Psycho-Babble Administration Thread 1102144

Shown: posts 13 to 37 of 40.

 

Re: Most recent five suggestions for more compliance

Posted by ert on December 16, 2018, at 0:58:56

In reply to Re: Most recent five suggestions for more compliance, posted by rjlockhart37 on December 16, 2018, at 0:55:17

> i was making a joke, maybe the way I post jokes are not so well done, no i'm much more civil and down to earth than i used to be on babble, it used to be cried wolf, and did drama shows over something a small emotional event. I've changed and continue to change
>
>

yeah, it seems for me that you're a good guy and maybe an even better one in real life than the one here...

 

Re: Most recent five suggestions for more compliance

Posted by ert on December 16, 2018, at 1:45:06

In reply to Re: Most recent five suggestions for more compliance, posted by ert on December 16, 2018, at 0:58:56

> > i was making a joke, maybe the way I post jokes are not so well done, no i'm much more civil and down to earth than i used to be on babble, it used to be cried wolf, and did drama shows over something a small emotional event. I've changed and continue to change
> >
> >
>
> yeah, it seems for me that you're a good guy and maybe an even better one in real life than the one here...

Personally, I do not know if Hsiung deleted any postings or archives and in particular especially for him unpleasant postings or archives. From what I have read, I know that he does not delete, however.

At least he or his deputy did not block me yet. Even though I criticized here, but IMO justified. so there also is something, little good.

 

Re: Most recent five suggestions for more compliance

Posted by ert on December 16, 2018, at 2:00:04

In reply to Re: Most recent five suggestions for more compliance, posted by ert on December 16, 2018, at 1:45:06

I suppose, but only suppose because I do not know for sure, that Hsiung never deleted a post.

Some postings are just not indexed and do not pop up when searched with an engine.

 

Re: Most recent five suggestions for more compliance

Posted by rjlockhart37 on December 16, 2018, at 20:17:40

In reply to Re: Most recent five suggestions for more compliance, posted by ert on December 16, 2018, at 2:00:04

yeah, they may just be hiding somewhere, in the server....

there's not much blocking here anymore, the deputies used to be like police officers and blocked frequently, this old town has had its day and lost its sheriff and deputies, we're free to write whatever we want for now. Only at the cost of it being read on google by many many people, so no sensitive information

 

Re: Most recent five suggestions for more compliance

Posted by rjlockhart37 on December 16, 2018, at 20:22:14

In reply to Re: Most recent five suggestions for more compliance, posted by rjlockhart37 on December 16, 2018, at 20:17:40

but still Hsiung can block posters, and delete them so we're not totally free. We have the sheriff but no deputies

 

Re: Most recent five suggestions for more compliance » rjlockhart37

Posted by SLS on December 17, 2018, at 9:37:06

In reply to Re: Most recent five suggestions for more compliance, posted by rjlockhart37 on December 14, 2018, at 16:40:37

> babblers vs the Hsiung


What makes you say this?


- Scott

 

Re: Most recent five suggestions for more compliance » rjlockhart37

Posted by SLS on December 17, 2018, at 9:40:35

In reply to Re: Most recent five suggestions for more compliance, posted by rjlockhart37 on December 16, 2018, at 0:46:16

> yeah he's a mastermind mind - we must revolt and and post as many obnoxious posts possible for him to keep deleting - no wonder i couldn't find my other posts

Who will this benefit?

I think you should announce to the Medication board your idea. Let's see how many people agree with you and would favor the permanent shutdown of this website.


- Scott

 

Re: Most recent five suggestions for more compliance » rjlockhart37

Posted by SLS on December 17, 2018, at 9:44:55

In reply to Re: Most recent five suggestions for more compliance, posted by rjlockhart37 on December 16, 2018, at 20:22:14

> but still Hsiung can block posters, and delete them so we're not totally free. We have the sheriff but no deputies

So, you would like to see the return of deputies? What sorts of things would you like to see them do?


- Scott

 

Re: Most recent five suggestions for more compliance » ert

Posted by SLS on December 17, 2018, at 9:48:53

In reply to Re: Most recent five suggestions for more compliance, posted by ert on December 15, 2018, at 16:53:43

> Unpleasant postings or archives that could be used against him he deletes but phrases and postings that is to someones detriment he wont delete

Gosh. I didn't know that. How did you come upon this information? Interesting.


- Scott

 

Re: Most recent five suggestions for more compliance

Posted by ert on December 17, 2018, at 12:27:07

In reply to Re: Most recent five suggestions for more compliance » ert, posted by SLS on December 17, 2018, at 9:48:53

> > Unpleasant postings or archives that could be used against him he deletes but phrases and postings that is to someones detriment he wont delete
>
> Gosh. I didn't know that. How did you come upon this information? Interesting.
>
>
> - Scott

rjlockhart37 wrote that he thinks the ruler deletes posts or archives. However, I think that when he searched the archive, the engine maybe didn't catch everything.

I don't know myself. Maybe he has never deleted a post.

Obviously, the ruler and mastermind is still here and lives. Good. He removed the social network (facebook, twitter...) buttons. Likely, his psychologist coworker told him that this could upset participants, since the could not have had that idea.

 

Re: Most recent five suggestions for more compliance

Posted by ert on December 17, 2018, at 12:29:51

In reply to Re: Most recent five suggestions for more compliance, posted by ert on December 17, 2018, at 12:27:07

no. the buttons are still there. I err. on android I didn't see it.

 

Re: Most recent five suggestions for more compliance » SLS

Posted by rjlockhart37 on December 17, 2018, at 18:11:07

In reply to Re: Most recent five suggestions for more compliance » rjlockhart37, posted by SLS on December 17, 2018, at 9:40:35

it was a joke, not literally.....like we just need post things to get dr-bob's attention, it was sarcasm. But it wasn't in a joke format, that's why it sounded literal

 

Re: Most recent five suggestions for more compliance

Posted by rjlockhart37 on December 17, 2018, at 18:15:27

In reply to Re: Most recent five suggestions for more compliance » rjlockhart37, posted by SLS on December 17, 2018, at 9:44:55

the deputies were like moderators, and yeah that would be good to see them back, they could restart what they used to be doing, babble kinda went vacant and they're not here anymore, so ... any type of offensive comments are not moderated, but that's not good....so i apologize for anything that seemed offensive

 

Re: Most recent five suggestions for more compliance

Posted by sigismund on December 18, 2018, at 1:09:52

In reply to Re: Most recent five suggestions for more compliance » rjlockhart37, posted by SLS on December 17, 2018, at 9:44:55

I can't recall how many types of control I have seen here. 5? 10?

It reminds me (only a little) of what was said about the citizens of the USSR. The government fought them, and eventually the government won.

 

Re: Most recent five suggestions for more compliance

Posted by ert on December 20, 2018, at 7:48:04

In reply to Re: Most recent five suggestions for more compliance, posted by sigismund on December 18, 2018, at 1:09:52

sigismund,

I think that the ruler should not be a smaller version of Putin.

The ruler's brain obviously thinks in a way that he could loose legal implications, maybe he should do something. But his brain does not think in a way that it should be done lawfully from the beginning on, so that nobody gets hurt and everyone can realize the will over her/his own sensitive property.

Has the ruler ever thought that someone may not like it, when her/his sensitive property gets stolen?

 

Re: Most recent five suggestions for more compliance

Posted by ert on December 21, 2018, at 4:53:04

In reply to Re: Most recent five suggestions for more compliance, posted by ert on December 20, 2018, at 7:48:04

I think telegram could be a viable option.

-own posts can be exported or the whole chat (and then further processed e.g. merged to pdf files). With adobe dc, freecommander (plug in) or totalcommander (plug in) it can also be searched inside multiple doc files like pdf files
-It can be set a description for a user name. When someone changes the user name it can be used the same or similar description so that the person will be recognized.
-it can be made two people chats
-it can be checked who is online
-it can be called someone but also blocked from calling
-it can be uploaded media or also blocked from uploading when it disturbs too much
-it can quickly searched through the chat with terms like lithium
-it can be jumped back to a specific date e.g. one week back and then read through all new postings.
-It can be used an avatar e.g. a pet as a face replacement
-Interesting posts can be quickly saved by forwarding them to saved messages
-Available even for linux
-The posts get deleted after an set time of inactivity (up to 1 year)
-They would be less anxious to post and therefore more open minded and honest
-Short blocks for rogue users are possible
-The problem is finding the groups. Therefore it must be made links to the groups on a websites.
-There is a learning curve but the software easy to understand and lightweight
-Everyone can delete or edit her/his posts

I try to help a bit because if nothing happens sooner or later it will have negative implications for the ruler

article 27 of the gdpr also requires an eu representative that has oversight over the data processed. Therefore an independent person who has oversight and deletes data.


Portuguese DPA imposes 400,000 fine on hospital for two violations of the GDPR
Holiday Special, 17 December 2018 Issue
The Portuguese data protection authority Comissão Nacional de Protecção de Dados or CNPD imposed two separate penalties amounting to a 400,000 fine on a hospital for two violations of the EU General Data Protection Regulation.
The CNPD found the Barreiro Hospital had granted access to patient data to too many users of the hospital's patient management system. There were 985 users registered for doctor-level access, even though there were only 296 physicians working at the hospital in 2018. The DPA applied a 300,000 fine for this failure to respect patient confidentiality and to limit access to patient data. The CNPD imposed the second fine of 100,000 for the hospital's inability to ensure data security and data integrity in the system.
Provided by: Access Now

First UK GDPR enforcement action is against Canadian firm with apparently no EU presence

17TH DECEMBER 2018 BY FRANK FINE IN NEWS

On 24 October 2018, the UK data protection enforcement body, the Information Commissioner's Office (ICO), issued an Enforcement Notice against Canadian data services firm, AggregateIQ (AIQ). This was the first Enforcement Notice issued by the ICO under the General Data Protection Regulation (GDPR). The Notice specifies several breaches of the GDPR and gives AIQ 30 days to put itself into compliance or face a fine of 20 million or 4% of global group turnover, whichever is greater.
AIQ's breaches of the GDPR relate to its use of personal data of UK individuals in connection with its business of providing data services to political organisations. Specifically, AIQ used this data to target individuals with political advertising on social media.
The specific GDPR breaches were as follows:
1. AIQ breached Articles 5(1)(a)-(c) and Article 6 by processing personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing. Moreover, the processing was incompatible with the purposes for which the data was originally collected.
2. AIQ also breached Article 14 in that it failed to provide data subjects with the information set out in Articles 14(1) and (2), and none of the exceptions set out in Article 14(5) apply. Article 14 deals with the situation in which a company obtains the personal data from one or more third parties rather than from the data subjects directly. If Article 14 applies, the controller of the data must communicate to the data subject, among other things, the category of the data collected, the purpose(s) of the data processing, and its legal basis.
3. Although it is not alleged in the Enforcement Notice, AIQ was also probably in breach of Article 27 in that non-EU companies that process the personal data of EU residents must designate an EU representative, which is obviously intended to provide regulators with an easy means of imposing jurisdiction. The failure to comply with Article 27 alone can result in a fine of 10 million or 2% of a company's global group turnover, whichever is higher.
The GDPR provides detailed guidance to companies on how the collection of personal data may be legally justified and the steps that must be taken with regard to the privacy of the data and the disclosures and/or authorizations that must be made to, or obtained from, the individuals affected. This is a complex exercise that should normally require the assistance of outside legal counsel. AIQ was either ignorant of how GDPR may affect its business or, what is more likely in view of the wide publicity GDPR has generated around the world, totally indifferent to its GDPR legal obligations.
The GDPR breaches by AIQ are so serious and wide ranging that it will be nearly impossible for it to fully comply with the Enforcement Notice within 30 days. It should be kept in mind that AIQ must carry out its compliance steps with regard to all UK individuals affected (i.e. with regard to all those in the UK whose data was collected). If AIQ's measures are only piecemeal, the ICO will probably deem AIQ to be non-compliant.
If AIQ fails to comply with its GDPR obligations within 30 days, and a fine is imposed, the fine may be enforced in a UK court. If AIQ fails to make a court appearance and a default judgment is entered, AIQ may well have to defend itself in an action to enforce a foreign judgment. Moreover, with a UK judgment entered, AIQ may be effectively barred from establishing itself within the EU for fear of its EU assets being subject to a seizure action for the collection of the fine.
The situation for Chinese companies could not be clearer. Even those not established in the EU could face the sort of risks identified above. Those Chinese companies taking a relaxed position or preferring to see how things develop before they take GDPR compliance measures could find themselves unpleasantly surprised. Keep in mind that AIQ is a small consultancy, but its business depends on assembling a massive database of personal data.
Now, imagine how much personal data a large Chinese manufacturer of consumer goods or electronic products, a Chinese airline or hotel chain, or a Chinese internet selling platform is able to collect from/on EU consumers, and how much time it would need to comply with the GDPR. A 30-day window would be laughable. And it should be considered that the GDPR did not require the ICO to provide a 30-day window - that was the ICO's decision, or if you prefer, English hospitality.

 

Re: Most recent five suggestions for more compliance

Posted by ert on December 21, 2018, at 16:06:53

In reply to Re: Most recent five suggestions for more compliance, posted by ert on December 21, 2018, at 4:53:04

one drawback with telegram is that there could be a bit less response because here it has 16 posts * 30 days = approx. 500 posts per month. to catch all posts someone has to jump back a month and the scroll through all postings until the present.

but the telegram also has advantages, because when someone is found who has the same disorder or takes the same drug it can be done private chats or if desired it can be called someone.

the psycho-babble that is originally based on the code by Matt Wright requires fairly little bandwidth but telegram also is efficient, whereas other software could require more. That problem however is less prevalent since almost all people do have a bandwidth of at least 128 kbps/s.

nevertheless, this website with the present policy in the faq's was and is currently illegal and must be compliant in the future.

for me it seems that the psycho babble has been to a great extent an ego project.

 

Re: telegram

Posted by ert on December 23, 2018, at 6:44:04

In reply to Re: Most recent five suggestions for more compliance, posted by ert on December 21, 2018, at 16:06:53

I find telegram fairly smart software. With the newest version (there also is a web version for people who do not want additional software) it can be conducted polls. Such a poll can be pinned on chat room and notified the members.

When there would be too much postings in a chat room like psycho babble medication this could be split into Psycho babble medication and psycho babble health

But with the number of posts that psycho babble possess now, it could be quickly scrolled through the messages week or month wise (scrolled by jumping a month back or vice versa from the present to the past) or later dated back searched a particular participants postings or a term.

Media upload is by default disabled. For the main group media could be disruptive.

 

Re: telegram

Posted by ert on December 23, 2018, at 6:48:48

In reply to Re: telegram, posted by ert on December 23, 2018, at 6:44:04

> I find telegram fairly smart software. With the newest version (there also is a web version for people who do not want additional software) it can be conducted polls. Such a poll can be pinned on chat room and notified the members.
>
> When there would be too much postings in a chat room like psycho babble medication this could be split into Psycho babble medication and psycho babble health
>
> But with the number of posts that psycho babble possess now, it could be quickly scrolled through the messages week or month wise (scrolled by jumping a month back or vice versa from the present to the past) or later dated back searched a particular participants postings or a term.
>
> Media upload is by default disabled. For the main group media could be disruptive.
>

eternal bans would be possible but still it could be circumvented by changing the (prepaid) sim card.

but overall the interface needs a bit a learning curve to use it effectively.

 

Re: telegram

Posted by ert on December 23, 2018, at 14:42:00

In reply to Re: telegram, posted by ert on December 23, 2018, at 6:48:48

What is seen on the medication board is 420 datasets in a timespan of approx. 2 months.

That would signify 420 posts / 60 days approx. up to 10 posts a day.

I think it could be possible to handle with telegram.

 

Re: telegram

Posted by ert on December 23, 2018, at 15:19:44

In reply to Re: telegram, posted by ert on December 23, 2018, at 14:42:00

> What is seen on the medication board is 420 datasets in a timespan of approx. 2 months.
>
> That would signify 420 posts / 60 days approx. up to 10 posts a day.
>
> I think it could be possible to handle with telegram.
>

420 datasets or rows on one screen is quite a lot.

In contrast, that's a bit the drawback with telegram.

Even though there is less oversight on a particular screen, it could be searched for one's own name with the search function and from those posts on searched for the answers by scrolling down.

 

SLS

Posted by ert on December 24, 2018, at 8:59:32

In reply to Re: telegram, posted by ert on December 23, 2018, at 15:19:44

thanks for your voluntary commitment SLS, obviously the ruler is a reticent mastermind. and the other helpers obviously went to Alaska.

 

Re: SLS

Posted by ert on December 25, 2018, at 14:34:33

In reply to SLS, posted by ert on December 24, 2018, at 8:59:32

why didn't you block me, dear scotty ?

 

Re: gdpr

Posted by ert on December 29, 2018, at 9:18:16

In reply to Re: SLS, posted by ert on December 25, 2018, at 14:34:33

it must be appointed someone who controls the data processing and deletes data. Especially because of article Art. 9 GDPR Processing of special categories of personal data

https://gdpr-info.eu/art-37-gdpr/
https://gdpr-info.eu/art-9-gdpr/
https://gdpr-info.eu/art-10-gdpr/

many laws are violated, but especially EU and adjacent countries laws.
US law too.

 

Re: gdpr and recitals

Posted by ert on December 29, 2018, at 10:43:50

In reply to Re: gdpr, posted by ert on December 29, 2018, at 9:18:16

> it must be appointed someone who controls the data processing and deletes data. Especially because of article Art. 9 GDPR Processing of special categories of personal data
>
> https://gdpr-info.eu/art-37-gdpr/
> https://gdpr-info.eu/art-9-gdpr/
> https://gdpr-info.eu/art-10-gdpr/
>
> many laws are violated, but especially EU and adjacent countries laws.
> US law too.

http://www.privacy-regulation.eu/en/recital-26-GDPR.htm

http://www.privacy-regulation.eu/en/r28.htm

The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.

Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens' data to undertake major operational reform.

This is the eighth in a series of articles addressing the top 10 operational impacts of the GDPR.

GDPR encourages pseudonymization of personal data
The concept of personally identifying information lies at the core of the GDPR. Any personal data, which is defined as information relating to an identified or identifiable natural person ("data subject"), falls within the scope of the Regulation. The Regulation does not apply, however, to data that does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.

The GDPR introduces a new concept in European data protection law, "pseudonymization," for a process rendering data neither anonymous nor directly identifying. Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Pseudonymization, therefore, may significantly reduce the risks associated with data processing, while also maintaining the data's utility. For this reason, the GDPR creates incentives for controllers to pseudonymize the data that they collect. Although pseudonymous data is not exempt from the Regulation altogether, the GDPR relaxes several requirements on controllers that use the technique.

What is pseudonymous data?
The GDPR defines pseudonymization as the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. To pseudonymize a data set, the additional information must be kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person. In sum, it is a privacy-enhancing technique where directly identifying data is held separately and securely from processed data to ensure non-attribution.

Although Recital 28 recognizes that pseudonymization can reduce risks to the data subjects, it is not alone a sufficient technique to exempt data from the scope of the Regulation. Indeed, Recital 26 states that "[p]ersonal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person" (i.e., personal data). Thus, pseudonymization is "not intended to preclude any other measures of data protection" (Recital 28).

GDPR creates incentives for controllers to pseudonymize data
The Regulation recognizes the ability of pseudonymization to help protect the rights of individuals while also enabling data utility. Recital 29 emphasizes the GDPR's aim "to create incentives to apply pseudonymization when processing personal data" and finds that measures of pseudonymization "should, whilst allowing general analysis, be possible" (emphasis added). These incentives appear in five separate sections of the Regulation.

Pseudonymization may facilitate processing personal data beyond original collection purposes.
The GDPR requires controllers to collect data only for specific, explicit and legitimate purposes. Article 5 provides an exception to the purpose limitation principle, however, where data is further processed in a way that is compatible with the initial purposes for collection. Whether further processing is compatible depends on several factors outlined in Article 6(4), including the link between the processing activities, the context of the collection, the nature of the data, and the possible consequences for the data subject. An additional factor to consider is the existence of appropriate safeguards, which may include encryption or pseudonymization (Article 6(4)(e)). Thus, the GDPR allows controllers who pseudonymize personal data more leeway to process the data for a different purpose than the one for which they were collected.

Pseudonymization is an important safeguard for processing personal data for scientific, historical and statistical purposes.
The GDPR also provides an exception to the purpose limitation principle for data processing for scientific, historical and statistical research. However, Article 89(1) requires controllers that process data for these purposes to implement appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Specifically, controllers must adopt technical and organizational measures to adhere to the data minimization principle. The only example the Regulation provides is for controllers to use pseudonymization so that the processing does not permit or no longer permits the identification of data subjects.


Pseudonymization is a central feature of data protection by design.
The GDPR for the first time introduces the concept of data protection by design into formal legislation. At the conceptual level, data protection by design means that privacy should be a feature of the development of a product, rather than something that is tacked on later. Thus, Article 25(1) requires controllers to implement appropriate safeguards both at the time of the determination of the means for processing and at the time of the processing itself. One way that controllers can do this is by pseudonymizing personal data.

Controllers can use pseudonymization to help meet the GDPR's data security requirements.
Under Article 32, controllers are required to implement risk-based measures for protecting data security. One such measure is the pseudonymization and encryption of personal data (Article 32(1)(a)). The use of pseudonymization potentially has profound implications under this provision. Controllers are required to notify a data protection authority any time there is a security incident that presents a risk to the rights and freedoms of natural persons (Article 33(1)). They must, moreover, notify the concerned individuals anytime that risk is high (Article 34(1)). Since pseudonymization reduces the risk of harm to data subjects, controllers that use it may be able to avoid notification of security incidents.

Controllers do not need to provide data subjects with access, rectification, erasure or data portability if they can no longer identify a data subject.
A controller may employ methods of pseudonymization that prevent it from being able to re-identify a data subject. For example, if a controller deletes the directly identifying data rather than holding it separately, it may not be capable of re-identifying the data without collecting additional information. Article 11 acknowledges this situation and provides an exemption from the rights to access, rectification, erasure and data portability outlined in Articles 15 through 20. The exemption applies only if "the controller is able to demonstrate that it is not in a position to identify the data subject" and, if possible, it provides notice of these practices to data subjects. The GDPR does not require a controller to hold additional information "for the sole purpose of complying with this Regulation." If, however, a data subject provides the controller with additional information that allows her to be identified in the data set, she must be permitted to exercise her rights under Articles 15 through 20.

The GDPR encourages controllers to adopt codes of conduct that promote pseudonymization.
The GDPR encourages controllers to adopt codes of conduct that are approved by the Member States, the supervisory authorities, the European Data Protection Board or the Commission. Among other provisions outlined in Article 40, these codes of conduct should promote the use of pseudonymization as a way to comply with the Regulation (Article 40(2)(d)). As will be explored in a later article in this series, using codes of conduct allows controllers and processors to demonstrate adherence to the principles of the Regulation, and they may even be used as a mechanism for transferring personal data to third countries.

Pseudonymous data is not anonymous
Much debate surrounds the extent to which pseudonymized data can be reidentified. This issue is of critical importance because it determines whether a processing operation will be subject to the provisions of the Regulation. The GDPR adopts a more flexible approach than the traditional binary of the Data Protection Directive, focusing on the risk that data will reveal identifiable individuals. Thus, the key distinction between pseudonymous data, which is regulated by the GDPR, and anonymous data, which is not, is whether the data can be reidentified with reasonable effort.

To illustrate the concept of reidentification risk, it is important to distinguish between direct and indirect identifiers. The International Organization for Standardization (ISO) defines direct identifiers as data that can be used to identify a person without additional information or with cross-linking through other information that is in the public domain. They are data points that correspond directly to a person's identity, such as a name, social security number or contact information.


Indirect identifiers are data that do not identify an individual in isolation but may reveal individual identities if combined with additional data points. For example, one frequently-cited study found that 87 percent of Americans can be uniquely identified by combining three indirect identifiers: date of birth, gender and ZIP code. In other words, while no individual can be singled out based on just a date of birth, when combined with gender and ZIP code, the lens focuses on a specific identity.

Pseudonymization involves removing or obscuring direct identifiers and, in some cases, certain indirect identifiers that could combine to reveal a person's identity. These data points are then held in a separate database that could be linked to the de-identified database through the use of a key, such as a random identification number or some other pseudonym.

As a result of this process, pseudonymized data, unlike anonymous data, faces the risk of reidentification in two ways. First, a data breach may permit an attacker to obtain the key or otherwise link the pseudonymized data set to individual identities. Alternatively, even if the key is not revealed, a malicious actor may be able to identify individuals by combining indirect identifiers in the pseudonymous database with other available information.

The GDPR addresses the first concern in Recital 75, which instructs controllers to implement appropriate safeguards to prevent the unauthorized reversal of pseudonymization. To mitigate the risk, controllers should have in place appropriate technical (e.g., encryption, hashing or tokenization) and organizational (e.g., agreements, policies, privacy by design) measures separating pseudonymous data from an identification key.

In Recital 26, the GDPR recognizes the second type of reidentification risk by considering whether a method of reidentification is reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. Such an analysis is necessarily contextual and account should be taken of all the objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

The GDPR acknowledges that reidentification must be reasonably likely
Under the Directive, the Article 29 Working Party found that pseudonymization is not a method of anonymization because some risks of reidentification remained, even if those risks were very small. Thus, even when controllers deleted all identifying information and could not themselves reidentify a data set, the Working Party found that the data was still covered by the Directive if any third party could conceivably reidentify the data sometime in the future. A controller could escape regulation only by not collecting identifying information in the first place.

In contrast, by focusing on whether reidentification is reasonably likely, the GDPR may provide greater flexibility than the Directive. For example, where the controller deletes the identification key and the remaining indirect identifiers pose little risk of identifying an individual, the controller may be able to argue that there is no reasonable risk of reidentification. Recital 57 addresses this situation in relation to the data subject's right to access personal data held by the controller. In cases where the personal data processed by the controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purposes of complying with any provision of this Regulation.

Conclusion
The GDPR introduces a novel concept into European data protection law, pseudonymization, as a means of protecting the rights of individuals while also allowing controllers to benefit from the data's utility. Although pseudonymized data still falls within the scope of the Regulation, some provisions are relaxed to encourage controllers to use the technique. Thus, controllers that pseudonymize their data sets will have an easier time using personal data for secondary purposes and for scientific and historical research, as well as meeting the Regulation's data security and data by design requirements.

https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/
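
The split into a de-identified table and a separate key table that the quoted article describes, together with a check for its second reidentification risk (rows that stay unique on date of birth, gender and ZIP code), as an added example that is not part of the post or the article. All function names, the record layout and the generalization step are assumptions, and the records are constructed.

```python
import secrets
from collections import Counter

# Constructed sample records (fictional people, made-up values).
RECORDS = [
    {"name": "Ann Example", "ssn": "000-00-0001", "dob": "1980-03-14", "gender": "F", "zip": "60601", "dx": "A"},
    {"name": "Bea Example", "ssn": "000-00-0002", "dob": "1980-03-14", "gender": "F", "zip": "60601", "dx": "B"},
    {"name": "Cat Example", "ssn": "000-00-0003", "dob": "1980-07-02", "gender": "F", "zip": "60614", "dx": "A"},
    {"name": "Dan Example", "ssn": "000-00-0004", "dob": "1975-11-30", "gender": "M", "zip": "60622", "dx": "C"},
    {"name": "Eli Example", "ssn": "000-00-0005", "dob": "1975-01-09", "gender": "M", "zip": "60657", "dx": "B"},
    {"name": "Fay Example", "ssn": "000-00-0006", "dob": "1980-12-25", "gender": "F", "zip": "60605", "dx": "C"},
]
DIRECT = ("name", "ssn")          # direct identifiers: moved to the key table
QUASI = ("dob", "gender", "zip")  # indirect identifiers left in the data set

def pseudonymize(records):
    """Split records into (pseudonymous rows, key table) linked by a random token."""
    rows, key_table = [], {}
    for rec in records:
        token = secrets.token_hex(8)  # random, so it cannot be recomputed from the identity
        key_table[token] = {f: rec[f] for f in DIRECT}  # store apart from the rows
        rows.append({"pid": token, **{k: v for k, v in rec.items() if k not in DIRECT}})
    return rows, key_table

def generalize(row):
    """Coarsen indirect identifiers: birth year only, 3-digit ZIP prefix."""
    return {**row, "dob": row["dob"][:4], "zip": row["zip"][:3]}

def group_sizes(rows, fields=QUASI):
    """Count how many rows share each combination of indirect identifiers."""
    return Counter(tuple(r[f] for f in fields) for r in rows)

def singled_out(rows, fields=QUASI):
    """Tokens of rows whose indirect-identifier combination is unique."""
    sizes = group_sizes(rows, fields)
    return [r["pid"] for r in rows if sizes[tuple(r[f] for f in fields)] == 1]

def min_group_size(rows, fields=QUASI):
    """Smallest group sharing one combination (the k of k-anonymity)."""
    return min(group_sizes(rows, fields).values())

if __name__ == "__main__":
    rows, key_table = pseudonymize(RECORDS)
    coarse = [generalize(r) for r in rows]
    print("unique before generalization:", len(singled_out(rows)), "k =", min_group_size(rows))
    print("unique after generalization: ", len(singled_out(coarse)), "k =", min_group_size(coarse))
```

Removing the names and numbers alone leaves four of the six constructed rows unique on the three indirect identifiers; coarsening date of birth and ZIP code brings every row into a group of at least two.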



[dr. bob] Dr. Bob is Robert Hsiung, MD, bob@dr-bob.org

Script revised: February 4, 2008
URL: http://www.dr-bob.org/cgi-bin/pb/mget.pl
Copyright 2006-17 Robert Hsiung.
Owned and operated by Dr. Bob LLC and not the University of Chicago.