De-Identification as Public Policy

Journal of Data Protection & Privacy 3(3): 1-18

30 Pages Posted: 19 Aug 2020

See all articles by Gilad Rosner

Gilad Rosner

University of Nottingham - Horizon Digital Economy Research Institute; Internet of Things Privacy Forum

Date Written: October 1, 2019

Abstract

Canada’s data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not require or incentivize de-identification of personal data for purposes of sharing or research. This regulatory lacuna puts Canadian national law at a disadvantage in contrast with the privacy regimes of other countries, such as the United Kingdom, Australia and the United States, all of whom have regulatory language requiring or incentivizing de- identification by custodians of personal data. This report was commissioned by the Office of the Privacy Commissioner of Canada in service of eventual reform of PIPEDA to include de- identification. The report addresses terminology, definitions, key debates and policy in other jurisdictions. It recommends legal reform, specific regulatory actions, and investigation of emerging policy strategies and lists remaining open questions for the development of a national Canadian de-identification policy. Chief among these recommendations is a reorientation from a regulatory focus on ‘outputs’ (‘Is the dataset rendered anonymous?’) to a focus on ‘process’ (‘Has the data custodian taken proper steps to reduce identification and privacy risks?’). In part, this is based on a rejection of the possibility of ‘irreversible anonymization’. Relatedly, the report argues for requiring a risk management approach to de-identification and for the discouragement of the ‘release-and- forget’ model of data disclosure, which relies only on data transformations while ignoring technical, physical, administrative and contractual controls.

Keywords: de-identification, data protection, privacy, information policy, PIPEDA, Canadian law, anonymity, public policy

Suggested Citation

Rosner, Gilad and Rosner, Gilad, De-Identification as Public Policy (October 1, 2019). Journal of Data Protection & Privacy 3(3): 1-18 , Available at SSRN: https://ssrn.com/abstract=3639304

Gilad Rosner (Contact Author)

Internet of Things Privacy Forum ( email )

University of Nottingham - Horizon Digital Economy Research Institute ( email )

United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
298
Abstract Views
1,145
rank
149,682
PlumX Metrics