Requirements for the use of pseudonymisation solutions in compliance with data protection regulations - GDD eV
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Rolf Schwartmann / Steffen Weiß (Ed.) Requirements for the use of pseudonymisation solutions in compliance with data protection regulations A working paper of the Data Protection Focus Group of the Platform Security, Protection and Trust for Society and Business at the Digital Summit 2018
Rolf Schwartmann / Steffen Weiß (Ed.)
Benjamin Walczack
Requirements for the use of pseudonymisation Johannes Landvogt
Independent Centre for Data
The Federal Commissioner for Data
solutions in compliance with data protection Protection and Freedom of
Protection Schleswig-Holstein
regulations Information (BfDI) Author:
Data Protection Focus Group
Prof. Dr. Michael Meier
A working paper of the Data Protection Focus Group of the of the Digital Summit
University of Bonn/German
Platform Security, Protection and Trust for Society and Business Informatics Society (GI) Chairman of the Focus Group:
at the Digital Summit 2018 Prof. Dr. Rolf Schwartmann
Dr. Frank Niedermeyer
Federal Office for Information Security
Chairman of the Focus Group: Walter Ernestus Robin L. Mühlenbeck
Prof. Dr. Rolf Schwartmann The Federal Commissioner for Data Cologne Research Centre for Media
Cologne Research Centre for Media Protection and Freedom of Law - Cologne University of
Law - Cologne University of Technology Information (BfDI) Technology
Member of the Data Ethics Commission Nicolas Goß Jonas Postneek
of the Federal Government eco - Association of the Internet Industry Federal Office for Information
Coordination: Security
Michael Herfert
Steffen Weiß, LL.M. Fraunhofer-Society for the Promotion Frederick Richter, LL.M.
German Society for Data of Applied Research Data Protection Foundation (Stiftung
Protection and Data Security Datenschutz)
Maximilian Hermann
(GDD) Contact:
Cologne Research Centre for Media Dr. Sachiko Scheuing
Members: Law - Cologne University of Technology Acxiom Germany GmbH Steffen Weiß
Prof. Dr. Christoph Bauer Dr. Detlef Houdeau Irene Schlünder German Society for Data
ePrivacy GmbH Infineon Technologies AG Technology and Method Platform for Protection and Data Security
Patrick von Braunmühl Networked Medical Research (TMF) Heinrich-Böll-Ring 10
Angelika Hüsch-Schneider
Bundesdruckerei GmbH Deutsche Telekom AG Sebastian Schulz 53119 Bonn, Germany
Dr. Guido Brinkel Clemens John Federal Association for E-
Microsoft Germany GmbH Commerce and Distance Selling Phone: +49 228 96 96 75 00
United Internet AG
Germany (bevh) Email: info@gdd.de
Susanne Dehmel
Annette Karstedt-Meierrieks www.gdd.de
Federal Association for Association of German Dr. Claus D. Ulmer
Information Technology, Chambers of Industry and Deutsche Telekom AG
Telecommunications and Commerce (DIHK) Dr. Winfried Veil
New Media e.V. (BITKOM)
Federal Ministry of the Interior German Society for Data
Daniel Krupka Protection and Data Security
Philip Ehmann e.V.
German Informatics Society (GI) Dr. Martina Vomhof
eco - Association of the Internet Industry
German Insurance Association
Version 1.0, 2018
(GDV)Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
Foreword
Pseudonymisation as a bridge between informational and
entrepreneurial self-determination
Machines should make life safer, lighter, more pleasant and longer. The human being, In 2018, the Focus Group continued its work and presents this working paper. It stipulates
respectively his/her intelligence is the starting point of the AI. The technology is intended requirements for the use of pseudonymisation solutions in compliance with data protection
to imitate human behaviour through mechanical work and understanding in order to apply regulations. At the same time, it represents a necessary intermediate step from the
it independently on this basis, if necessary. For this purpose, huge amounts of data are whitepaper on the way to a proposal for a code of conduct for pseudonymisation which
processed with the aim of identifying patterns from the data, evaluating them and drawing the Focus Group intends present at the Digital Summit in 2019 and which will help industry
conclusions from them. to achieve greater investment security.
"Artificial intelligence - a key to growth and prosperity." This is the title of the 2018 Digital My sincere thanks is owed to to all the members of the Focus Group for their intensive,
Summit of the Federal Government. Germany is strong in the digital economy and should constructive and efficient work. Special thanks go to Mr Steffen Weiß for coordinating the
become a leader in the AI. The strategy is right. However, it is bound by legal guidelines. Group's work so expertly and prudently.
The General Data Protection Regulation (GDPR) provides a reliable legal framework for
innovative technologies and applications, including in the field of AI. It lays down rules on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data. “The revision of the e-privacy regulation is intended to
complement this protection concept.” This is the clear commitment of the Federal
Government within its Key Issues Paper as part of Germany’s digital strategy.
In order to make personal data economically usable, the GDPR relies on
Cologne, November 2018
pseudonymisation. Pseudonymisation serves two functions – one that it is intended to
Professor Dr. Rolf Schwartmann
protect personal data, the other to facilitate its economic use at the same time. The core
Head of the Data Protection Focus Group of the Platform Security, Protection and Trust for Society and
of pseudonymisation is to replace a person's identity data with a specific string, as it is Business at the Digital Summit 2018 and member of the Federal Government's Data Ethics Commission
the case with a vehicle registration number. Disclosing a person’s identity from the
pseudonym takes place according to fixed rules.
The Focus Group on data protection of the Platform Security, Protection, and Trust * Available at: https://bit.ly/2FjLnVd.
For Society and Business has already published a white paper which presents guidelines
for the legally secure use of pseudonymisation solutions, taking into account the GDPR.Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
Table of contents
A. Introductory remarks................................................................................... 8
B. Legal classification of pseudonymisation ....................................... 8
C. Requirements for pseudonymisation ................................................. 9
D. Technical-organisational requirements for
the pseudonymisation .............................................................................. 12
E. Best practices ............................................................................................... 26Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
whitepaper on pseudonymisation above. serves primarily to reduce risks within the a processing.
A. introductory remarks Following the presentation of the legal meaning of Art. 32 GDPR. In view of the
The aim of this guideline is to support classification of pseudonymisation legal requirements pursuant to Art. 25 C. Requirements for
(Section B.), this guideline elaborates GDPR for "Privacy by Design",
those responsible for data processing in pseudonymisation
the legally compliant implementation of (Section C.) the prerequisites for a legally pseudonymisation ensures that personal
pseudonymisation measures by means of secure pseudonymisation process as well information can be decoupled from other
Every pseudonymisation must comply with
corresponding specifications. Already in as the requirements that a data at an early stage. certain conditions in order to be legally
the whitepaper for the Digital Summit pseudonymisation must typically fulfil compliant in the sense of the GDPR.
20171 the "Data Protection Focus Group of (Section D.). 2. Pseudonymisation to facilitate
a processing or the processing 1. Assignment of responsibilities
the Platform Security, Protection and Trust
for another purpose For the monitoring of the
for Society and Business” has stressed the pseudonymisation process, a person,
importance of pseudonymisation.
B. Legal classification of According to the GDPR, pseudonyms can
e.g. a specialist manager should be
An essential characteristic of a pseudonymisation also enable certain data processing
appointed. the person should be able
pseudonymisation is that pseudonyms can because of the associated risk reduction.
to provide the necessary technical and
no longer be assigned to the person Pseudonymisation alone does not make These are in particular the cases of a so-
legal understanding of
specifically concerned without the data processing lawful. It is merely a called “compatible further processing” in pseudonymisation. The role of this
involvement of additional information. In building block to ensure that a data accordance with Art. 6 para. 4 GDPR, person is to take responsibility for
this respect, pseudonymisation protects processing is in accordance with the meaning that a subsequent change of important decisions. He/she should be
citizens whose personal data are GDPR. It is therefore always necessary to purpose regarding the processing of involved in the in a position to create a
processed from unwanted identification. In have a legal basis for processing personal personal data is considered compatible uniform approach of
contrast to anonymisation2, pseu- data. The requirements of Art. 6 GDPR with the initial purpose of processing. pseudonymisation at the data
donymised data can be traced back to the ("lawfulness of processing") must be Whether a new processing purpose is controller/processor. Besides, he/she
complied with, as in the case of special compatible with the original purpose and should have the opportunity to draw on
individual (re-identification). The strength
categories of personal data those of Art. 9 whether further processing can therefore know-how from within or outside the
of pseudonymisation depends on how
GDPR ("processing of special categories be based on the original legal basis is the organisation. The controller/processor
high the risk, the costs and the time
of personal data"). result of weighing different criteria remains responsible for fulfilling the
required for a direct or indirect
Essentially, pseudonymisation can be mentioned in Art. 6 para. 4 GDPR. One tasks and duties of the GDPR.
identification by third parties are to be
estimated. applied in two instances: criterion in favour of compatibility of
purposes is the existence of suitable 2. Applicability and legal
The pseudonymisation of data is useful
1. Pseudonymisation as a guarantees, which may include admissibility
when compiling statistics in conformity
technical protective measure encryption or pseudonymisation (Art. 6 Depending on the application of
with the law, for the implementation of
research projects, as well as for the Pseudonyms are necessary, for example, para. 4 lit. e GDPR). Even in the context
if critical data processing needs to be of a balancing of interests pursuant to Art. pseudonymisation, different conditions must
implementation of advertising measures.
specially protected against inadmissible 6 (1) lit. f GDPR, a pseudonymisation be observed.
Special application scenarios for
pseudonymisation are listed in the access. In this case, pseudonymisation may have a positive effect and legitimise
1 https://bit.ly/2FjLnVd. 2 Anonymisation is a different procedure.Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
concerned about the purpose, the controller will inform the data
a. In the case of pseudonymisation as a legitimate interest of the controller must be pseudonymisation carried out. In subject accordingly, if possible. The
measure for the realisation of an examined in particular. addition, the data subject must be information must at least include a
appropriate protection of personal data informed in this context, if necessary, reference to the origin of the data and to
The type and quality of the of his right to object with which he/she possible identification if the data subject
within the meaning of Art. 32 GDPR,
pseudonymization is of particular can prevent his originally collected provides the information required for its
importance in both case variants. data from becoming part of a identification (see Art. 11 para. 2 GDPR).
compatible further processing (Art. 6
para. 4 lit. d)).
the requirement for pseudonymisation
4. Rules for merging with
will, as a rule, result from a risk
c. If a responsible party has received individual information of
assessment including the criteria 3. Information of data subjects -
pseudonymised data from a third party certain persons (re-
specified in Art. 32 GDPR (state of the transparency - and possibilities
and the responsible party can no identification)
art, implementation costs, type, scope, to object
longer easily identify the data subject, If the results of the pseudonymous data
circumstances and purpose of The data subject should also be informed
the responsible party shall at least processing are to be merged with the
processing as well as level of risk for the adequately when processing of his/her
provide the general information via its individual data of data subjects or are to be
rights of the person concerned). data based on pseudonyms. This can be
own website that pseudonymous data traced back to the data subject (re-
Especially critical data processing must done, for example, via data protection
are being processed. The origin of the identification), this can either be part of the
be provided with a strong notices or policies. The legal options
data and the existence of the right of originally planned processing or an
pseudonymisation (see D. for technical regarding the data subject’s rights, such as
access have to be named. additional service based on the evaluation
and organisational requirements). the right to object or the right of access are
of the compatible further processing.
to be granted to him.
d. The data subjects' rights under
b. If pseudonymisation is to be used to
Chapter III of the GDPR (right of a. If pseudonymisation is used as a
enable the processing or further a. In the case of pseudonymisation for
access, rectification, deletion, protective measure within the framework
processing of personal data, this can be protection purposes, the general
restriction of processing, data of legitimate data processing, which is
done either by compatible further information provided during data
portability and objection) have to be basically also permissible with plain data
processing in accordance with Art. 6 para. collection will be sufficient. Objection
fulfilled in full by the controller - also in of the data subjects, no further
4 GDPR or by balancing the interests in rights or consent requirements are
relation to the stored pseudonym - if permission is required to trace
accordance with Art. 6 para. 1 lit. f GDPR. determined here in accordance with the
the controller can identify the natural pseudonyms back to individuals in
In the case of further processing pursuant legal conditions for the originally
person linked to a pseudonym. The addition to the original legitimation for
to Art. 6 para. 4 GDPR, the legal planned processing.
controller, however, consults the data data processing.
requirements of the article must be
subject whether a re-identification
cumulatively examined and balanced. b. If a pseudonymous further processing, related to the pseudonym is desired. b. If pseudonymisation is a measure to
Depending on the characteristics of the for example for compatible purposes,
individual test points (lit. a) to e)), further make a further processing possible, the
takes place, the data subject should be If a data subject requests access and the
processing may or may not be permissible. legitimation according to Art. 6 para. 4
informed about it in principle. The controller cannot identify the data subject GDPR extends only to the further
other purpose and its scope should be using the pseudonym, because it does processing of the data, but not to re-
When balancing the interests within the explained to him/her. In this case, it is not know certain information about the identify a data subject with a pseudonym.
meaning of Art. 6 para. 1 lit. f GDPR, the advisable to inform the person data subject which is necessary for this In these cases, the re-identificationRequirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
therefore requires the provision of a D.1.2 Discoverability D.1.5 Data collection D.1.10 Entropy
consent mechanism for the data A pseudonym is discoverable if it is Data material consisting of several data A measure of the indeterminacy of a
subjects which meets the requirements possible to deduce the identity data of the sets from possibly different sources or sequence. For example, ten independent
of Art. 7 GDPR. This also applies to associated person from the pseudonym. years, which is to be evaluated for coin tosses (head/number) provide ten bits
processing on the basis of a balancing This may require a secret cryptographic statistical purposes and for this reason is of entropy. If a sequence is calculated from
of interests pursuant to Art. 6 para. 1 lit. key that is only available to certain users. to be pseudonymised. an initial value ("seed") using a pseudo-
f GDPR. random number generator, it can never
D.1.3 Enumeration/brute-force attack D.1.6 Dataset reach a higher entropy than the initial value.
5. documentation If all details (including the cryptographic An information belonging to a person A cryptographic key should have an entropy
The prerequisites for a legally secure keys used) of a pseudonymisation process which contains identity and content data of at least 100 bits.
pseudonymisation as well as the process are known, the corresponding identity data and which must be pseudonymised.
steps for carrying out a pseudonymisation can be determined from an existing
must be documented. This can be done pseudonym by an enumeration/brute-force D.1.7 Data trustee
either by an independent attack (also "complete exhaustion" or "trial See Trusted Third Party.
pseduonymisation concept or by a general encryption"). For this purpose, all relevant
description when documenting technical- identity data is subjected to D.1.8 l-diversity
organisational measures for a processing. pseudonymisation and compared with the A (pseudonymised) data collection offers l-
existing pseudonym. diversity, if there are at least l different
D. Technical- For example, if f is a crypto-graphic forms of content data for each group of
organizational hash function and the value y = f(name) is identical identity data contained in it. l is a
requirements for known, but ‘name’ is unknown, the value natural number.
pseudonymisation f(name) can be calculated for all names in
question and compared with y in order to D.1.9 One-way function
D.1 Definitions determine ‘name’. Function f, which is easily calculable but
difficult to reverse; it should be practically
The following terms are used in the
D.1.4 Block cipher impossible to draw conclusions from a
following sections. The short explanations
Block cipher is an encryption method function value y to x with f(x) = y.
of the terms serve to explain their use in
the following and may not satisfy the which transforms a data block of fixed
length (e.g. 128 bits) into a block of the Remark:
requirement of complete definitions.
same length depending on a For a one-way function it is necessary that
cryptographic key. The most common the definition range of f is very large,
D.1.1 k-Anonymity
block encryption method today is the AES otherwise the value f(x) could be
A (pseudonymised) data collection offers
(Advanced Encryption Standard), which calculated and compared with y for all
k-anonymity if the identity data of each
encrypts 128-bit blocks using a 128-,192- possible x. For an example see:
individual person still contained therein
bit or 256-bit key. Enumeration attack/brute-force attack.
matches at least k - 1 other persons. K is a
natural number here.Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
D.1.11 HMAC D.1.18 Cryptographic key D.1.23 Record Linkage
See: Cryptographic checksum. A character string that is used to transform In specialist literature, the merging of data
D.1.15 Control number
a set of data using a cryptographic function records of a pseudonymised data collection
See: Pseudonym.
D.1.12 Homonym error (encryption or signature). Depending on on the basis of linkable pseudonyms is
A homonym error occurs when the application, the key must be kept referred to as record linkage.
D.1.16 Cryptographic
pseudonymisation procedures that provide secret.
hash function
linkability falsely lead to the same D.1.24 Re-identification
A hash function is a function that assigns a
pseudonyms from different persons. D.1.19 Pseudonym See Discoverability.
string of any length to a string of fixed
A character string that replaces the
length (about 256 bits). A cryptographic
D.1.13 Identity data identity data of a person and thus D.1.25 Synonym error
hash function also has the property of a
All data relating to a person that make it represents this person. The identity data Occurs when, in a linkable
one-way function. If, in addition, it is
possible to identify the person in more of a pseudonym should, if at all, only be pseudonymisation procedure, identity data
practically impossible to find two different
detail. inferred under strictly defined conditions of the same person incorrectly lead to
input values that provide the same function
(see Discoverability). different pseudonyms, although this was not
value, one speaks of a collision-resistant
D.1.14 Content data intended.
hash function. Internationally standardized
In a data collection, essentially all data that cryptographic hash functions are MD5,
D.1.20 Pseudonymisation list
do not belong to the identity data. A list that compares identity data and D.1.26 Linkability of pseudonyms
SHA256 or SHA-3.
Nevertheless, a personal reference can be pseudonyms. A pseudonymisation list A pseudonymisation procedure ensures
established from content data if they are, can be used to determine a person's the linkability of pseudonyms if identity data
D.1.17 Cryptographic
for example, unique and this information pseudonyms directly from an individual's for the same person generally lead to
checksum
can be linked to a person. identity data and vice versa to determine identical or similar pseudonyms. The ps-
A bit sequence of fixed length (about 256
an individual's identity data from an eudonym, respectively the data records of
bits) that is calculated from a character
Remark: individual's pseudonym. the person are then "linkable": Identical
string of any length using a cryptographic
Sometimes there may be overlaps pseudonyms can usually be used to identify
key. If the key is known, the checksum can
between content data and identity data, be used to determine the integrity of the
D.1.21 Pseudonymisation stages identical persons.
e.g. in the data collection for a study to string. Without knowledge of the key, it is If a pseudonym is not created directly
investigate statements about dependency from the identity data, but in mutually Remarks:
impossible to create a valid cryptographic
on age or occupation on certain checksum for a character string. An independent stages, one speaks of The linking of pseudonymised data with
characteristics. In this case, age and internationally standardized cryptographic pseudonymisation lstages. persons without knowledge of the
occupation would (also) be counted checksum is calculated using the HMAC Remark: pseudonymisation procedure or the
among the content data. algorithm ((Keyed- Hash Message A pseudonymisation in several stages pseudonymisation table is not meant and
Authentication Code). takes place, for example, with the must be avoided.
participation of one or more trust bodies.
In the case of linkable pseudonyms,
D.1.22 Pseudonymisation procedure homonym or synonym errors can
A procedure which generates a nevertheless occur.
pseudonym from the identity data of a
person.Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
implementation of a pseudonymisation
D.1.27 Encryption d. Pseudonyms only if there is a need for requires various process steps, which D.2.2.1 Pseudonymisation lists
A method which converts a plaintext into a them; otherwise anonymization typically are: A pseudonymisation list is used to assign
ciphertext depending on a cryptographic Depending on the context, different types pseudonyms to identity data using a table.
key. The inversion, i.e. to restore the of pseudonyms can be used: D.2.2 Creation of a pseudonym The pseudonyms have no relation to the
plaintext from the encrypted text, is called (pseudonymisation of the identity data, neither from functional nor a
decryption. ▪ Personal-pseudonyms, which are data record) content perspective.
used instead of identity data such as Every pseudonymisation begins with the
D.1.28 Trusted third party name, ID number or mobile phone creation of pseudonyms that connect data Example 1:
A body which is independent of the data number are displayed sets with associated natural persons. The Pseudonyms are
controller in terms of space and ▪ Role-pseudonyms, where one or pseudonym may be used to re-identify a numbered
organisation. The only task of the trusted more persons are assigned to a data set, must be kept separately and consecutively.
third party is to support the conversion of pseudonym (e.g. IP number) protected by technical and organisational
identity data into pseudonyms. ▪ Relationship-pseudonyms, in which measures. Identity data Pseudonym
Remark: a person uses a different With the data to be pseudonymised, a
Peter Müller
If necessary, several trust authorities can pseudonym for each distinction is made between identity data
born 2022917
be involved in a pseudonymisation (communication) relationship, e.g. of the persons involved and content data.
31.01.1965
process, which create the pseudonyms in different nicknames A strict separation between the two types
in Cologne
several pseudonymisation stages. ▪ Role-relationship-pseudonyms, of data is not possible in all cases, so that Maria Schulze
which are a combination of the two content data can also contain information born 2022918
D.1.29 Allocation table pseudonym types about a person (e.g. gender, occupational 03.05.1959
See pseudonymisation list. ▪ Transaction-pseudonyms, in which group and year of birth) and thus an in Hürth
Max KIein
a new pseudonym is used for each identification of a data subject is possible.
born 31.10.1967 2022919
D.2 Measures transaction, which is used, for The type of pseudonymisation chosen
in Bornheim
example, in online banking. can have a fundamental influence on the
D.2.1 General information user's scope of action. With a strong
In the case of pseudonymisation, basic In general, the linkability of personal pseudonymisation, more critical data
principles are to be observed which must pseudonyms is considered higher than processing can usually be sufficiently
be observed for every procedure: that of role or relationship pseudonyms. protected than with a weak
Even less is the linkability of role- pseudonymisation. It is also true in the
a. Knowledge, only if necessary relationship pseudonyms and trans- area of compatible further processing that
action pseudonyms; in principle they with stronger pseudonymisation a given
b. Delete data, whenever possible cannot be linked. Basically, the less compatibility of the intended further
pseudonymisation can be linked, the processing with the original purpose can
c. Avoiding the accumulation of too much greater is the possible anonymity of the be assumed.
knowledge in one place (e.g. plain text data for third parties. A low linkability There are basically two procedures
data and pseudonymised data about a increases the strength of the available for creating a pseudonym:
person) pseudonymisation at the same time. In Pseudonymisation lists and pseudonyms
addition, the technical-organisational by calculation methods.Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
4. If several data suppliers are involved in Formation of a cryptographic
Example 2: that with n possible pseudonyms, a the pseudonymisation process and if a checksum:
Pseudonyms are generated collision occurs after the square root of Pseudonym = HMACK(ID).
randomly or pseudo- n formed pseudonyms with a re-identification of the data supplier on HMAC = a Keyed Hash Message
randomly. probability of 50%. So, if the the basis of a pseudonym should be Authentication Code, like RFC2104.
pseudonyms are chosen as ten-digit possible, the identity of the data supplier
Identity data Pseudonym decimal numbers, after 10000 can also be pseudonymised and placed Comments:
randomly generated pseudonyms with in front of the pseudonyms of the
Peter Müller 1. The entropy of K should be at least 100
a probability of 50%, two identical persons.
born 2184578 bits.
pseudonyms are created (keyword
31.01.1965
"birthday paradox"3). D.2.2.2 Pseudonyms through
in Cologne 2. To calculate the pseudonym, not all
Maria Schulze calculation methods
born 3654425 3. The random function offered by a Another possibility is to calculate the identity data need to be used. In general,
03.05.1959 programming language should not be pseudonyms from identity data using an it is sufficient to make a selection of the
in Hürth used as the source of randomness algorithm. identification data so that the person can
Max Klein
(e.g. the function rand() in the The transformation process has to be identified in the data collection to be
born 31.10.1967 8745124
programming language C). For consider a state-of-the-art procedure (e.g. pseudonymised. See also section E.2.
in Bornheim
example, the iterated output of a the Federal Office for Information
cryptographic hash function can be Security’s guideline TR- 02102-11 or the 3. The entire output of the calculation is not
Comments: used as a random source: ENISA guideline on crypto procedures) in needed to generate the pseudonym. See
order to avoid weak points of an encryption note 2 from section D.2.2.1.
1. When the pseudonyms are numbered A1 = Hash(A0), which could lead to the disclosure of a
consecutively, it may be possible to Pseudonym1 = Bit 1 to 40 of A1 person. 4. Although a cryptographic hash
draw conclusions about the identity In order not to be able to deduce the function is a one-way function, it is not
data. For example, if the output data is A2 = Hash(A1), identity data (ID) from the pseudonym, the sufficient to calculate the pseudonym
sorted alphabetically. Or at what time Pseudonym2 = Bit 1 to 40 of A2 calculation must depend on a certain exclusively using the hash function, for
the pseudonyms were created parameter, a so-called cryptographic key. example via
(example: Spanish registration plates A3 = Hash(A2), Calculation methods can be the ▪ Pseudonym = Hash(PID)
provide information about the initial Pseudonym3 = Bit 1 to 40 of A3 following:
registration of the vehicle). If a pseudonym is present, the PID whose
Encryption with an encryption hash value gives the pseudonym could be
2. With random pseudonyms, the length A0 is a genuine random value to be method: determined by an exhaustive search of all
of the pseudonyms should not be too chosen by the pseudonymisation Pseudonym = EK(ID). possible values for PID. In Germany,
short, otherwise collisions and authority with an entropy of at least 100 Here EK refers to the encryption with a depending on the composition of PID, this
homonym errors can occur. The rule of bits. For the selection of the number of block cipher algorithm, such as AES, with search would be limited to a maximum of 80
thumb is, bits (here 40) see note 2. the key K. million hash value calculations.
3 https://en.wikipedia.org/wiki/Birthday_problem.Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
5. In a data collection, the identity data
may be replaced by several
pseudonyms that are calculated from
different attributes of the identity data.
Example:
Pseudonym1 =
EK(health insurance number)
Pseudonym2 =
EK(Name | Birthday | Place of birth)
Pseudonym3 = EK(birth name |
birthday | place of birth)
6. The generation and administration
(e.g. distribution, storage, use,
deletion) of secret parameters
(cryptographic keys) must be realized
by state-of-the-art technical and
organisational measures.
7. The security of the chosen pseudo-
nymisation procedure can be
increased by defining suitable intervals
- depending on time or data volume -
in which a secret parameter
(cryptographic key) is exchanged.
Depending on the type of procedure
chosen and the risk for those affected,
several pseudonymisation stages can
also be built in to exclude detectability
(so-called "over-encryption").Requirements for the use of pseduonymisation solutions 23
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
D.2.2.3 Multi-stage and mixed D.2.2.4 Advantages and disadvantages of different pseudonymisation methods
pseudonymisation
procedures
5. V forwards the data records with the Method Advantages Disadvantages
The security of a pseudonymisation
procedure can be increased if the creation new pseudonyms P2 to a collector C.
1. No key management 1. Poor scalability (table can
of pseudonyms is carried out by several required become very large)
independent bodies. Both 6. C uses the pseudonyms P2 to merge 2. Table must be protected
pseudonymisation lists and calculation the received data records by means of permanently
methods can be used. record linkage. 3. Pseudonymiser needs permanent
access to the whole table
7. The data are to be evaluated at points 4. Discoverability requires access to
Example:
Assignment the entire table
X, Y and Z (from different points of
tables 5. Linkability requires access to the
1. A, B and C collect data from individuals view). For this purpose, C filters the data entire table
(A, B and C can be, for example, collection and compiles the necessary 6. Access to the table implies
medical practices that collect patient data records for X, Y and Z from the linkability and discoverability
data collection. (linkability and discoverability are
data). not separately controllable)
7. Access based on roles
2. A, B and C form data sets with the help 8. From the (partial) data collection for X requires role-specific table
of a calculation method and a (and also for Y and Z) the pseudonyms copies
cryptographic key K1 (which is available P2 are removed and replaced by new 1. Key management required (if
1. Good scalability, no table
at all data collection points). pseudonyms P3, which result from a management necessary further secret or public
pseudonymisation list LX, which 2. Control of knowledge of secret parameters are needed)
assigns the pseudonyms P3 to the parameters allows access control
3. A, B and C deliver the pseudonymised
to calculation rules
data records to a trusted third party. pseudonyms P2. The pseudo-
3. Different parameters for
nymisation lists LX, LY and LZ for X, Y
pseudonymisation, linkability and
and Z are different and independent of Calculation
4. V forms new pseudonyms P2 from the discoverability are possible,
each other. method therefore separately controllable
obtained pseudonyms P1 using a
4. Only the cryptographic keys need to
calculation method and a cryptographic
be securely protected
key K2 for the data records and Remark:
5. Role-based access via roll-
replaces the obtained pseudonyms P1 By generating different lists it is ensured
specific parameters is easily
with the new pseudonyms P2. that not several data evaluators can merge possible
the data collections made available to them 6. Purpose limitation via technical
on the basis the pseudonyms contained in parameters provides linkability
and discoverability based on
these collections.
specific purposesRequirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
D.2.4 Documentation of technical D.2.6 Loss of purpose for
D.2.3 Separate storage of the It should be avoided that a person is and organisational measures processing
cryptographic key assigned to multiple roles. This also for non-assignability The purposes and duration of the
applies to administrators. Any exceptions Technical-organisational measures to pseudonymisation procedure shall be
D.2.3.1 Access control must be justified and documented. ensure that a pseudonym cannot be determined in advance and the measures
(authorization concept) Access to a cryptographic key must be assigned to identity data, for example in for the termination of the procedure,
A separate storage of the cryptographic restricted to an absolute minimum of the case of missing legitimation, must be including the technical implementation of a
key requires a documented authorization trustworthy persons (need-to-know documented. This can be done in a data deletion, be documented.
concept. At least two different roles must principle). pseudonymisation concept. The concept If the purpose for a pseudonymisation
be defined: The possibility of re-identification must be integrated into an IT security no longer applies, e.g. the data is no
1) The role with access authorization to should not exist in the department of an management system (e.g. ISO/IEC longer needed, pseudonymised data must
the key for re-identification; organisation in which content data 27001). The IT security management be deleted or anonymised in accordance
2) The role with access to the belonging to a pseudonym are processed. system has to be documented and its with data protection regulations. Such
pseudonymised content data. Any exceptions must be justified and effectiveness regularly reviewed. anonymisation cannot usually be achieved
documented. by deleting the pseudonyms, but must take
It is recommended to define the D.2.5 Rules for disclosure place as an independent procedure for
following roles for a pseudonymisation D.2.3.2 Four-eyes principle Since a re-identification of identity data which special requirements apply which
procedure: Any access to a cryptographic key for the may be possible during cannot be dealt with in detail here. In the
re-identification of identity data must pseudonymisation, a planned disclosure case of anonymisation, it must also be
1. Provide data follow the four-eyes principle. This can be of a pseudonym must be regulated. To this checked at regular intervals whether the
solved technically or organisationally. end, a documented definition of cases of a data can still be classified as anonymous.
2. Pseudonymise data and re-identify Furthermore, none of the persons desired disclosure is needed. The process If a data subject has a right to delete
it, if necessary involved should have access rights to both of re-identifying the data subject must also his/her data, this right refers to personal
the cryptographic key, the pseudonym be logged. The record must show which data and pseudonymised data, not to
3. Collect data and merge them and the associated content data. If the persons carried out the re-identification. anonymous data. Legal retention periods
using pseudonyms ("record four-eyes principle is not possible, at least No conclusions about the identity data on must be observed.
linkage") the access to the cryptographic key must which a pseudonym is based may be
be logged individually. drawn from the recording. Therefore, the
4. Evaluate data scope of the logging must be restricted.
Log data may only be stored for a limited
It is mandatory that roles 2 and 4 exist time.
separately from each other.Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
E.2 Selection of identity data ▪ Writing and typing errors or
3. treatment methods. Data suppliers All attributes relating to a person that allow transposed numbers
E. Best practices the person to be more closely identified ▪ Change of name due to wedding or
include doctors, hospitals and death
belong to the identity data of the person. divorce
E.1 Linkable
registers. Some of the data extend over These could be for example: ▪ Different spellings of the first name
pseudonymisation methods
long periods of time and may even (e.g. Hans/Johannes, Inge/ Ingrid)
A pseudonymisation process provides
originate from different federal states, ▪ First name, family name and maiden ▪ Change of residence
linkable pseudonyms if identical or similar
as the patients may have changed their name ▪ Change of name of a locality due to
pseudonyms are generated for persons
place of residence. Meaningful studies ▪ Gender a territorial reform
with the same or similar identity data. In
can only be created on the basis of ▪ Date and place of birth ▪ Ignorance of an attribute
this case, data records can be merged
linkable pseudonyms. ▪ Place of residence (e.g. place of birth)
using pseudonyms. Linkable methods are
and nationality ▪ and much more.
important for long-term studies, for
Note: ▪ Number of siblings
example, or if the data sets come from
▪ Occupation or If the case occurs that a person is assigned
different sources and are to be merged for
If there are several pseudonyms in the occupational group different pseudonyms at different times or
one study. The process of merging by
data collection for a data set (see note 5 in ▪ Health insurance or identity card from different places, one speaks of a
means of linkable pseudonyms is referred
Section D.2.2.2), the data sets can be number synonym error. In this case, the
to in specialist literature as record linkage.
linked if only one of the pseudonyms ▪ and much more. pseudonym can no longer be linked to this
matches. person.
Examples:
E.2.1 Identity data for the The synonym error rate can be reduced
calculation of pseudonyms by the following measures:
1. For studies on the legal probation of
offenders, the content data (offence, The identity data of a person can be used,
as described in Section D.2.2.2, to ▪ Omission of an attribute when
sentence, age, etc.) are collected in a
calculate the pseudonym to the person. calculating the pseudonym, for
database. For data protection reasons,
It has to be taken into account that example, only the year of birth is used
the entries may not have any personal
when using a cryptographic function to instead of the complete date of birth.
reference. Authorities are regularly
obliged to delete data on previous calculate the pseudonyms, the same ▪ Restriction of the name to the initial
convictions of persons after legally identity data will provide the same letter or letters (i.e. the first three)
prescribed periods of time. However, in pseudonyms, but even minor deviations in ▪ Use of a name or phonetic code
order to carry out long-term studies on the identity data will lead to completely instead of the name (see for example
the recidivism of offenders, the data different pseudonyms. Reasons for a de.wikipedia.org/wiki/Kölner_Phoneti
material could be analysed using change of the pseudonyms can be: k)
linkable pseudonyms. ▪ Use of the municipality code number
instead of place of residence or birth
2. The German epidemiological cancer ▪ and much more.
registries collect pseudonymised data
sets on cancer patients in order to If, on the other hand, different people
investigate the success of different receive the same pseudonym at differentRequirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
Comments:
Comments: For example, it is conceivable that there is
times or from different places, this is
only one floor tiler in the postal code area 1. Larger values for k and l represent a
referred to as a homonym error. If the
1. In the case of a high synonym error rate, 65432. This would then undoubtedly be greater anonymity in this context.
pseudonyms are calculated from the
values are generally underestimated identifiable in the data collection. However, 2. k-Anonymity and l-Diversity can be
identity data, homonym errors always
(e.g. the relapse rate in a legal even if there are several floor tilers with the achieved by aggregating the attributes in
occur if the identity data from which the
probation study or the mortality rate in a postal code 65432, it would have to be the identity data.
pseudonyms are calculated match for both
specific treatment method). ensured that these do not all have a
persons.
The homonym error rate can be 2. With a high homonym error rate, values certain characteristic in common, for Examples:
are generally overestimated. example a certain illness, because
reduced by the following measures:
3. A reduction of the synonym error rate otherwise one would immediately know ▪ Instead of "tiler", "craftsman" is
usually results in an increase of the from a person of whom one knows that he indicated as the occupation.
▪ Adding additional attributes for the
homonym error rate - and vice versa. is a floor tiler by profession and has the ▪ All postal codes in the data collection
calculation of the pseudonym, e.g.
4. A compromise between synonym error postal code 65432 that he suffers from this that begin with 654 are added
the complete date of birth can be
rate and homonym error rate strongly illness. together. Instead of 65432, 654xx is
used instead of only the year of birth.
depends on the underlying or expected For a pseudonymised data collection then stored in the data collection.
▪ Use of long-lasting unique
data collection. Accordingly, the k-anonymity and l-diversity must therefore
characteristics for calculating
attributes of the identity data to be used be guaranteed. 3. k-anonymity and l-diversity shall be
pseudonyms, such as the pension
for the calculation of the pseudonyms A data collection offers k-anonymity if established by the pseudonymising
insurance or health insurance
are to be selected. the identity data of each individual person body (see Section D.2.3.a). For this
numbers
contained in it overrides at least k - 1 other purpose, the pseudonymising entity
▪ and much more.
E.2.1 Identity data in the persons. must have access to the attributes of the
content data A data collection offers l-diversity if identity data contained in the content
In pseudonymised data collections, the there are at least l different forms of data.
content data may still contain identification content data for each group of identical
data, provided that this can be of identity data contained therein.
significance for the intended research k and l are natural numbers.
using the data collection. For example,
gender, age, place of residence (as a five-
digit postal code) or occupation may be of
interest. In certain cases, however, it may
be possible to identify individuals solely on
the basis of the identity data contained in
the content data.Requirements for the use of pseduonymisation solutions
in compliance with data protection regulations
A working paper of the Data Protection Focus Group of the Platform Security,
Protection and Trust for Society and Business at the Digital Summit 2018
a separate transmission path from the
E.3 Involving a trusted third If the pseudonym was created from the
data suppliers directly to the data
party identity data by a pseudonymisation list,
collection entity. The separate
The security of pseudonymisation transmission path can be of a physical it is necessary for the discoverability
procedures is generally increased if the nature; however, the content data can that the pseudonymisation list used was
roles mentioned in Section D.2.3.a are also pass through the trusted third party not deleted.
separated organisationally and locally. A and be encrypted using an encryption For multi-stages and mixed processes,
trusted third party receives the data procedure in which only the data collection all cryptographic keys and
collection of the data supplier(s), entity is able to decrypt the data. pseudonymisation lists used for
generates the pseudonyms and forwards creation are required for discoverability.
them to the data collection entity. The data E.3 Discoverability of In the example scenario from section
collection entity then merges the data pseudonyms/re-identification D.2.2.3, a re-identification of a
received using the pseudonyms. The data Under certain circumstances, it may be pseudonym P3, which is present at the
collection entity then passes them on to necessary to trace the associated person data evaluator X, would be possible as
the data evaluator(s). In this way, neither or his or her identity data from a follows:
the data collection entity nor the data pseudonym.
evaluator come into contact with the In the event that the pseudonym has 1. X returns the pseudonym P3 to S
identity data at any time. been created by a calculation procedure
2. S determines the pseudonym P2
After pseudonymisation at the trusted from the identification data, it is necessary
from P3 using the list LX.
third party, the trusted party may be for discovery that the cryptographic keys
obliged to delete the identity data used have not been deleted. If the 3. S returns the pseudonym P2 to V
irretrievably if there is no need to re- formation of the pseudonyms was based 4. V calculates the pseudonym P1 from
identify the pseudonyms (see sections on an encryption process, the pseudonym P2 using the key K2.
D.2.5 and E.4). After completion of the can be decrypted immediately in order to
entire procedure, the trusted third party access the identity data. If the pseudonym 5. V returns the pseudonym P1 to an
may be obliged to delete the cryptographic was formed by a crypto-graphical authorized authority that has
keys used. checksum, it is not possible to discover knowledge of the key K1.
For the trust third party there is no need the identity data directly. However, if the
to know the content data, but only the key K used has not been deleted, the
The authorized authority determines
identity data in the case of a linkable identity data can be determined by a
the associated identity data from P1
pseudonymisation procedure. It is complete exhaustion of all relevant
using the key K1.
therefore advisable to set the content data identity data (see comment 4 in Section
to D.2.2.2).You can also read
