Apr 272017

Singapore’s Personal Data Protection Commission Publishes Advisory Guidelines on the Use of Anonymized Data

Yuet Ming Tham and Kayla Feld
, ,

The Personal Data Protection Act, 2012 (PDPA), Singapore’s general data protection law, governs the collection, use and disclosure of personal data. The Singapore Personal Data Protection Commission (PDPC), which enforces the PDPA, recently updated the chapter on data anonymization found in its Advisory Guidelines (Guidelines). The Guidelines are not legally binding but provide guidance on how the PDPC will interpret the PDPA. The revisions encourage organizations to incorporate into the process of anonymizing data an inquiry into the risks that the data may be re-identified and any potential negative effect on the individuals involved rather than focusing purely on the various techniques to anonymize the data.

The PDPA defines personal data as data from which an individual can be identified, on its own or in combination with other information to which that organization is likely to have access. Anonymization is the process of converting personal data to data that cannot be used to identify any particular individual, and it includes data that is reversibly or irreversibly anonymized. The amendments indicate that the PDPC would consider an organization to have anonymized data if there is no serious possibility that a data owner or recipient would be able to identify individuals from that data.

The revisions to the Guidelines encourage organizations anonymizing data to consider the possible ways in which the data could be re-identified, both at the time of anonymization and in the future, as data-recognition techniques develop. The rationale behind this inquiry is that it will enable organizations to anticipate and manage these risks as they select the anonymization technique, the nature and extent of disclosure and controls or limits placed on data recipients after such disclosure. When determining which anonymization technique to use for a specific set of data, organizations should consider the nature and type of data to anonymize and the international best practices for anonymizing that data type. The nature and type of data will affect what form of alteration the data require for proper anonymization as well as whether the level of alteration needed to anonymize the data might render the data useless for its intended purpose (i.e., alteration of a data set containing only photographs may destroy the usefulness of the data set).

When disclosing anonymized data, organizations should introduce controls to lower the risk of re-identification. Such controls include limiting the number of data recipients or imposing restrictions on their use and subsequent disclosure of the data or requiring them to implement processes to govern data use and implement processes to destroy the data when it will no longer serve any business or legal purpose. The amendments to the Guidelines also suggest that organizations implement controls to limit the data users’ or recipients’ access to “other information” that, paired with the data set, could identify the individuals. Suggested methods for limiting this access could include legally binding agreements, administrative rules or policies, organizational structures, technical measures (i.e., the use of encryption) and physical measures (restricting access to data storage areas). The PDPC indicates that in assessing anonymization and the risk of re-identification of data, it will take a holistic view, including consideration of factors relevant to the specific case.

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

Kayla Feld

kfeld@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.