Anonymised data no longer “personal data”: Data that has been anonymised would no longer be “personal data” that is subject to the relevant data protection requirements. Therefore, anonymisation allows organisations to use such data for more purposes and can also act as a protection measure against inadvertent disclosures and security breaches. Organisations that need to cease retention of personal data may also do so by anonymising the relevant personal data since anonymised data is not personal data. As good practice, where individuals need not be identifiable for the purposes in question, organisations should collect, use and disclose data in an anonymised form. Organisations should also note that once data is anonymised, in general, they must not be able to, in effect, use the same data as personal data.
·         Anonymisation techniques: Some commonly used anonymisation techniques include pseudonymisation, aggregation, replacement, data suppression, data recording or generalisation, data shuffling and masking. However, PDPC does not recommend or endorse the use of any particular technique - organisations should adopt the most appropriate technique based on their own assessment of the situation(s) and operational context. Some relevant considerations include the nature or type of data to be anonymised and international best practices for anonymisation of the given data type.
·         Considerations for anonymising data: Not all datasets can be effectively or meaningfully anonymised. Some factors that organisations should consider in deciding whether to anonymise data include:
­    Nature and type of data: The nature of the dataset affects how much identifying information needs to be removed so that it no longer can be used to identify individuals. For example, altering data that is inherently “rich” and full of information (e.g. portrait photographs taken for facial recognition purposes) for the purposes of anonymisation may render it useless for its intended purpose. The uniqueness of a record or data point for certain individuals within a sample dataset or population may also challenge anonymisation (e.g. where outliers in a dataset stand out no matter how the data is generalised or recorded into ranges).
­    Potential impact on individuals and highly sensitive personal data: Organisations should also consider any potential negative impact on the individuals if they were to be re-identified, particularly if the personal data is of a highly sensitive nature. In such circumstances, even if the organisation assesses that there is a less than serious possibility of re-identification, the organisation should carefully consider whether using or disclosing such data would be appropriate.
·         Assessing the risks of re-identification: When determining if a dataset is anonymised, organisations should consider whether there is a serious possibility that an individual can be identified from the dataset when it is combined with other information by carrying out an assessment of the risk of re-identification. The revised advisory guidelines set out the following considerations which may affect the risk of re-identification:
­    Nature of use and extent of disclosure: In general, an organisation can better manage re-identification risks if the anonymised data is intended for use within the organisation, or disclosed to a restricted group of users, as compared to the situation where the organisation discloses the anonymised data to any users by publishing it.
­    Public knowledge and personal knowledge: Organisations should consider the types of information that could enable re-identification if combined with the anonymised data as well as the ease with which such information can be accessed and understand the intended use and recipient of the anonymised data to tailor an appropriate set of risk management controls. For example, the risk of re-identification in a disclosure of data to a single entity for research and development of new products and services under a non-disclosure agreement would likely differ from the risk of re-identification in publishing the data to the world at large. Also, if it is known or foreseeable to the organisation that the data might be accessed by any persons with special knowledge that could be used to re-identify any individual from the data, such risk must be accounted for in the risk assessment exercise.
­    Disclosing multiple datasets: Organisations would have to take particular care to ensure that risk management controls are adequate to prevent re-identification of individuals by the recipient organisation, particularly where the disclosed datasets are combined with each other or with additional datasets previously released by the organisation (e.g. where two divisions of the same company release related datasets as part of an open data initiative). The revised advisory guidelines provide that organisations could maintain a centralised record to track datasets that have been disclosed or published.
­    Data recipient’s ability and motivation to re-identify: A data recipient in possession of complementary information, specialised skills or technologies would more likely be capable of re-identifying individuals from the data. However, the motivation to re-identify must also be considered. As such, if there are sufficient barriers to re-identification such as legal or regulatory consequences or if there is simply no incentive or benefit for a data recipient to re-identify individuals from data, the risk of re-identification may not necessarily be considered high, even if such recipient has the requisite skills and information for re-identification.
­    Changing environment: The likelihood of re-identification for any given anonymised dataset is likely to increase over time due to greater ease of access to and volume of other relevant information, increase in computing power and improvements in data-linking techniques. In addition to assessing the adequacy of anonymisation techniques and risk management controls in relation to the current state of technology, it is also important for an organisation to build in robust organisational, legal and non-technical measures to manage the risks of re-identification, taking into account the possibility of technological developments over the period for which the data may be retained. Organisations should consider periodic re-assessment of re-identification risks and put in place additional safeguards to mitigate such risks.
·         General test for assessing risks of re-identification: The revised advisory guidelines state that a useful starting point for assessing risks of re-identification and the robustness of anonymisation is the “motivated intruder” test, which considers whether individuals can be re-identified from anonymised data by someone who is motivated, reasonably competent, has access to standard resources and employs standard investigative techniques. The test also has to accommodate the features of the intended recipient organisation (e.g. totality of the risk management controls applicable to the recipient organisation or any motivations, re-identification capabilities and other information available to the recipient which are known or can be reasonably inferred) and is based on the assumption that no particular individual has been targeted for identification and that the intruder does not resort to criminality or any specialist equipment or skills. Other “residual” risks such as the risk of data being compromised or mistakenly disclosed to unintended recipients should also be taken into account in the risk assessment of re-identification.
·         Managing the risks of re-identification: The revised advisory guidelines provide that an organisation may consider hiring anonymisation experts, statisticians or independent risk assessors to help assess the appropriate anonymisation techniques to apply, especially if the anonymisation issues are complex. To further manage its risks, it may consider putting in place controls to lower the risk of re-identification such as limiting the number of data recipients or persons that the information is disclosed to, imposing restrictions on data recipients on the use and subsequent disclosure of the data and imposing requirements on the data recipient to implement processes and measures for the proper use of the anonymised data and destruction of the data as soon as the data no longer serves any business or legal purpose. Organisations may also limit the data users’ or recipients’ access to “other information” that could re-identify the anonymised data. Depending on the circumstances, an organisation may implement controls through organisational structures, legally binding agreements, administrative rules or policies, technical measures (e.g. encryption, passwords) and/or physical measures (e.g. restricted access areas). Measures taken need not be the most technically sophisticated technology but should ultimately be sufficiently robust for the purposes of managing the risk of re-identification given the circumstances.
·         Intentional / unintentional re-identification: In the event that an organisation intentionally re-identifies an individual, such deliberate actions will constitute collection of personal data, for which consent is required from the relevant individual. Generally, unintentional re-identification is not considered collection of personal data but the organisation should immediately delete the personal data or re-identifying information, and should evaluate whether the risk management controls in place are adequate. However, the use or disclosure of unintentionally re-identified personal data will be considered to be use or disclosure of personal data which would be subject to requirements under the PDPA.
·         Use of anonymised data within the organisation: PDPC also sets out additional scenarios to illustrate how re-identification risks can be assessed and managed in certain circumstances. One of the scenarios relates to the use of anonymised data within the organisation. In general, if the departments within the organisation have, or are likely to have, access to other information that can be combined with the data in question to re-identify individuals, the data will be considered personal data and the relevant provisions under the PDPA will apply. However, if anonymisation techniques and risk mitigation measures have been applied such that there is no serious possibility that the data can be used to identify any individual, PDPC would consider such data anonymised and the PDPA requirements would not apply. Anonymisation can be relevant to the safe use of data for a particular purpose within an organisation (e.g. where organisations wish to anonymise data for a particular purpose yet retain the original dataset or other information that can re-identify individuals from the anonymised datasets for other purposes). Organisational structures should establish effective barriers to access, by a group (or groups) of users within the organisation, to other information held by the organisation that could be used to re-identify an individual. Organisations must also be mindful of subsequent actions in respect of the anonymised data that could increase the risk of
·         Disclosure of anonymised data to a specific group (or groups) of data recipients: Another scenario which PDPC set out in the revised advisory guidelines relates to instances where an organisation converts personal data into anonymised data in order to disclose it to a specific group (or groups) of recipients outside the organisation for other purposes, while the organisation continues to have access to other information that can re-identify the individuals. Where disclosure of anonymised data is restricted to specific data recipients for their own use, without any further disclosure, the disclosing organisation may consider adopting legal measures to discourage any attempts by the data recipients to re-identify individuals from the anonymised data (e.g. through contractual safeguards). The disclosing organisation could also require that the data recipients put in place additional measures, such as governance frameworks, processes, and controls, to ensure the proper handling of the dataset and further reduce the risk of re-identification.
·         PDPC’s approach to assessment of anonymisation and risk of re-identification: PDPC has taken the position that it will take a holistic view, not restricted to what is discussed in the advisory guidelines, and include any other relevant facts of the case when assessing the anonymisation and risk of re-identification. In this respect, the risk of re-identification may still be considered high and disclosure may still be considered to be of personal data where there are serious doubts about the reliability or reputation of the receiving organisation, even if the relevant organisation has employed robust anonymisation techniques and legal safeguards to prevent re-identification and further disclosure of anonymised data. Overall, the key criterion for applicability of the PDPA requirements to disclosure of data would still be whether there is a serious possibility that individuals can be identified from the disclosed dataset.
Revisions to Advisory Guidelines for the Healthcare Sector
On 28 March 2017, PDPC also updated the Advisory Guidelines for the Healthcare Sector to provide clarity on service reminders. Organisations in the healthcare sector can continue to use personal data collected before 2 July 2014 (i.e. the date on which the PDPA became fully operational) for the same purposes for which the personal data was collected without obtaining fresh consent, unless the individual has withdrawn consent. As such, a clinic may continue to send reminders by post to a patient, from whom personal data was collected by the clinic prior to 2 July 2014, until the patient indicates that he no longer wishes to receive them.
In respect of the Do Not Call (“DNC”) provisions in the PDPA, the revised advisory guidelines clarify that a reminder sent solely for the purpose of reminding a patient of his appointment would unlikely be considered a specified message as the Eighth Schedule of the PDPA excludes any message the sole purpose of which is to facilitate, complete or confirm a transaction that the recipient of the message has previously agreed to enter into with the sender from the definition of a specified message. Hence, such reminders would not likely be caught under the DNC provisions in the PDPA which generally prohibit organisations from sending certain marketing messages (in the form of voice calls, text or fax messages) to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers registered with the DNC Registry. However, organisations may also seek to obtain clear and unambiguous consent for the sending of reminder messages (e.g. when a patient first registers with a clinic) so that they would not be required to check the DNC Registry before sending such messages to patients who have provided the relevant consent.
Reference materials
The revised advisory guidelines are available on the PDPC website
For further information, please contact:
+65 6890 7883
+65 6890 7627
+65 6890 7833
