2.4 General Data Protection Regulation (GDPR)
2.4.3 Takeaway
There are a few points to consider when considering doing processing of personal data, and in particular health data, the topic of this thesis.
1. Does the data concern people located in the EU?
2.4. GENERAL DATA PROTECTION REGULATION (GDPR)
2. Is the controller or processor based in the EU?
3. Does it fall under the umbrella of purely personal or household-activity use?
4. Has the data been collected in a way which complies with the GDPR, including purpose limitation, data minimization, data subject consent?
5. Are the premises for the processing lawful?
When performing the actual handling of the data, there are some things to consider with regard to the proper procedure and security.
1. Is there a risk of significant harm to the rights and freedoms of data subjects? Has a risk assessment been made? Has a data protection officer been involved?
2. Are the organizational and technological security measures sufficient to protect the data?
3. Is data being transferred during processing or for the purpose of processing? Are there guarantees the data will be treated according to the GDPR?
Furthermore, when doing further processing beyond the original purpose which data subjects consented, consider the following:
1. Does the new purpose align with the previous purpose?
2. Does the purpose fall under the specific purposes which a limited exception is provided for, such as scientific research?
3. Has there been done extra work, such as pseudonymization and encryption, for the data to align with the original purpose?
4. While pseudonymized data is still considered personal data, suffi-ciently anonymizing the data will ensure the GDPR no longer applies.
It is important to mention that the regulations presented in the GDPR are extensive and cover much more than what is presented in this chapter.
Nevertheless, this is serves as an introduction to the topic and includes many of the most relevant concepts and regulations to consider when doing work related to the topic of this thesis. A more comprehensive understanding will be required for anyone doing processing, such that no mistakes occur which may lead to serious negative consequences.
Chapter 3
Literature Review
This section aims to contextualize this project in the field of anonymization with a focus on health data. It builds on the previous introduction to the topic, and presents a variety of works featuring research on both anonymization in the health sector in particular and the field of anonymization in general. Furthermore, some research on the more recent legislation introduced by the GDPR is examined. Through this, an understanding can be gained on current state of the field, as well as interesting research directions.
3.1 Anonymization of health data
There exists a variety of research on the anonymization of health data.
The paper Strategies for De-identification and Anonymization of Electronic Health Record Data for Use in Multicenter Research Studies [38] reviews a large corpus of previous work on the topic, mostly articles detailing various anonymization strategies used for the treatment of different types of medical data. Kusida et al. examine the different cases studied in the various articles and review the results with a focus on the strengths and weaknesses of approaches taken, with the purposes of possible application in multicenter research studies. Their conclusions are contextualized by the HIPAA regulations that medical research in the United States is covered by, and find the examined strategies to in be somewhat limited in their ability to adequately deal with all the different types of health information found in relevant medical records. They particularly suggest further work on strategies for handling genetic data.
A French Anonymization Experiment with Health Data [15] is a case study on anonymization of microdata containing health information from a French administrative database on hospital stays. They considered two approaches, making use of two different tools for anonymization,µ-Argus and ARX, and attempted to reach k-Anonymity and l-Diversity, specifically
3.1. ANONYMIZATION OF HEALTH DATA
employing a value of 10 and an l-value of 3. They reason that, while a k-value of 5 is a common, a k-k-value of 10 might provide additional protection from an attacker possessing background data. At the same time, this would make it easier to obtain an l-value of 3, a value chosen to avoid exact value disclosure of sensitive attributes, given the larger groupings which may contain distinct values.
To achieve their privacy model goals, they make use of global recoding, and in their discussion and conclusion find that the loss of utility in the data sets is high. They attribute this to the non-uniformity of the specific type of data they were working with, which included two types of geographic data, and conclude that it is hard to reach a good trade-off between disclosure risk and data utility. They suggest a research direction including perturbation of data, specifically geographic data, to attempt a better risk/utility trade-off.
In A Case Study of Anonymization of Medical Surveys [32], researchers seek to anonymize a data set of medical surveys, which are high-dimensional data sets, and present their methods for evaluating the resulting disclosure risk and information utility. They too, make use of the k-anonymization approach, opting for a k-value of 3, reasoning that the extent to which the data is shared, is limited. They also decide specifically not to use the l-diversity technique which counteracts a risk to attribute disclosure, because of the heavy skew and low modality of their confidential attributes, being a binary presence value with a low with a low occurrence rate.
A very recent paper on the anonymization of structured health data [3]
propose a practical methodology including a cryptographic algorithm which preserves privacy through construction. Instead of preserving the semantic value of the raw data, and ensuring privacy through methods such as k-anonymity, this approach rather encrypts the values using a method which preserves properties which can be useful for some types of research. With this encrypted data released, analysis can be performed where the results can be shared with the source of the data, such as a hospital, which can then use the results for their purposes. They compare their approach to an approach utilizing k-anonymity in a previous research paper, and find that their method better preserves the utility of the data.
A less recent paper [44] focuses on a method for anonymization of both structured and unstructured data. Their system attempts to identify and extract sensitive information using a Bayesian classifier from unstructured data, before performing anonymization techniques using k-anonymity and on the extracted information. They find that their system performs effectively when extracting information, and manages to sufficiently protect the privacy of its data subjects while preserving as much utility as possible.
CHAPTER 3. LITERATURE REVIEW