The Protection of Personal Information Act, 2013 (“POPIA”) came into effect on 1 July 2021. This means that all entities that process personal information must abide by the statute, lest they be guilty of infringing POPIA. Sections 6 and 7 of POPIA make provision for circumstances where POPIA does not apply. These include, inter alia, processing of personal information that is related to a purely personal or household activity, personal information that has been de-identified to the extent that it cannot be re-identified, and processing by a public body for national security reasons. For purposes of this article, we are concerned with what constitutes de-identified information.

De-identification is not a new concept within the world of data privacy and data protection regulation. The European Union General Data Protection Regulation (“GDPR”) also contemplates the concept of de-identification, albeit using different terms, namely “pseudonymisation” and “anonymisation”. The terms de-identification, pseudonymisation, and anonymisation are sometimes used interchangeably, but there are differences in meaning between them that affect the applicability of POPIA or the GDPR to some processing activities.

anonymised information

Under the GDPR, Recital 26 states that anonymous information refers to “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”. In this instance anonymised information is not considered personal information.

pseudonymised information

Article 4 of the GDPR defines pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

Under the GDPR, pseudonymised information is regarded as personal information and must be processed in accordance with the GDPR. Even though this method still requires the Responsible Party or Operator to comply with the GDPR, the use of pseudonymisation can reduce the risks related to data privacy and helps with showing compliance with data protection principles such as purpose limitation, data minimisation, storage limitation and integrity and confidentiality.

de-identified information

According to POPIA, the term de-identified is defined as follows, “in relation to personal information of a data subject, means to delete any information that:

  • identifies the data subject;
  • can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
  • can be linked by a reasonably foreseeable method to other information that identifies the data subject.”

POPIA does not apply to de-identified information that cannot be re-identified; such information is not considered personal information. Under POPIA, re-identification means “to resurrect any personal information of a data subject that has been de-identified”.

considerations

While the differences between de-identification and anonymisation seem subtle, some experts believe that this makes all the difference because the de-identification process can be reversed, albeit through a time-consuming and resource-intensive exercise, whereas this is not possible with anonymisation. However, if re-identification of the personal information that has been de-identified is not possible, then the process of de-identification under POPIA is the same as anonymisation that is contemplated under the GDPR.

Ascertaining whether information that has been de-identified under POPIA or pseudonymised under the GDPR can be re-identified requires an objective enquiry that considers factors such as the costs of and time required for re-identification, the available technology to do so, and current technological developments.

As POPIA is still in its nascent stages, the meaning of de-identified information is still open to interpretation. The Information Commissioner's Office in the United Kingdom has developed the “motivated intruder” test to help determine whether information that has been de-identified is likely to be re-identified, while under the United States' Health Insurance Portability and Accountability Act, 1996 (“HIPAA”) requirements for de-identification of personal information have been set out. Until the Information Regulator provides further guidance on this, we can look to these interpretational tools to assist us in classifying information correctly.

Besides using the motivated intruder test and the HIPAA requirements to determine whether information has been de-identified, industry bodies can also file a code of conduct regarding de-identification procedures with the Information Regulator.
