What is Anonymisation?

The Joint Parliamentary Committee in its report on the Indian Data Protection Bill, 2021 (“DP Bill”) recently included anonymized data within the purview of the bill. The DP Bill defines anonymization in relation to personal data as:

“Such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Data Protection Authority”.

Accordingly, anonymized data under the Data Protection Bill means data that has undergone the process of anonymization.

EU’s General Data Protection Regulation (GDPR), on the other hand, specifically excludes anonymized data from the scope of its applicability. Clarifying that the principles of data protection apply to information concerning an identified or identifiable natural person, Recital 26 of the GDPR does not apply to “anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Therefore, the GDPR does not apply to the processing of anonymous information, including information collected for statistical or research purposes.

What is Pseudonymisation?

The GDPR defines pseudonymisation as:

“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

Key Differences – Pseudonymisation and Anonymisation

Data controllers and processors can de-identify data using two processes: anonymization and pseudonymization. The key differentiator between the two processes is whether the data can be re-identified in the future. Pseudonymised data can eventually be linked back to the individual, and the process can be reversed.

The most common methods for data anonymization are data masking, randomization, and generalisation. When data is randomised, the link between the data and the individual is broken, resulting in data that is no longer recognisable yet valuable to a company. When data is generalised, it loses its detail and becomes unidentifiable. Data masking entails hiding the data using altered values such symbols “x” or “*”. These processes make the detection of data difficult and sometimes impossible.

Australia – Privacy Principles (APP) and Privacy Act, 1988

As per the Privacy Act, 1988, personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable

APP 2 deals with anonymity and pseudonymity according to which, individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter. There are exceptions to this principle, such as obligations under Australian laws, or circumstances that require a personal identity for the entity to process the data.

Information that has undergone an appropriate and robust de-identification process is not personal information, and is not subject to the Privacy Act 1988

The entities that collect and retain information or data that includes personal information must comply with the Australian Privacy Principles (APPs) in the Privacy Act 1988

India – DP Bill

Pseudonymisation has been termed as de-identification and is defined as the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal.²

Pseudonymised data still comes under the ambit of personal data.

The DP Bill empowers the Central Government to frame policies on handling of anonymized data. Further, the Central Government may also direct a data fiduciary or data processor to provide any anonymized personal data for better targeting of delivery of services or formulation of evidence-based policies.

Benefits of Anonymization and Pseudonymization

As per the GDPR, the application of processes like pseudonymization to personal data can mitigate the risk to data subjects and assist data controller and processors in achieving their data protection obligations. The process of anonymization also helps secure data transfers, which are increasingly becoming a need in the digital economy. Anonymization also reduces the possibility of the information being reused in undesired ways. Lastly, the safeguards resulting from processes of anonymization and pseudonymization contribute towards future-proofing an organization’s data privacy policies and reducing costs from any enforcements and fines.

Need help?

Implementing anonymization and pseudonymisation techniques in an organisation for processing personal data shall be clearly explained in their policies, procedures, and controls. With our privacy programs, we can help incorporate a stringent, practical, and flexible compliance program for your organization.