The new harmonised EU General Data Protection Regulation entered into force on 24 May 2016 and must be applied from 24 May 2018 without any further transitional period. All companies operating in the EU, regardless of their place of business, are already subject to the legislation. Legal enforcement in Switzerland is already in progress. For us, this is a reason to examine the General Data Protection Regulation in more detail in a series of articles.
The documentation of the Technical and Organisational Measures (“TOMs”) records, for each data processing activity, the means that help achieve adequate protection. The General Data Protection Regulation refers to a series of procedures which are legally privileged, i.e. which can be applied as part of the technical and organisational measures. These are:
- the use of anonymous data,
- the use of pseudonymised data,
- the use of statistical data,
- the use of encrypted data.
This order is not a strict ranking, because the procedures can be combined. In the following, we look at these procedures from the data protection point of view. Implementing them correctly and securely is usually harder than it may appear at first. In the context of an article on data protection, however, these technical aspects would lead too far, which is why we assume a professional and error-free technical implementation. (If only achieving it were so easy.)
Anonymisation is the process of removing from a dataset those characteristics that allow the data to be assigned to specific persons. It is a very useful process when it can be implemented. Anonymisation means that the data is no longer related to a person and is therefore no longer subject to the provisions of the Data Protection Act. As we stated in Part 1 of this series of articles, only data relating to an identified or identifiable natural person is subject to data protection; everything else is not.
Let us assume that we create crime statistics. As a basis for this we have a list of all crime cases of the last 10 years. The anonymization of the offender for his protection now means that the information that makes him identifiable is systematically removed from this list of crime cases. So the first obvious measure is to delete those attributes from the database that allow a direct assignment to a person. This could be, for example, the perpetrator’s name.
However, this does not really make the database anonymous. It still has to be verified whether indirect identification is possible. This is because anonymisation only applies if the person cannot be identified without considerable effort, for example by referring to other sources of information. Perhaps newspaper articles about the act appeared, which make it possible to identify the person again. Or there could be further information stored on the perpetrator. At first glance it might seem inconspicuous, but in many cases it is still possible to trace back to the offender based on it.
Accordingly, an irreversible anonymisation is usually not easy to implement, or is even impossible, given these requirements.
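The two steps described above, deleting the direct identifier and then checking whether the remaining attributes still single out a person, as an added example in Python (not code from the original article). The case records, the extra attributes `age` and `municipality`, and the generalisation rules are constructed for the illustration.

```python
"""Anonymising the crime-records example: delete the direct identifier, then
check whether the remaining attributes still single out a person, and coarsen
them if so. Added illustration; the records below are constructed."""
from collections import Counter

# Constructed sample. 'age' and 'municipality' stand for the inconspicuous
# extra attributes the text warns about.
RAW_CASES = [
    {"name": "Anna Muster", "offence": "burglary", "month": "2017-03", "age": 34, "municipality": "Bern"},
    {"name": "Beat Beispiel", "offence": "burglary", "month": "2017-05", "age": 38, "municipality": "Thun"},
    {"name": "Carla Vorbild", "offence": "burglary", "month": "2017-06", "age": 31, "municipality": "Kleindorf"},
    {"name": "Anna Muster", "offence": "theft", "month": "2017-09", "age": 34, "municipality": "Bern"},
]
DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("offence", "month", "age", "municipality")


def drop_direct_identifiers(records):
    """First measure from the text: remove attributes that name the person."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def unique_combinations(records, quasi=QUASI_IDENTIFIERS):
    """Combinations of remaining attributes that occur in only one record.
    Anyone who knows these values from another source (a newspaper report,
    a public register) can re-identify that record."""
    counts = Counter(tuple(r.get(q) for q in quasi) for r in records)
    return [combo for combo, n in counts.items() if n == 1]


def generalise(records):
    """Coarsen attributes so more records share the same combination:
    year instead of month, a 10-year age band, and no municipality."""
    out = []
    for r in records:
        g = dict(r)
        g["month"] = r["month"][:4]
        g["age"] = f"{r['age'] // 10 * 10}s"
        del g["municipality"]
        out.append(g)
    return out


def suppress_unique(records, quasi=QUASI_IDENTIFIERS):
    """Last resort: drop records that are still unique after generalisation."""
    unique = set(unique_combinations(records, quasi))
    return [r for r in records if tuple(r.get(q) for q in quasi) not in unique]
```

On this sample every record is unique after the name is deleted; generalisation leaves one unique record (the theft case), which then has to be suppressed, illustrating why full anonymisation often costs data.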
Pseudonymization is the process of removing personal identifying information from data sets and storing them separately. It is therefore a kind of partial anonymisation. The key for the reconversion is kept in a separate location.
Let us illustrate this with the example from the section on anonymisation. Pseudonymisation would mean that the first name and surname of the perpetrator are deleted from the database, just as during anonymisation. In their place, a unique serial number is assigned. A translation table is then kept in a second data store, which contains the surname and first name corresponding to each serial number. This key table must be stored separately from the data and specially protected.
Pseudonymisation is therefore not as effective as anonymisation. However, it increases the effort required to identify people. For this reason, this procedure is legally privileged if full anonymisation is not possible.
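The serial-number scheme just described, as an added Python example (not code from the original article): the names are removed from the case records and survive only in a separate key table, which is all that is needed to reverse the process. The records and the choice to give a repeat offender the same serial number are assumptions of the example.

```python
"""Pseudonymising the crime-records example: the offender's first name and
surname are replaced by a serial number, and the mapping back is kept in a
separate key table. Added illustration; the records below are constructed."""

# Constructed sample: raw case records with direct identifiers.
RAW_CASES = [
    {"case_id": 1, "first_name": "Anna", "surname": "Muster", "offence": "burglary", "month": "2017-03"},
    {"case_id": 2, "first_name": "Beat", "surname": "Beispiel", "offence": "theft", "month": "2017-03"},
    {"case_id": 3, "first_name": "Anna", "surname": "Muster", "offence": "fraud", "month": "2017-05"},
]
DIRECT_IDENTIFIERS = ("first_name", "surname")


def pseudonymise(records):
    """Return (pseudonymised_records, key_table).

    Assumption made here: the same person receives the same serial number in
    every record, so repeat offenders can still be counted. The serial is a
    plain counter and carries no information about the name; deriving it from
    the name (e.g. by hashing) would let anyone who can guess names skip the
    key table. The key table is the only place where the name survives and
    must be stored separately from the pseudonymised data.
    """
    key_table = {}          # serial -> (first_name, surname)
    serial_by_person = {}   # (first_name, surname) -> serial
    pseudonymised = []
    for rec in records:
        person = tuple(rec[field] for field in DIRECT_IDENTIFIERS)
        if person not in serial_by_person:
            serial = len(serial_by_person) + 1
            serial_by_person[person] = serial
            key_table[serial] = person
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["offender_serial"] = serial_by_person[person]
        pseudonymised.append(out)
    return pseudonymised, key_table


def reidentify(pseudonymised, key_table):
    """Reverse the pseudonymisation. Without the key table this is not
    possible, which is why the table needs its own, stricter protection."""
    result = []
    for rec in pseudonymised:
        first, last = key_table[rec["offender_serial"]]
        out = {k: v for k, v in rec.items() if k != "offender_serial"}
        out.update(first_name=first, surname=last)
        result.append(out)
    return result
```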
Statistical data are aggregations of data from individual cases. To stick with the example of crime statistics mentioned above, this would mean that the starting point for updating the data is always an individual case, but the data is only stored as a sum of incidents, e.g. the number of burglaries per month. Such an aggregation also results in a partial anonymisation with the same data protection advantages. It should be noted that with a small number of cases, the sum of a single case in the statistics remains a single case, i.e. identification of the person becomes potentially possible again.
Example: Insufficient protection of voting secrecy in statistics
The local authorities were supposed to record the votes of “their Swiss abroad” separately by e-voting on Voting Sunday, so that the public could be informed transparently about the use of this voting channel, partly because of concerns about possibilities of manipulation. Unfortunately, in practice it turned out that some small municipalities had only a handful of registered Swiss abroad and therefore only a few votes were cast. As a result, it was possible to learn from the statistics how the Swiss abroad in question had voted. The problem was finally solved by no longer crediting these votes to the municipalities, but to a separate, cross-municipal voting group for Swiss abroad.
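The small-number problem and the fix from the voting example, as an added Python example (not code from the original article): ballots are tallied per municipality, municipalities below a minimum group size are flagged, and their ballots are credited to a pooled cross-municipal group instead. The ballots and the threshold of five are constructed assumptions.

```python
"""Aggregating e-votes of Swiss abroad per municipality and merging groups that
are too small into one cross-municipal voting group, as in the example in the
text. Added illustration; the ballots below are constructed."""
from collections import Counter, defaultdict

# Constructed sample: one entry per cast ballot (municipality, choice).
BALLOTS = [
    ("Bern", "yes"), ("Bern", "no"), ("Bern", "yes"), ("Bern", "yes"), ("Bern", "no"),
    ("Kleindorf", "no"),                                  # a single Swiss abroad voted here
    ("Mittelberg", "yes"), ("Mittelberg", "yes"),         # two voters, and the sum reveals both
    ("Oberdorf", "yes"), ("Oberdorf", "no"), ("Oberdorf", "yes"),
]
MIN_GROUP = 5   # assumed threshold: smaller groups are not published on their own
POOLED = "cross-municipal group (Swiss abroad)"


def naive_statistics(ballots):
    """Per-municipality tallies with no suppression; small groups leak votes."""
    tallies = defaultdict(Counter)
    for municipality, choice in ballots:
        tallies[municipality][choice] += 1
    return {m: dict(c) for m, c in tallies.items()}


def disclosing_groups(stats, min_group=MIN_GROUP):
    """Groups whose total is below the threshold, i.e. where the published sums
    can be traced back to individual voters."""
    return sorted(m for m, c in stats.items() if sum(c.values()) < min_group)


def protected_statistics(ballots, min_group=MIN_GROUP):
    """Same tallies, but ballots from municipalities below the threshold are
    credited to one pooled group (the fix described in the text). The caller
    should run disclosing_groups() on the result again: if the pooled group
    is itself too small, it has to be pooled further or withheld."""
    per_municipality = naive_statistics(ballots)
    small = set(disclosing_groups(per_municipality, min_group))
    result = defaultdict(Counter)
    for municipality, choice in ballots:
        key = POOLED if municipality in small else municipality
        result[key][choice] += 1
    return {m: dict(c) for m, c in result.items()}
```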
Encrypting data is a method to enhance data security. In a first step, data is usually protected against access by unauthorized persons via firewalls, authorization concepts, and so on. Through the use of encryption, this access can be restricted even more specifically to only a few specific persons. In particular, the use of encryption can, for example, prevent access by internal system administrators and other IT personnel or at least restrict it to a select few. This introduces an additional security hurdle for potential attackers in case the other protective measures are circumvented.
However, any encryption method is only as secure as the keys used and their storage. It is often difficult to achieve truly effective protection, because a “pragmatic” implementation often results primarily in so-called security by obscurity, i.e. a nice sedative pill with the effectiveness of a placebo: you feel better, but not because of the ingredients.
Data encryption also has major disadvantages. On the one hand, there is usually a loss of performance, i.e. all processing takes longer and the system slows down. On the other hand, recovering and restoring service after a failure is also slower and more difficult.
From a data protection point of view, it is always preferable to encrypt as much personal data as possible. However, with regard to cost efficiency, i.e. the additional protection actually achieved per unit of invested capital, the calculation often does not add up. Encryption is therefore only used selectively, in the cases where it is most useful in preventing considerable risks.
So which method to use where?
The procedures presented here, which are privileged under data protection law, form a toolbox for increasing the protection of persons. All are desirable, with complete anonymisation being the ideal solution. Which procedures to use is decided on the basis of the risk assessment and the data protection impact assessment.
Our series of articles on the subject
- In the lead-in article, we drew attention to the need for action.
- In the first part of the series, we introduced the various actors and set the framework.
- In Part 2, we examined the principles of data protection based on four pillars.
- Part 3 explains the special requirements for the processing of special categories of personal data and profiling, which is regarded as particularly critical.
- This Part 4 highlights legally privileged, desired processing methods.
- The last part of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT projects.
About the author
Stefan Haller is an IT expert specializing in risk management, information security and data protection at linkyard. He supports companies and authorities with risk analysis in projects, the conception and implementation of compliance requirements in software solutions as well as with the creation of IT security and authorization concepts. He holds a certification in Risk Management and has carried out numerous security audits on the basis of the ISO 27001 standard as an internal auditor for more than 10 years.
Do you have any questions about implementation in your company? firstname.lastname@example.org | +41 78 746 51 16