Data Anonymization Related Laws in the US and the EU. CS and Law Project Presentation Jaspal Singh

The Need for Anonymization
- To share a database packed with sensitive information with third parties or with the entire public
  - Hospitals sharing health data with researchers
  - Websites selling transaction data to advertisers
- Need to anonymize the data to protect the privacy of data subjects and ensure high utility

Naive Anonymization or the De-identification Process
- Remove personal identifiers like name, SSN, etc.
- Many believe this process works perfectly in ensuring utility while maintaining privacy
- Many studies have shown it to be insufficient to protect the privacy of data subjects
- Re-identification/Deanonymization: the process of identifying an individual in anonymized data

Anonymized Databases Undone
- A study by Latanya Sweeney on 1990 census data discovered that (birth date, gender, zipcode) uniquely identify 87.1% of individuals in the US
- Group Insurance Commission, a Massachusetts-based govt. agency that purchased health insurance for state employees, decided to release records summarizing every state employee's hospital visits, removing the fields containing name, address and social security number
- William Weld, then Governor of Massachusetts, assured the public that patient privacy was protected
- Dr. Sweeney purchased the complete voter rolls from the city of Cambridge

Anonymized Databases Undone
- The America Online (AOL) data release
- The Netflix Prize data study

Naive Anonymization or the De-identification Process
- Re-identification/Deanonymization: the process of identifying an individual in anonymized data
- Re-identification techniques: outside information
- More privacy-preserving data anonymization techniques have been designed over time

Anonymization-related laws in the US
- No single set of data protection laws in the US
- Data protection law is a combination of federal and state law
- Different Acts are in place to protect different types of data
- In general, US data protection law assumes that the process of de-identification maintains the privacy of the data subjects

Anonymization-related laws in the US
- Health Insurance Portability and Accountability Act (HIPAA)
  - Introduced in 1996 with the aim to improve healthcare and health insurance in this country
  - De-identification of health information (DHI): DHI is information that does not identify an individual
  - Suppress or generalize 18 identifiers
  - HIPAA itself exempts data protected by DHI from any regulation

Anonymization-related laws in the US
- Driver's Privacy Protection Act
  - Special protection for personal information including SSN, driver identification number, name, address, telephone number
  - Much less protection for information including the 5-digit zip code, information on vehicular accidents, driving violations
- Federal Education Rights and Privacy Act (FERPA)
  - Enforces protection of directory info including name, address, telephone number, place of birth and major field of study
- Federal Drug Administration Regulations
  - Permit disclosure of records about an individual associated with clinical trials after deleting the names and other identifying information

Anonymization-related laws in the EU
- Article 2(a) of the EU Data Protection Directive of 1995
  - Personal data is any information relating to a natural person who is identified or identifiable, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
  - Anonymous data: the complement of personal data
  - The principles of protection shall not apply to data rendered anonymous

Anonymization-related laws in the EU
- Article 2(a) of the EU Data Protection Directive of 1995
  - To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person
  - The provision takes account of the fact that absolute anonymity is not achievable
  - Anonymity is not static: the same information can be anonymous in one context and personal data in another

Anonymization-related laws in the EU
- Article 29 Working Party's Opinions on Anonymization (2014)
  - Body of EU data protection regulators
  - Helps interpret a legal criterion with applicable technical solutions
  - Discusses several anonymization techniques: noise addition, substitution, aggregation, l-diversity, differential privacy
- The new General Data Protection Regulation:
  - Substantially similar definition of personal and anonymous data
  - Concept of personal data made more specific and broadened
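As an added example (not part of the presentation), the following Python code makes the three points above concrete: it measures how many records in a naively de-identified release are still unique on Sweeney's quasi-identifiers (birth date, gender, ZIP), applies a generalization step in the spirit of HIPAA's date and ZIP rules (that rule and the record set are constructed assumptions, not quoted from the slides), and then checks both k-anonymity and the l-diversity criterion that the Article 29 Working Party discusses.

```python
from collections import defaultdict

# Constructed sample records (not real data): a naively "de-identified"
# hospital release that dropped name and SSN but kept the quasi-identifiers
# Sweeney's study points at: full birth date, gender and 5-digit ZIP.
RELEASE = [
    {"dob": "1965-07-31", "sex": "M", "zip": "02138", "diagnosis": "flu"},
    {"dob": "1965-07-31", "sex": "M", "zip": "02139", "diagnosis": "asthma"},
    {"dob": "1965-03-12", "sex": "F", "zip": "02138", "diagnosis": "flu"},
    {"dob": "1965-03-12", "sex": "F", "zip": "02138", "diagnosis": "flu"},
    {"dob": "1970-11-02", "sex": "F", "zip": "02139", "diagnosis": "diabetes"},
    {"dob": "1970-01-20", "sex": "F", "zip": "02139", "diagnosis": "asthma"},
]
QUASI_IDS = ("dob", "sex", "zip")

def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records by their quasi-identifier tuple."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in quasi_ids)].append(r)
    return groups

def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest class; k == 1 means some record is unique."""
    return min(len(g) for g in equivalence_classes(records, quasi_ids).values())

def unique_fraction(records, quasi_ids=QUASI_IDS):
    """Share of records whose quasi-identifier combination occurs only once."""
    classes = equivalence_classes(records, quasi_ids)
    singles = sum(len(g) for g in classes.values() if len(g) == 1)
    return singles / len(records)

def l_diversity(records, sensitive="diagnosis", quasi_ids=QUASI_IDS):
    """Distinct sensitive values in the least diverse class (l == 1: a whole class shares one diagnosis)."""
    classes = equivalence_classes(records, quasi_ids)
    return min(len({r[sensitive] for r in g}) for g in classes.values())

def generalize(records):
    """Assumed HIPAA-style generalization (not quoted from the slides):
    keep only the birth year and the 3-digit ZIP prefix."""
    return [dict(r, dob=r["dob"][:4], zip=r["zip"][:3]) for r in records]

if __name__ == "__main__":
    for label, data in (("naive", RELEASE), ("generalized", generalize(RELEASE))):
        print(label, "k =", k_anonymity(data), "unique =", round(unique_fraction(data), 2),
              "l =", l_diversity(data))
```

On the constructed data, generalization raises k from 1 to 2 and removes every unique record, yet l stays 1 because one class consists only of "flu" cases, which is exactly why the Working Party lists l-diversity alongside k-anonymity-style aggregation.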

Discussion and Conclusion
- Absolute anonymity is not achievable
- Need to take into account:
  - Available technical solutions
  - Risks
  - Use cases of the released data
- US anonymization laws:
  - Aim at hiding personally identifiable information (PII) from the data
  - Different sets of laws for different types of data
  - All laws assume the release-and-forget model of anonymization

Discussion and Conclusion
- EU anonymization laws:
  - Keeping pace with the advancements in the field of anonymization
  - Recommend a list of technical solutions
  - Do not distinguish between different types of data on the basis of usability
- A closer look at each type of data and application setting: check the applicability of differential privacy
- No specific laws regarding anonymization of network data

Questions