
ASEAN Guide on Data Anonymisation

Contents

EXECUTIVE SUMMARY 1

1) INTRODUCTION 4

2) TERMINOLOGY AND KEY CONCEPTS 8

3) THE ANONYMISATION PROCESS 15

ANNEX A: Basic Data Anonymisation Techniques 28

ANNEX B: An Overview on K-anonymity, L-diversity and T-closeness 44

ANNEX C: Common Misunderstandings in Anonymisation 48

ANNEX D: Anonymisation Tools 50


EXECUTIVE SUMMARY

The ASEAN Guide on Data Anonymisation (this “Guide”) is a technical and application-oriented introductory guide to anonymisation of personal data.

Part 1: Introduction

Part 1 of this Guide introduces the Guide’s purpose and scope. Specifically, the purpose of this Guide is to provide information and guidance on basic data anonymisation that may be referenced by policymakers, regulators as well as industry organisations within countries who are members of the Association of Southeast Asian Nations (“ASEAN”). As member states are increasingly adopting data protection laws, this Guide may be particularly useful as a baseline for adaptation to their specific jurisdictional contexts. To this end, it sets out a general introduction to the anonymisation process and some common anonymisation techniques.

Data anonymisation is a risk-based process of converting personal data into data that can no longer be used to identify an individual, either alone or in combination with other information, by applying relevant techniques and in combination with governance measures. Whether a set of data can be considered no longer able to identify an individual would depend on the level of re-identification risks and the applicable data protection laws. While data anonymisation is not necessarily a specific legal requirement under many data protection laws in ASEAN, practising data anonymisation can assist in the protection of personal data, facilitate compliance with applicable data protection laws and provide additional benefits (e.g., safe sharing and collaboration using data from individuals).

Part 2: Key Concepts and Terminology

Part 2 of this Guide discusses key concepts and terminology at an introductory level, which can serve as a useful reference and promote harmonisation in data anonymisation practices across ASEAN jurisdictions. For example, it sets out the definition of a data attribute and how it may be categorised as a direct identifier, indirect identifier, or target attribute before the anonymisation process. Similarly, it explains identifiability and related concepts, which facilitates effective categorisation of data attributes, application of anonymisation techniques and risk assessments. It also describes typical scenarios (also known as use cases) for anonymisation such as internal and external data sharing, to illustrate the outcomes of anonymisation.

The annexes to this Guide provide a more detailed and technical explanation of various concepts as follows:

• Annex A: Basic Data Anonymisation Techniques

• Annex B: An Overview on K-Anonymity

• Annex C: Common Misunderstandings in Anonymisation

• Annex D: Anonymisation Tools

Part 3: The Anonymisation Process

Part 3 of this Guide provides an overview of the nature of anonymisation techniques in general, briefly summarises good practices for documentation, and sets out key anonymisation steps that can be adopted as part of the anonymisation process. The necessity of tailoring these steps to suit specific requirements, and/or repeating steps to better achieve anonymisation, depends on factors such as the use case and complexity of the data.

Anonymisation Steps

The anonymisation steps in this Guide are summarised in the following diagram[1]:

For avoidance of doubt, the steps ‘Apply anonymisation techniques’ and ‘Compute your risk’ (steps 3 and 4 above) can be an iterative process (hence represented in a loop).

STEP 1

Step 1 (know your data) involves understanding the suitability of data for anonymisation, and the appropriateness of anonymisation for the intended use case. There are various factors to consider, such as the nature of use and extent of disclosure. Data minimisation should be practised to exclude any data attributes which are not needed for the use case, and to limit the data to a sample of records rather than the full dataset (where possible).

[1] Diagram reproduced with permission from the Singapore Personal Data Protection Commission’s Guide to Basic Anonymisation.

STEP 2

Step 2 (de-identify your data) involves the removal of direct identifiers from the data and, optionally, using reversible pseudonymisation where there is a need to be able to link each record in the (anonymised) dataset back to a unique individual and/or back to the original database.

STEP 3

Step 3 (apply anonymisation techniques) involves the application of anonymisation techniques to indirect identifiers in the de-identified dataset, so that they cannot be easily combined with other datasets that may contain additional information to re-identify individuals.

STEP 4

Step 4 (compute your risks) involves an established risk threshold for anonymisation and the application of procedures to determine whether a sufficient anonymisation level has been achieved. If the risk threshold has not been met, Step 3 (apply anonymisation techniques) should be repeated. A final risk assessment should be conducted and residual risks will need to be reviewed, as this would affect the additional risk management measures/controls that need to be applied in Step 5 below. This is especially important in cases where the final anonymisation level is insufficient to satisfy the legal threshold (i.e. relevant data protection requirements).

STEP 5

Step 5 (manage your risks) involves the imposition of controls/measures in relation to the anonymised data, to further reduce the risks of re-identification of the data. Such measures are usually contractual, administrative and/or technical in nature.
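The following Python is an added example, not code from the Guide or the Singapore PDPC, walking Steps 2 to 4 over a constructed customer table: direct identifiers are dropped (optionally replaced by a keyed pseudonym), indirect identifiers are generalised, and the Step 3/4 loop coarsens them until the risk threshold is met or the schedule runs out, leaving residual risk for Step 5. The risk measure (1 divided by the smallest group of records sharing the same indirect-identifier values, the k-anonymity view that Annex B introduces), the 0.5 threshold, the generalisation ladders and the HMAC pseudonym are this example's own assumptions.

```python
"""Added example (not from the ASEAN Guide): Steps 2 to 4 of the Guide's
anonymisation process applied to a constructed customer table."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: direct identifiers (name, email), indirect
# identifiers (age, postcode, gender) and one target attribute (salary).
RECORDS = [
    {"name": "Ann Lee", "email": "ann@example.com", "age": 34, "postcode": "238801", "gender": "F", "salary": 5200},
    {"name": "Ben Tan", "email": "ben@example.com", "age": 37, "postcode": "238812", "gender": "F", "salary": 6100},
    {"name": "Cai Wong", "email": "cai@example.com", "age": 41, "postcode": "238899", "gender": "M", "salary": 7300},
    {"name": "Dev Raj", "email": "dev@example.com", "age": 45, "postcode": "238850", "gender": "M", "salary": 6900},
    {"name": "Eka Putri", "email": "eka@example.com", "age": 52, "postcode": "310012", "gender": "F", "salary": 8800},
    {"name": "Fay Lim", "email": "fay@example.com", "age": 58, "postcode": "310045", "gender": "F", "salary": 9100},
]
DIRECT = ("name", "email")
INDIRECT = ("age", "postcode", "gender")

def de_identify(records, key=None):
    """Step 2: drop direct identifiers. With a key, add a keyed-hash pseudonym
    (assumed technique) so only the key holder can link a row back to its source."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT}
        if key is not None:
            row["pseudonym"] = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append(row)
    return out

def generalise(attr, value, level):
    """Assumed generalisation ladders: level 0 is the raw value, higher is coarser."""
    if attr == "age" and level > 0:             # 10-year bands, then 20-year bands
        band = 10 if level == 1 else 20
        low = (value // band) * band
        return f"{low}-{low + band - 1}"
    if attr == "postcode":                      # blank out two more digits per level
        keep = max(0, len(value) - 2 * level)
        return value[:keep] + "*" * (len(value) - keep)
    if attr == "gender" and level > 0:
        return "*"
    return value

def apply_techniques(records, levels):
    """Step 3: generalise every indirect identifier; target attributes stay as they are."""
    return [{**r, **{a: generalise(a, r[a], levels[a]) for a in INDIRECT}} for r in records]

def compute_risk(records):
    """Step 4: risk = 1 / size of the smallest group of records sharing the same
    indirect-identifier values (the k-anonymity view); 1.0 means a record is unique."""
    groups = Counter(tuple(r[a] for a in INDIRECT) for r in records)
    return 1.0 / min(groups.values())

def anonymise(records, threshold=0.5, key=None):
    """Steps 2 to 4 with the Step 3/4 loop: coarsen one attribute per round until the
    risk is at or below the (assumed) threshold or the schedule is exhausted."""
    data = de_identify(records, key)
    levels = {a: 0 for a in INDIRECT}
    schedule = ["postcode", "age", "gender", "postcode", "age", "postcode"]
    for i in range(len(schedule) + 1):
        out = apply_techniques(data, levels)
        risk = compute_risk(out)
        if risk <= threshold or i == len(schedule):
            break                               # threshold met, or residual risk left for Step 5
        levels[schedule[i]] += 1
    return out, risk, dict(levels)
```

With the default threshold the loop stops after generalising postcode and age once; with a stricter threshold (e.g. 0.34) the schedule is exhausted at a risk of 0.5, which is the residual risk that Step 5 controls must then address.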

PART 1: INTRODUCTION

Purpose of this Guide

The purpose of this Guide is to provide information and guidance on basic data anonymisation concepts and techniques. It is aimed primarily at governments and industry organisations that process personal data and are located in countries who are members of ASEAN, and those working within such organisations. It will also benefit those working in fields of risk assessment and compliance who may need to appreciate and understand the capabilities and limitations of anonymisation techniques in the context of their specific domain.

Data anonymisation may not necessarily be a specific requirement under various countries’ data protection laws. However, anonymised data is generally not considered personal data and thus, not subject to data protection laws. Besides that, anonymising personal data would also enable organisations to enjoy the practical benefits summarised at paragraph 1.2 below.

Anonymisation is a risk-based process of converting personal data into data that can no longer be used to identify an individual, either alone or in combination with other information, by applying relevant techniques and in combination with governance measures. Whether a set of data can be considered no longer able to identify an individual would depend on the level of re-identification risks and the applicable data protection laws. The specific type and number of anonymisation techniques as well as governance controls to apply to achieve anonymisation will depend on the sensitivity of the data itself, the intended use case for the anonymised data, and the assessed risks and potential attacks regarding such data.

A proper risk assessment helps to determine the amount of resources that ought to be invested for data anonymisation to strike the appropriate balance between the utility/usefulness and anonymity of the data. In short, anonymisation is a risk-based process which requires understanding the requirements of the intended use case and assessing the risks involved.

Benefits of Anonymisation

Engaging in anonymisation of personal data has several key benefits. These include:

(a) Building trust in organisations’ data protection practices;

(b) Enabling the safe use of data while preserving the data’s utility and individuals’ privacy during analysis and research, which may be carried out with partners through the sharing of anonymised data;

(c) Promoting data sharing and collaboration as anonymised data can be shared with third parties and across jurisdictions safely and without infringing individuals’ privacy;

(d) Demonstrating good governance over data and increasing consumers’ confidence that their personal data is protected when data is shared amongst businesses and across borders;

(e) Enhancing individuals’ privacy and safeguards against data misuse and exploitation, especially when used in combination with governance measures/controls to minimise unauthorised access to data; and

(f) Reducing the impact or harm to individuals in the event of a data breach, including identity theft.

Scope of this Guide

This Guide provides a general introduction to the anonymisation process and some common anonymisation techniques[2].

These anonymisation techniques are suitable for data where each record within the data pertains to and represents a single individual. Additionally, the anonymisation process set out in this Guide assumes that the data which anonymisation techniques are applied to are complete and accurate or have been pre-processed so that they are sufficiently complete and accurate for anonymisation. As pre-processing data, sometimes referred to as data cleansing, is a major topic on its own, it is outside the scope of this Guide.

This Guide focuses on tabular and similarly structured data, which is typically stored in Excel sheets, SQL databases, JSON format, CSV format, etc., as these are the most commonly used formats to store and process datasets.

Data Protection Landscape in ASEAN

Across ASEAN, member states are increasingly adopting data protection laws. At present, Singapore, Malaysia, Thailand, the Philippines, Indonesia and Vietnam have an existing overarching data protection law[3]. In addition, as of December 2024, Brunei Darussalam and Cambodia are in the process of enacting their own data protection laws[4].

Based on a survey conducted across the ASEAN member states, about half of the ASEAN member states have laws, regulations, guidelines[5], or standards relating to data anonymisation and a corresponding number of ASEAN member states have observed that it is common (and practicable) for private or government organisations to perform data anonymisation in their jurisdictions. While there were indications that simpler anonymisation techniques such as character masking and de-identification were primarily adopted, more sophisticated anonymisation techniques were also sometimes utilised.

Important Note: This Guide is primarily a ‘technical and application-oriented’ introduction to the common concepts around anonymisation in the context of personal data protection laws. Data protection laws vary across the ASEAN member states, and the legal definition and treatment of ‘anonymised data’ and other concepts introduced in this Guide may also differ across jurisdictions. Nevertheless, this Guide aims to set out a risk-based approach to anonymisation that can serve as a useful reference across ASEAN (which can then be adapted for each jurisdiction’s specific requirements).

[2] For further information and resources, please refer to international standards such as ISO/IEC 20889:2018 on privacy enhancing data de-identification terminology and classification of techniques and ISO/IEC 27559:2022 on information security, cybersecurity and privacy protection - privacy enhancing data de-identification framework.

[3] See Singapore’s Personal Data Protection Act 2012; Malaysia’s Personal Data Protection Act 2010; Thailand’s Personal Data Protection Act B.E. 2562 (2019); the Philippines’ Republic Act No. 10173 – Data Privacy Act of 2012; Indonesia’s Law No. 27 of 2022 on Personal Data Protection; and Vietnam’s Decree No. 13/2023/ND-CP on the Protection of Personal Data.

[4] See, for instance, Brunei Darussalam’s Authority for Info-communications Technology Industry’s website (accessible at: .bn/regulatory/pdp/), and the Ministry of Post and Telecommunication of Cambodia’s public announcement dated 4 November 2022 (accessible at: /announcements/press-release-on-the-progress-of-digital-policies-and-regulations-in-the-digital-sector-in-cambodia/).

[5] See Singapore’s Personal Data Protection Commission’s Guide to Basic Anonymisation, accessible at: .sg/help-and-resources/2018/01/basic-anonymisation.


PART 2: TERMINOLOGY AND KEY CONCEPTS

2.1 Key Terms

The concept of anonymisation is fairly new to many organisations. Hence, various key terms sometimes bear a different meaning when used by organisations, as compared to their specific meaning under different data protection laws. For the purposes of this Guide, the following table provides the definitions of key terms used in this Guide[6]:

Term: Personal data
Definition/Explanation of Concept: Generally, this refers to data about an individual who can be identified from that data alone or in combination with other information to which an organisation has or is likely to have access.

Term: Non-personal data
Definition/Explanation of Concept: This refers to data that does not relate to an individual.

Term: De-identified data
Definition/Explanation of Concept: This generally refers to data from which direct identifiers (see below for the definition of “direct identifiers”) have been completely removed, voided (set to “null”) or overwritten.

Term: Data attribute
Definition/Explanation of Concept: This refers to features/characteristics of a dataset, e.g., customer names, products purchased and so on. Hence, data attributes are the inputs in an anonymisation process.

Term: Anonymisation
Definition/Explanation of Concept: This refers to a risk-based process of converting personal data into data that can no longer be used to identify an individual, either alone or in combination with other information, by applying relevant techniques and in combination with governance measures. Whether a set of data can be considered no longer able to identify an individual would depend on the level of re-identification risks and the applicable data protection laws (see also definition of “anonymised data” below).

Term: Anonymised data
Definition/Explanation of Concept: This refers to data to which anonymisation techniques have been applied (if necessary, in combination with governance measures) to achieve a low level of re-identification risk, so as to meet a particular legal and/or industry-accepted (e.g., risk-based) standard. Generally, anonymised data is not considered personal data under a jurisdiction’s data protection laws. Whether or not data is sufficiently anonymised would depend on the applicable laws. Hence, organisations should refer to the regulatory guidance on anonymisation standards in their respective jurisdictions (if any), to ensure compliance with relevant data protection legal requirements.

[6] Note that these are not legal definitions and are intended only to provide guidance on the terms used in this Guide. The terms in the table may have variations in their specific legal definitions across different jurisdictions.

2.2 Identifiers and Target Attributes

It is important to understand how data attributes, which are inputs for the anonymisation process, are categorised before anonymisation is performed. This facilitates a proper execution of risk assessments and achievement of desired outcomes. Data attributes are usually categorised as follows:

(a) Direct identifier: A direct identifier (also referred to as “unique identifier”[7]) is usually seen as a ‘high risk’ attribute. These are data attributes that are unique to an individual and can be used to identify the individual. Because a person may be identifiable from a single direct identifier, all direct identifiers need to be removed as part of the anonymisation process.

(b) Indirect identifier: An indirect identifier (also referred to as “quasi-identifier”) is usually seen as a ‘medium risk’ attribute. These are data attributes that are not unique to an individual but can potentially identify an individual when combined with other indirect identifiers. Many data anonymisation techniques primarily focus on the treatment of indirect identifiers in order to achieve a sufficient level of anonymisation.

(c) Target attribute: A target attribute often contains the main utility of the dataset (i.e., they are pieces of useful information associated with the individual). It is usually seen as a ‘low risk’ attribute in terms of its potential to re-identify the relevant individual as it is usually information that is not publicly or easily accessible to others. Nevertheless, such attributes may be sensitive and may result in high potential for adverse effect to the individual if disclosed.

[7] Note that although these terms are sometimes used interchangeably, a unique identifier is not always a direct identifier because sometimes a pseudonym, record identifier or foreign key can be unique but not identifying.

The appropriate categorisation for any given data attribute depends on the broader context in which the data attribute is located. For example, data attributes that would ordinarily be indirect identifiers in larger datasets could become direct identifiers in smaller datasets (e.g., information about a small group of people, each person being of a different age). Hence, the categorisation of data attributes is not always a trivial process and often requires some deliberation.

Some examples for a typical categorisation of data attributes are listed below. For avoidance of doubt, these are not intended to serve as a legal definition or classification under any of the laws of the ASEAN member states.

Direct Identifiers

• Account number
• Birth certificate number
• Email address
• Full name
• Mobile phone number
• National identification number
• Passport number
• Social media username
• Biometric data

Indirect Identifiers

• Address
• Postal code/Postcode
• Age
• Date of birth
• Sex/Gender
• Marital status
• Race
• Company name
• Job title
• Vehicle license plate number/vehicle registration number
• Internet Protocol address
• Weight/Height
• Geolocation

Target Attributes

• Financial transactions
• Retail purchases
• Salary
• Credit rating
• Insurance policy
• Medical diagnosis
• Vaccination status

2.3 Identification, De-identification and Re-identification

To properly place attributes or identifiers of a given dataset into one of the three categories above, it is important to understand the process of “identification”, “de-identification” and “re-identification”, as well as what it means for an individual to be “identifiable” from a dataset. These terms can be understood as follows:

(a) Identifying, Identifiable: As an action, “identifying” and “identification” refer to a process of establishing one or more individuals’ identity from the data. When evaluating a dataset, “identifying characteristics” refers to the information content contained in the dataset which is sufficient to establish the identity of one or more individuals. Hence, an individual is “identifiable” from data if it contains identifying characteristics pertaining to the individual.

(b) De-identification: De-identification usually refers to a complete removal, voiding (setting to “null”) or overwriting of direct identifiers in the dataset. This does not necessarily result in complete anonymisation of the data – individuals may be identified from indirect identifiers when combined with other information.

(c) Re-identification: This term is commonly used to refer to the identification of an individual from a dataset that was previously de-identified or anonymised. It can sometimes involve the reversal of previous steps taken to perform de-identification or anonymisation, or the combination of various datasets to obtain identifying characteristics (as described above).

A general approach to determine the respective attribute type (e.g., direct identifier, indirect identifier, and target attribute) in the absence of a specific list from the relevant data protection authority (“DPA”) can be gleaned from the chart below. Organisations may wish to consider establishing and following a similar approach to sort data attributes into their respective attribute types.

2.4 Typical Scenarios for Anonymisation

Anonymisation typically involves removal of direct identifiers and modification of indirect identifiers. Target attributes are usually left unchanged, except where the purpose is to create fictitious data.

To illustrate the outcomes of anonymisation, the following examples of use cases describe common scenarios (i.e., use cases) and set out common considerations during anonymisation when dealing with the same data for different purposes. Guidelines for the process by which data can be anonymised (after determining the relevant use case) are described below at Part 3: The Anonymisation Process.

It should be noted that the examples below are for illustration only. When carrying out their own anonymisation exercises, organisations will need to assess the appropriate balance between the data utility and depth of anonymisation (in terms of the techniques and controls applied) required for each of their specific use cases, taking into account the amount and types of data involved, specific risks and potential attacks within the use cases, and the applicable laws in each ASEAN member state.

Internal data sharing (low risk)

Example

De-identified customer data shared between the research & development department and the products department for analysis and in-house development of new goods and services.

Description

Only direct identifiers (e.g., names and customer IDs) are removed from the dataset while indirect identifiers (e.g., age, gender, address) and target attributes are left unaltered to support the intended use case.

The de-identified data is still personal data as individuals are likely to be re-identifiable from the other attributes in the data. Hence, even though the data is only shared within the organisation, it is still advisable in such cases to practise data minimisation (i.e., removing any indirect identifiers and/or target attributes which are not needed for the use case). This will provide an additional layer of protection to the de-identified data.

Internal data sharing (high risk)

Example

Anonymised data on the spending habits and demographics of high net-worth customers shared with in-house loyalty teams to create differentiated customer value propositions.

Description

Anonymised data (using the appropriate anonymisation technique(s) to treat both direct and indirect identifiers) should be shared instead of only de-identified data in cases where:

• the internal data sharing does not require detailed personal data (e.g., for trend analysis); and/or

• the data involved is more sensitive and/or granular in nature (e.g., financial information).

External data sharing

Example

Anonymised customer data shared between an in-house marketing team and an external marketing partner for analysis of customer profiles and development of marketing campaigns.

Description

In such cases, the datasets are shared with an authorised external party for business collaboration purposes. Hence, appropriate anonymisation techniques can be applied to the datasets to help organisations better comply with data protection requirements.

Long-term/archival data retention

Example

Retention of anonymised data (where the legally permissible retention period in relation to the personal data has passed) for the purpose of data analysis and historical analysis of customer trends.

Description

Anonymisation techniques can be used to convert personal data to non-personal data. This allows the organisations to legally retain the resultant data as useful business records for long-term data analysis when there is a retention limitation obligation applicable to the original personal data.

Take note that this use case is different from the others as:

a) Since such data is to be retained beyond the legally permissible period for retention of personal data, no copies (whether original or otherwise) of the data, or sub-sets of the data, should contain personal data.

b) In contrast, the other use cases typically involve organisations retaining both the anonymised and original personal data (assuming that the legally permissible retention period for the personal data has not been exceeded).

c) The organisation should ensure that the anonymised data will not be re-identifiable, as this use case demands stronger (and irreversible) anonymisation techniques to be applied in the context where the legally permissible retention period has passed. If the data is anonymised, but the organisation has the ability to reverse the anonymisation, this would potentially result in non-compliance with the retention limitation obligation.

PART 3: THE ANONYMISATION PROCESS

3.1 Overview of Anonymisation Techniques

The anonymisation process described in this Guide consists of several key steps. Before considering the steps in detail, it will be helpful to first have a general understanding of the nature of anonymisation techniques.

Anonymisation techniques are applied at Step 3 of the anonymisation process (described below). They consist of various methods to remove identifying characteristics from personal data. Different anonymisation techniques have different characteristics and modify the data in different ways (see Annex A for further details on common anonymisation techniques). Moreover, several anonymisation techniques can be used in combination on a single data attribute.

The appropriateness of a technique depends on the categorisation and the characteristics of the data in question. For instance, certain techniques (e.g., character masking) can be more appropriate for direct identifiers. On the other hand, techniques such as aggregation can be better suited for indirect identifiers. Another characteristic to cons
