Pseudonymisation enters the stage
Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. In exchange for the lower level of privacy intrusion, the applicable requirements are less stringent.
As a result, the complexities surrounding the concept of personal data are likely to increase given the three possible categories of information:
- The framework set forth by the Regulation applies to personal data, defined as any information relating to a natural person who can be identified, directly or indirectly, by reference to an identifier. The Regulation expressly considers as identifiers a name, an identification number, location data, online identifier or other factors related with the physical, physiological, genetic, mental, economic, cultural or social identity of a person. In this respect, the Regulation is crystal clear about the fact that technology-based identifiers such as MAC addresses qualify as personal data.
- Anonymous data, which is information not related to an identified or identifiable natural person, or data that does not allow identification of an individual, is therefore excluded from the scope of the Regulation.
- In between personal and anonymous data there is a third category, so-called pseudonymous data. Such a definition did not appear in the Commission draft, but is included in the Parliament draft and the Council Pseudonymous data does not directly disclose a data subject’s identity, but it may still identify an individual by way of association with additional information. Under the Regulation, pseudonymous data is still regarded as personal information and therefore subject to data protection guarantees.
Crucially, the regime affecting pseudonymous data is less stringent. For example, profiling based exclusively on the processing of pseudonymous data is presumed not to significantly affect individuals. In addition, Member States are likely to be given the option to specify exceptions to the consent requirement with respect to the processing of health data, provided that such data is anonymous or, if anonymisation is not possible, pseudonymous in accordance with the most advanced technical standards.
New types of regulated data
Whilst the definition of data concerning health is not likely to differ greatly from how it is currently interpreted under the Data Protection Directive, there are provisions in both the Parliament’s and Council’s drafts that facilitate the processing of health data for scientific (i.e. research) purposes. Indeed, examining registries to obtain new knowledge is acknowledged to be beneficial for medical research, carrying out further processing for scientific purposes is not considered incompatible with the initial purpose, and health data may be stored beyond the normal retention period when being used for these purposes. Health data may also be processed for public interest reasons in the area of public health without consent, especially when linked to a quality or cost-effectiveness benefit, provided that it does not end up in the hands of third parties, such as employers, banks or insurance companies.
Although a data protection impact assessment must be carried out in most profiling instances, such impact assessment is not required if the processing is protected by professional secrecy, and managed, for example, by a healthcare professional. Following a similar rationale, health data processed for healthcare purposes (e.g. preventive or occupational medicine, medical diagnosis, employer assessments of the working capacity of employees, provision of health or social care or treatment or management of health or social care, or under a contract with a health professional) should be processed by or under the responsibility of a healthcare professional (or other person subject to an obligation of secrecy).
Genetic data is defined as personal data relating to the genetic characteristics of an individual that have been inherited or acquired resulting in particular from an analysis of a biological sample from the individual in question. Genetic data is regarded as personal data concerning health, and is included among the special categories of data. It will be left to Member States to allow this to be processed without consent for healthcare and medical purposes when carried out by or under the responsibility of a healthcare professional (or other person subject to an obligation of secrecy).
Biometric data, which is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the unique identification of that individual, such as facial images, or dactyloscopic data, is not included among the special categories of data, but when processed for taking decisions regarding specific individuals on a large scale, a data protection impact assessment will be required.
Likely practical impact
A key takeaway from this myriad of concepts is that those using pseudonymous data in the context of their activities (e.g. for R&D purposes, or in the health sector for clinical studies) will have to assess the anonymisation and pseudonymisation techniques being used, in order to establish whether the processed data is subject to data protection principles or not.
However in general terms and looking at the glass half full, we are heading for greater flexibility for organisations involved in the processing of personal data for scientific research and public health purposes, as long as certain privacy enhancing measures are in place.
What will happen next?
At the moment the standards according to which data is considered as anonymous or pseudonymous are established by the DPAs at a national level. Once the Regulation comes into force, the requirements and the applicable regime will become more uniform and this will provide greater legal certainty.
The latest proposals on processing of data for scientific research and public health are reassuring, but the degree to which the companies involved in those fields will face greater flexibility is still uncertain.
What to do now
- Assess the different types of information handled by the organisation in line with the new categories in the Regulation.
- Determine whether it will be possible to benefit from the greater flexibility afforded to pseudonymous data.
- Plan and develop processes for carrying out data protection impact assessments (for example for profiling or use of biometric data).
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.