27 February 2018
On 25 January 2018, the Personal Data Protection Commission (“PDPC”) posted a new “Guide to Basic Data Anonymisation Techniques” (“Guide”).
The Guide provides information and examples on anonymisation concepts and techniques for personal data and should be read together with Chapter 3 (Anonymisation) of the PDPC’s Advisory Guidelines on the PDPA for Selected Topics, which sets out PDPC’s interpretation and considerations for determining what constitutes “anonymisation” under the Personal Data Protection Act (“PDPA”).
Intended to provide information on techniques that could be applied in anonymising data, the Guide primarily addresses organisations which do not intend to release the anonymised data into the public domain, but who share data with other organisations or entities, where additional administrative and technical controls may be imposed to reduce the risk of unauthorised disclosure of personal data. Application of these techniques may not necessarily ensure that the data does not pose any serious risk of re-identification and therefore constitutes “anonymised data” to which the PDPA does not apply.
While the Guide seeks to assist organisations in anonymising personal data, the PDPC recognises that there is no “one size fits all” solution for organisations. Each organisation should therefore utilise anonymisation approaches that are appropriate for their circumstances. Some factors that organisations can take into account when deciding on the anonymisation technique(s) to use include:
- the nature and type of personal data that the organisation intends to anonymise, as different anonymisation techniques are suitable for different types of data and circumstances;
- risk management by the organisation to impose controls to protect the anonymised data, in addition to the anonymisation techniques;
- the utility required from the anonymised data.
The following materials are available from the PDPC website www.pdpc.gov.sg: