13 April, 2017
The Singapore Personal Data Protection Commission (PDPC) has updated its guidelines on anonymisation, and on service reminders in the healthcare sector.
The updated guidelines on using and disclosing anonymised data include considerations for assessing and managing the risks of re-identification from anonymised data, the PDPC said.
Data is often anonymised to allow it to be used in more ways than would be possible in its original state under data protection laws, the PDPC said. Personal identifiers may be unnecessary or undesired in the research, or may create the risk of disclosing personal data or causing security breaches.
The new guidelines identify five factors that organisations should take note of when considering the risk of re-identification: how data will be used and the extent of disclosure, how other information could be combined with the data to enable re-identification, how multiple datasets could be combined to re-identify individuals, the data recipient's ability and motivation to re-identify, and how a changing environment, such as new technologies, will affect anonymisation.
Practical controls can also be adopted to lower the risk of re-identification, the PDPC said, including limiting the number of recipients to whom the data is disclosed and the number of people who can access it, imposing restrictions on the recipient in how they can use and disclose the data, requiring the data recipient to implement processes governing use of the data, and requiring further processes for destruction of the data as soon as it no longer serves any business or legal purpose.
In its sector-specific guidelines, the PDPC has updated its advice on the use of personal data in sending service reminders for the health sector where users may have opted out of receiving messages under 'do not call' provisions. These messages, such as reminders of upcoming medical appointments, may be considered a "specified message" under the provisions and may be allowed. The guidelines also include clarification on how to assess whether there is an "ongoing relationship" in the context of healthcare services, allowing exemption from the provisions.
Nathanael Lim of Pinsent Masons MPillay said: "Organisations will definitely find these updates helpful given that they provide further clarity and contain practical advice which organisations can implement and take note of in better understanding their obligations under the Personal Data Protection Act."
For further information, please contact:
Ian Laing, Partner, Pinsent Masons
ian.laing@pinsentmasons.com