21 September 2017
The Uruguayan data protection authority (‘URCDP’) issued, on 18 September 2017, an updated guide on de-identification (‘the Guide’), in conjunction with the Digital Government and Information Society Agency (‘Agesic’). The Guide provides key definitions under Uruguayan law of concepts such as de-identification, anonymisation, re-identification and pseudonymisation; and an overview of the stages in the process of anonymising data, outlining how data controllers should design their anonymisation projects and the techniques they can use.
Martin Pesce Cutri, Senior Associate at FERRERE, told DataGuidance, “The URCDP is a very active body and is [known for] the adoption of up-to-date criteria on data protection, seeking to provide answers or guidelines for the most varied issues and challenges that the development of current technology poses to privacy. The Guide is a good step to begin establishing criteria and laying the foundations for the de-identification and anonymisation of personal data for the public and the private sectors that increasingly use these techniques in the generation of statistical and analytic products.”
Among its recommendations, the Guide advises defining a contingency plan during the first stage of the anonymisation process, to deal with the possibility that the data is re-identified after publication, and implementing agile response mechanisms to safeguard the identity of the data subject. The Guide also examines the risks associated with data anonymisation.
Pesce Cutri continued, “The Guide raises an interesting and necessary differentiation between anonymisation, pseudonymisation and de-identification that in practice can be confused and can expose companies to non-dimensioned risks. It will serve as guidance for companies when they adopt criteria and make decisions regarding data processing at a statistical level, and/or with higher levels of security. It also describes different techniques of anonymisation, with their advantages and risks, which will serve as a basis for decision making in that sense.”
In addition, the Guide notes that after anonymisation, technicians should carry out periodic checks to monitor emerging technologies and methods, in order to prevent the possible risks of re-identification. Moreover, the Guide reminds entities that the collection and processing of the data itself prior to anonymisation must comply with applicable legislation, including Law No. 18.331 on Protection of Personal Data and the Habeas Data Action (‘the Law’).
Pesce Cutri concluded, “Uruguay, as a country that has received [adequacy status by the] EU, is closely monitoring the implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and it is expected that changes and adjustments will be made to the Law, in line with the GDPR. Nevertheless, and considering that the Law was passed in 2008, it already incorporates some criteria that the EU has adopted – such as the forms of obtaining consent – and as a result, changes should not be too dramatic. Overall, there has been an increase in the number of complaints filed with the URCDP in line with the greater knowledge that citizens have acquired about their privacy rights. In the same way, companies have kept pace with these changes and there has been a strong tendency to invest in compliance with the Law as well as in cybersecurity.”
Rachael Nelson-Daley | Privacy Analyst