First of all, great video as it helps many people to understand what can be done to safeguard personal information. Even when using Pseudonymization, would this attribute still counts as personal data (e.g. as identification number)? If so, there must be a lawful ground in place to process this data even if its Pseudonymised. Is this correct?
Hi Tony, Thank you for the kind feedback! Also, that's a great question. Unlike anonymization, pseudonymization does not remove all identifying information from the data but reduces the linkability of a dataset with the identity of an individual. Although Recital 28 of the GDPR recognizes that pseudonymization “can reduce risks to the data subjects,” it is not alone a sufficient technique to exempt data from the scope of the Regulation (i.e., it remains as personal data).
Great video, thank you! Quick Question, take a lab referral, for example, it contains 3 data entities, patient data (the person the referral is about), the referring doctor (person sending the referral), the outpatient lab (the people receiving the referral data). In order to use this data for research, would we only anonymize the patient data, or the other parties as well?
Hi Arvind, To answer your question, it's best to compare what the main difference is between anonymization and pseudonymization. Under recital 26 of the GDPR, anonymized data is “personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Data that has successfully been anonymized is no longer capable of reidentification of the data subject. For this reason, GDPR no longer applies to anonymized data. Pseudonymization, in contrast, reduces the linkability of data to its data subjects by separating the data from direct identifiers and replacing them with artificial identifiers, or pseudonyms, which may be recalled at a later date to re-identify the record. The data protection officer (or another responsible stakeholder) within an organization holds the key that may later re-identify the data subjects in that given data set. To answer your question, pseudonymized data can ultimately result in re-identification if the data protection officer re-identifies the data set or if the key (that was supposed to be safeguarded) were to be access by hackers, lost, etc. As a result, pseudonymized data remains subject to the GDPR, despite having less risk for reidentification. I hope this helps answer your question.
@tried1998 Re-identification must happen at some point, otherwise healthcare facilities won't know anything about a patient to treat them. The goal is to prevent unauthorized access from hackers, etc. So, even if someone manages to steal the data, they'd see that the personal identifiers were already detached from any record in a database that could potentially re-identify someone. Also, since the data is likely to be encrypted, along with using pseudonyms, it's virtually useless to even the most advanced hackers in the world without a decryption key. So it's still very secure.
Just some positive criticism - Great video and good explanation but I would work on using facial expressions and hand gestures at a slower rate and possibly with more variety. It just seems slightly unnatural. Also try limiting up-speak.
Great explanations. Thank you very much.
Ariyo, Thank you for the kind feedback. I am glad you found the video helpful!
-Mike
very helpful, thank you so much
You're welcome. Glad you found it helpful!
wow..very good.
Thank you, Wonkyu!
Brilliant! Thanks
Thank you, Iubna!
First of all, great video as it helps many people to understand what can be done to safeguard personal information. Even when using Pseudonymization, would this attribute still counts as personal data (e.g. as identification number)? If so, there must be a lawful ground in place to process this data even if its Pseudonymised. Is this correct?
Hi Tony, Thank you for the kind feedback! Also, that's a great question. Unlike anonymization, pseudonymization does not remove all identifying information from the data but reduces the linkability of a dataset with the identity of an individual. Although Recital 28 of the GDPR recognizes that pseudonymization “can reduce risks to the data subjects,” it is not alone a sufficient technique to exempt data from the scope of the Regulation (i.e., it remains as personal data).
Sir, can i know how you create slide or motion ? Thank You.!
Great video, thank you! Quick Question, take a lab referral, for example, it contains 3 data entities, patient data (the person the referral is about), the referring doctor (person sending the referral), the outpatient lab (the people receiving the referral data). In order to use this data for research, would we only anonymize the patient data, or the other parties as well?
The map of the EU is incomplete- Croatia is missing (a member since 2013.).
How can Pseduonymization cause reidentification
Hi Arvind,
To answer your question, it's best to compare what the main difference is between anonymization and pseudonymization.
Under recital 26 of the GDPR, anonymized data is “personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Data that has successfully been anonymized is no longer capable of reidentification of the data subject. For this reason, GDPR no longer applies to anonymized data.
Pseudonymization, in contrast, reduces the linkability of data to its data subjects by separating the data from direct identifiers and replacing them with artificial identifiers, or pseudonyms, which may be recalled at a later date to re-identify the record. The data protection officer (or another responsible stakeholder) within an organization holds the key that may later re-identify the data subjects in that given data set. To answer your question, pseudonymized data can ultimately result in re-identification if the data protection officer re-identifies the data set or if the key (that was supposed to be safeguarded) were to be access by hackers, lost, etc. As a result, pseudonymized data remains subject to the GDPR, despite having less risk for reidentification.
I hope this helps answer your question.
@tried1998 Re-identification must happen at some point, otherwise healthcare facilities won't know anything about a patient to treat them. The goal is to prevent unauthorized access from hackers, etc. So, even if someone manages to steal the data, they'd see that the personal identifiers were already detached from any record in a database that could potentially re-identify someone.
Also, since the data is likely to be encrypted, along with using pseudonyms, it's virtually useless to even the most advanced hackers in the world without a decryption key. So it's still very secure.
@tried1998 Where did I say that?...
I was using healthcare as an example.
Does GDPR codify metadata?
Just some positive criticism -
Great video and good explanation but I would work on using facial expressions and hand gestures at a slower rate and possibly with more variety. It just seems slightly unnatural. Also try limiting up-speak.