The Personal Data Protection Act, 2012 (PDPA), Singapore’s general data protection law, governs the collection, use and disclosure of personal data. The Singapore Personal Data Protection Commission (PDPC), which enforces the PDPA, recently updated the chapter on data anonymization found in its Advisory Guidelines (Guidelines). The Guidelines are not legally binding but provide guidance on how the PDPC will interpret the PDPA. The revisions encourage organizations to incorporate into the process of anonymizing data an inquiry into the risks that the data may be re-identified and any potential negative effect on the individuals involved rather than focusing purely on the various techniques to anonymize the data.
The PDPA defines personal data as data from which an individual can be identified, on its own or in combination with other information to which that organization is likely to have access. Anonymization is the process of converting personal data to data that cannot be used to identify any particular individual, and it includes data that is reversibly or irreversibly anonymized. The amendments indicate that the PDPC would consider an organization to have anonymized data if there is no serious possibility that a data owner or recipient would be able to identify individuals from that data.
The revisions to the Guidelines encourage organizations anonymizing data to consider the possible ways in which the data could be re-identified, both at the time of anonymization and in the future, as data-recognition techniques develop. The rationale behind this inquiry is that it will enable organizations to anticipate and manage these risks as they select the anonymization technique, the nature and extent of disclosure and controls or limits placed on data recipients after such disclosure. When determining which anonymization technique to use for a specific set of data, organizations should consider the nature and type of data to anonymize and the international best practices for anonymizing that data type. The nature and type of data will affect what form of alteration the data require for proper anonymization as well as whether the level of alteration needed to anonymize the data might render the data useless for its intended purpose (e.g., alteration of a data set containing only photographs may destroy the usefulness of the data set).
When disclosing anonymized data, organizations should introduce controls to lower the risk of re-identification. Such controls include limiting the number of data recipients, imposing restrictions on their use and subsequent disclosure of the data, or requiring them to implement processes to govern data use and to destroy the data when it will no longer serve any business or legal purpose. The amendments to the Guidelines also suggest that organizations implement controls to limit the data users’ or recipients’ access to “other information” that, paired with the data set, could identify the individuals. Suggested methods for limiting this access could include legally binding agreements, administrative rules or policies, organizational structures, technical measures (e.g., the use of encryption) and physical measures (restricting access to data storage areas). The PDPC indicates that in assessing anonymization and the risk of re-identification of data, it will take a holistic view, including consideration of factors relevant to the specific case.