Canadian Tech Experts See Anonymization, or De-Identifying Data, as New Privacy Solution

By: Lee Rickwood

October 9, 2013

‘Oh, *@#%! – we have a privacy breach!’

Data anonymity may be a way to protect personal privacy and corporate propriety


It’s a much-too-often repeated invective: be it the result of criminal activity, strategic surveillance gone wild, or carelessness in the extreme, the loss of personal, private or proprietary data seems unpreventable.

As individuals and organizations seek new ways to protect their valuable data, identity and privacy, the notion that data can be ‘anonymized’ is gaining more traction than the hope it can be protected.

Anonymization, or data de-identification, is a process that removes and separates the data links and associations between identifying data and the data subject.

Identifying data includes names, biometrics, phone numbers – anything in a digital record or data file that directly and specifically identifies an individual.

But anonymization doesn’t mean simply masking names or other direct identifiers, although that can be a part of the process; rather, it seeks to remove the associations made among data fields in a file or set of files.

Imagine a typical spreadsheet in which one cell or bit of information – a patient name, for example – can only be linked with another cell – say, a disease name – in a traceable, repeatable and auditable process that ensures the data itself is still useful, but the person or entity it describes is not identifiable.

Particularly in health care and matters dealing with medical records, the process is seen as a way to provide additional assurances that data is better protected even as it is used in diagnosis, treatment or research purposes, while respecting and protecting individual privacy.

While it is possible that de-identification of data can greatly enhance the use and disclosure of any data collection, its application in health care is seen as a crucial and necessary next step.

Health care continues to be one of many sensitive arenas where data protection is much needed – still!

In the latest of a continuing series of stories about lost health care data, the records of some 18,000 people in Ontario were on a smart card, stolen from an employee’s car.

So, in a series of important workshops and conference presentations about data privacy and data protection in Canada, the de-identifying of data will be described as one of the strongest privacy solutions.

Ontario's Privacy Commissioner

Dr. Ann Cavoukian.

Speakers at the Privacy and Access 20/20 Conference, now on in Vancouver, BC, include Dr. Ann Cavoukian, Information and Privacy Commissioner for Ontario and Dr. Khaled El Emam, Associate Professor and Canada Research Chair in Electronic Health Information, University of Ottawa (among many others); they will address data de-identification in general, and proposals for comprehensive guidelines and standards for the de-identification of health information in specific.

Outright masking, or the use of other transformational data, is one anonymizing technique, and it can hide or mask names or other identifying information. A more complex statistical de-identification can also be applied to cover less specific ‘quasi-identifiers’ like date of birth, or hospital admission date.
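An added illustration of the two techniques just described (not from the article, and not Privacy Analytics' software): names are masked with a keyed hash, the quasi-identifiers are coarsened, and re-identification risk is measured as 1 divided by the number of records sharing the same quasi-identifier values. The records, key, field layout and the 0.5 threshold are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real data): name, date of birth, admission date, diagnosis.
RECORDS = [
    ("Alice Tremblay", "1961-03-14", "2013-02-03", "asthma"),
    ("Bob Singh",      "1961-11-02", "2013-02-19", "diabetes"),
    ("Carol Wong",     "1961-07-22", "2013-02-27", "asthma"),
    ("Dan Roy",        "1975-01-09", "2013-05-11", "fracture"),
    ("Eve Martin",     "1975-08-30", "2013-05-21", "asthma"),
    ("Frank Okoye",    "1988-12-01", "2013-09-15", "diabetes"),
]
SECRET = b"constructed-demo-key"  # assumption: a key held only by the data custodian


def pseudonym(name, key=SECRET):
    """Mask the direct identifier: repeatable for linkage, not reversible without the key."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:12]


def generalize(dob, admitted):
    """Coarsen quasi-identifiers: birth date -> year, admission date -> year-month."""
    return dob[:4], admitted[:7]


def deidentify(records, coarsen=True):
    """Return (pseudonym, quasi-identifier tuple, diagnosis) for each record."""
    rows = []
    for name, dob, admitted, diagnosis in records:
        qi = generalize(dob, admitted) if coarsen else (dob, admitted)
        rows.append((pseudonym(name), qi, diagnosis))
    return rows


def risky_rows(rows, threshold):
    """Rows whose risk (1 / size of their quasi-identifier group) exceeds the threshold."""
    groups = Counter(qi for _, qi, _ in rows)
    return [row for row in rows if 1 / groups[row[1]] > threshold]


if __name__ == "__main__":
    masked_only = deidentify(RECORDS, coarsen=False)
    coarsened = deidentify(RECORDS)
    print("masking only, rows over threshold:", len(risky_rows(masked_only, 0.5)))
    print("after coarsening, rows over threshold:", risky_rows(coarsened, 0.5))
```

Masking alone leaves every record unique on its exact dates; after coarsening, one record is still alone in its group and would need further generalization or suppression before release.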

Dr Khaled El Emam


Dr. El Emam is well-regarded in the data protection and privacy community as one of only a handful of individuals recognized to certify the de-identification of personal health information in North America.

He’s advised an Ottawa-based company on its development of de-identification tools, and on the underlying Format Preserving Encryption technology used to create pseudonyms and custom masks.

Privacy Analytics has unveiled software for data anonymization, and its latest version, PARAT V5.2, includes customizable tools for masking data features, even the ability to localize to the user’s country, Canada or the United States.

Privacy Analytics says its products can “facilitate innovation to improve society and still meet stringent legal, privacy and compliance regulations.”

Its software has what’s called a Risk Measurement Functionality that lets users monitor and manage de-identification risk threshold settings and integrate de-identification solutions into their own data applications and analytical workflows.

The Canadian company plans a number of educational and informative communications including user group sessions, monthly webinars, weekly technical articles, social media engagements, and a new quarterly corporate magazine.

The B.C. privacy conference, by the way, is being hosted by the Office of the Information and Privacy Commissioner for B.C., on the occasion of the 20th Anniversary of the Freedom of Information and Protection of Privacy Act.

Privacy and Access 20/20: A New Vision for Information Rights will look back on the privacy and access journey over the past 20 years in B.C., but sessions will also look forward.

In a panel discussion entitled: The Future of Surveillance in Canada, the impact of ubiquitous surveillance technologies on the lives of ordinary citizens will be examined.

Dr. Colin Bennett, Professor of Political Science, University of Victoria, will moderate a panel with Dr. David Lyon, Queen’s Research Chair in Surveillance Studies, Professor of Sociology, Professor of Law, Queen’s University; Dr. Kevin Haggerty, Professor of Criminology and Sociology, University of Alberta; and Steve Anderson, Executive Director, Open Media.

 

-30-

 

submitted by Lee Rickwood

 

 

 


1 comment

  1. Peter Meyler

    Investigators have shown that anonymization does not work very well. Some individuals can still be identified even after anonymization has been carried out. The following paper covers this topic:

    Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization

    Paul Ohm
    University of Colorado Law School

    August 13, 2009

    UCLA Law Review, Vol. 57, p. 1701, 2010
    U of Colorado Law Legal Studies Research Paper No. 9-12
