IP - 07120-1/2020/25

From GDPRhub
IP - 07120-1/2020/25
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 4(5) GDPR
Article 6 GDPR
Article 9 GDPR
Article 28 GDPR
Article 58 GDPR
Article 49 Personal Data Protection Act
Article 43 Information Commissioner Act
Article 37 of the Constitution of the Republic of Slovenia
Article 38 of the Constitution of the Republic of Slovenia
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: n/a
Published: 30.03.2020
Fine: None
Parties: n/a
National Case Number/Name: 07120-1/2020/25
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in SI)
Initial Contributor: n/a

The Slovenian DPA issued an advisory opinion on the establishment of a temporary information system for the combat against the SARS-CoV-2 pandemic to the government of the Republic of Slovenia and the Jozef Stefan Institute.

English Summary

Facts

The Slovenian government seeks to establish a temporary information system as a measure against the spread of the SARS-CoV-2 pandemic in Slovenia. The system is supposed to enable the analysis of non-personal and anonymized data from the fields of health care activity, of financial and economic flows, electronic communications, public services, transport and other activities, which appear to be related to the planning and implementation of the COVID-19 epidemic control measures.

Questions raised

The IP was asked under what condition the lawfulness of such a system can be adhered to. The central legal question was whether there will be a processing of personal data or merely anonymised data. The IP assessed the situation from a GDPR standpoint as well as under national Slovenian telecommunication and constitutional law.

The IP's Opinion

The IP reiterated that it understands the need for effective coronavirus epidemic measures, but that this time should not be used to curtail fundamental human rights and freedoms. It pointed out that the measures envisaged must be effective, necessary and reasonable in a democratic society.

The IP emphasized that understanding anonymization requires special care and that the possible use of anonymous data should take precedence over the use of personal information, especially in the area of locations and individuals' communications and their health information. In this regard, the IP pointed out that i.a. solely statistical, non-personal and anonymized data on the daily consumption of funds or medicines or the overall assessment of medical conditions in relation to the COVID-19 epidemic and not to individuals’ health information are not to be considered personal data.

As regards the transmission of data to the planned system and the further processing, the IP raised doubts as to whether it was assured that that the processing would actually only concern anonymous data. In the event that the planned processing of data cannot be asserted (with adequate statistical certainty) as anonymous data, the IP emphasized that the processing requires an adequate legal basis (under Article 6 and 9 GDPR) for the controller.

According to the IP, the question to ask is only not whether individuals can be identified from the data but rather whether the controller knows how to identify them. The look at determinability needs to be broadly - whether it is possible, whether other entities have the knowledge, capabilities and data that can lead to the determinability of data. When it comes to merging of data from different sources, a set of data may allow for new links between them that make it possible for individuals to be identifiable, especially when the location and traffic of electronic communications are also included.

Furthermore, the IP explained the difference between encryption, pseudonymisation and anonymisation and advised caution when it comes to anonymisation: Really anonymous data is only obtained through the use of specific anonymisation methods and techniques (such as noise addition, permutation, differentiated privacy, aggregation, k-anonymity, l-diversity and t-similarity) and not simply by encoding, encryption or other mappings 1:1.

Concerning the act of anonymisation, the IP stated, in essence, that this also constitutes a processing activity and requires a legal basis under the GDPR. Regarding data from telecommunication providers (such as traffic data and location data), that usually means that the anoymisation should be conducted by these providers themselves as the "originator" of the data.

The IP pointed that certain answers concerning the spread of SARS-CoV-2 cannot be answered without processing personal data, such as the exact movements, whereabouts, interactions and timestamps regarding certain individuals.

Lastly, the IT stated that it does not "see the COVID-19 epidemic in the current legal framework", as it was an interference with the constitutionally protected right to communication privacy, which is protected by Article 37 of the Constitution of the Republic of Slovenia. Such interference as an "emergency measure" is only possible when it is (i) prescribed by law, (ii) conducted based on a court order, (iii) limited for the duration of the declared epidemic and (iv) necessary for the initiation or course of criminal proceedings or for the security of the state.

Comment

It is remarkable, that the Slovenian government apparently intends to run the system without processing any personal data. It remains to be seen if this - privacy friendly - approach truly prevails or if the processing of personal data is considered necessary to fulfil the purposes of the system.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

The Information Commissioner (hereinafter: IP) received your letter asking us for an opinion on the foreseen assistance of the Jozef Stefan Institute and offered the Government of the Republic of Slovenia assistance in establishing a temporary information system that will enable the analysis of non-personal and anonymized data from the fields of health care activity of financial and economic flows, electronic communications, public services, transport, transport and other activities, which appear to be related to the planning and implementation of the COVID-19 epidemic control measures. As you explained, the purpose of this system is to enable the Government to better assess the current situation, predict developments in the COVID-19 epidemic and prepare the ground for action to curb the COVID-19 epidemic.

You have prepared a proposal for a Government decision and an agreement between the MoD, MoH and the Institute and ask us for an opinion on the appropriateness of the legal basis for data collection. This is non-personal and anonymized information of health care providers, the Financial Administration of the Republic of Slovenia, electronic communications operators and others. Data originators will provide the data voluntarily. This includes location data, but it will only be processed for statistical purposes, e.g. to check that measures related to COVID-19 are being followed and to analyze population movements, with a view to establishing daily migration within and outside Slovenia (Article 3, paragraph 4 of the Arrangement), such as "45 checkpoints with Italian operator's mobile number were crossed by checkpoints between 8am and 10pm".

Would you like to know whether the originators of the data need to have a legal basis for statistical analysis and analytical evaluation of these data for the Institute and the parties to the agreement (MO, MoH and Institute) for statistical analysis and analytical evaluation of this data? In addition, we would like to check whether it is necessary to adopt an emergency law, in case it turns out that the state authorities of this location
Would you like to use your data for different purposes (e.g., tracking groups of people)?

On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter: the General Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, officially consolidated text, hereinafter ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.

The IP reiterates that it understands the need for effective coronavirus epidemic measures, but that this time should not be used to curtail fundamental human rights and freedoms, and points out that the measures envisaged must be effective and necessary in the context of what is reasonable. in a democratic society. We understand that with certain anonymous data, it is possible to better plan and implement epidemic control measures, but special care is needed in understanding anonymization, and the possible use of anonymous data should take precedence over the use of personal information, especially in the area of ​​locations and individuals' communications and their health information. In a democratic society, it is impermissible to interfere with the information and communication privacy of individuals, if the pursued goals can be achieved with actually anonymized data, and interventions in communication and information privacy must respect the provisions of the Constitution of the Republic of Slovenia.

IP clarifies that the legal question is whether the processing of personal data is a case in point or not. The decision you are making, the intended processing of the data, as well as the types of data that are to be used for these purposes are described very generally. Notwithstanding the assurances you make that all categories of data are considered to be anonymized data, the Information Commissioner considers that at least in some categories there is reasonable doubt as to whether such data can be transmitted to the planned system and processed in a way that would ensure that the processing would actually concern anonymous data. Below, we explain our concerns in more detail, especially regarding communications and location data that we would obtain from electronic communications operators. We believe that it is difficult to achieve anonymization standards for this type of data, which would mean that no specific legal basis is required for processing them. We particularly emphasize that the anonymisation process must also take into account the risk that the identification of an individual may occur even after the allegedly anonymized data of different originators are combined into a large database. A set of data may allow for new links between them that make it possible for individuals to be identifiable, especially when the location and traffic of electronic communications are also included. In the event that the planned processing of data cannot be asserted (with adequate statistical certainty) as anonymous data, IP emphasizes that the processing requires an adequate legal basis for the controller to determine precisely the set of data to be processed and the purposes of processing , to comply with the basic principles of processing, including proportionality, and to implement any other obligations laid down in the General Regulation (including with regard to the preparation of the impact assessment on the protection of personal data referred to in Article 35). With regard to electronic communications traffic and location data, we would like to emphasize separately that these are data protected by Article 37 of the Constitution of the Republic of Slovenia. Below, we explain our concerns in more detail.

1. Processing of anonymized data from different originators

Although it is not possible to determine from the documentation exactly what kind of data by individual originators are to be used, in view of the content of the proposed Government decision and agreement, we find that the data set referred to in Article 3, paragraphs 3 and 5, of the agreement is most likely not personal data. , since it is a state of sales or inventory information of the state of the food, fuel and medicines business entities - unless, of course, any data on purchasers of natural persons will be processed, but only the state of sales and stocks; similarly, personal data from healthcare providers or pharmacy activities referred to in paragraph 1 of the Arrangement are not just as they relate solely to statistical, non-personal and anonymized data on the daily consumption of funds or medicines or the overall assessment of medical conditions in relation to the COVID-19 epidemic and not to individuals ’health information. To the extent that such information can be directly or indirectly linked to identifiable individuals, even if it may be done by a third party and not by the controller itself (as we explain below), this is personal data or, depending on the source, sensitive personal data.

Particular caution is also required in the data referred to in Article 3, paragraph 4 of the Arrangement, which stipulates that the data of electronic communications operators referred to in the first paragraph of this Article shall refer to those non-personal data that enable the daily amount or frequency of electronic communication to be shown on certain locations and data that enable the analysis of population movements for the purpose of establishing daily migration within and outside Slovenia.

This data cannot be obtained without the processing of the original personal data from the electronic communications traffic and this processing in the sense of anonymization can only be performed by those who have this legal basis, which means that the anonymization should already be carried out by the operators themselves and the PIS or other entities only anonymized information and in no way personal information. Here, we also draw attention to the restrictions laid down in paragraph 5 of Article 151 of ZEKom-1 regarding the processing of traffic data, which defines a specific set of persons who, under the control of an operator, may process data only for specific purposes. Thus, the provision in question falls within the scope of the Agency's control over the communications networks and services of the IJS, so that the data on the traffic and the locations of individuals must be anonymised by the originator. Only insofar as the IJS would process personal data for the purpose of anonymization only within the powers and instructions of the operator, in accordance with Article 28 of the General Regulation, could the contractual processing of personal data be discussed. Likewise, processing for the purpose of anonymization should not be misused for other purposes, as this would be in breach of the principle of purposefulness and in breach of the General Regulation and the Electronic Communications Act (ZEKom-1).

No more specific assurances can be drawn from your materials to ensure that only anonymized data is transferred from the operators to the new information system, since it is not defined either from which operator's database the anonymization data would be extracted, used, or by any methods, to anonymize them. In the following, we therefore explain in more detail what it means for the data to be anonymized, that is, that the individual cannot be identified directly or indirectly.
 
In view of the aforementioned IP, it particularly emphasizes the inadequacy of the provisions of Article 4, paragraphs 1 and 2 and Article 5, paragraphs 1 and 2 of the Arrangement, since, as stated, the JSI independently has no basis for any anonymization procedures or other processing of personal data by originators, but at most, the originators of the data may do so themselves, unless their sectoral legislation specifically restricts this.

We also propose to include explicit safeguards in the agreement that forbid all but the originators the processing of data that is not actually anonymized and on the duty of users to immediately alert the originators if they were to receive data from which individuals could be identified, such data but they destroy themselves.

2. Identifiability of the individual and legal basis for the processing of traffic and location data

In the event that the planned processing of data cannot be asserted (with adequate statistical certainty) as anonymous data, IP emphasizes that the processing of personal data by entities other than originators and / or outside the legitimate purposes of the originators , the legal basis is given, where the principle of proportionality in the narrower and broader sense should be respected, as well as the exact purposes of processing, the subjects involved, the datasets and the duration of processing, and the other conditions according to the provisions of the Constitution of the Republic of Slovenia, as explained below.

Here, we draw attention to the correct understanding of the determinability of the individual. It is important for us to be aware that personal data refer to identifiable individuals, but we must ask ourselves "whether individuals can be identified from the data" rather than "whether we know how to identify them". We need to look at determinability broadly - whether it is possible, whether other entities have the knowledge, capabilities and data that can lead to the determinability of data. At the same time, caution should be exercised when dealing with smaller groups (eg less than 5 people), especially when it comes to location and communication data (!), Since this is where the individual's identifiability increases dramatically. Anonymization procedures should also take into account the risk that the identification of an individual may occur even after the allegedly anonymized data of different originators have been merged into a large database. A set of data may allow for new links between them that make it possible for individuals to be identifiable, especially when the location and traffic of electronic communications are also included.

We also point out the need to differentiate between encrypted and anonymized data - proper encryption prevents unauthorized persons from becoming aware of the content, but does not mean that the data is impersonal and that identification is no longer possible. Encrypted personal data are pseudonymised personal data and thus still personal data (see Article 4, point 5 of the General Regulation), and thus not anonymous data, so that the processing of purely pseudonymised personal data also requires an appropriate legal basis. The fact that one-way thickening or encryption is used in encryption. encryption algorithms do not mean that source data can never be restored - this is especially possible if we know what kind of source data was, and even more so if the source data is specifically structured, such as. IDS or individual tax ID. The same LSMS will always generate the same encrypted value. However, finding the source data is much more difficult if we do not know what the structure of the input data was (number, word, longer text, image). If unauthorized persons get into the hands of pseudonymized personal information, it is the same as if they received raw personal data, only a little longer will be allowed to identify individuals. Really anonymous data is only obtained through the use of specific anonymization methods and techniques (such as noise addition, permutation, differentiated privacy, aggregation, k-anonymity, l-diversity and t-similarity) and not simply by encoding, encryption or other mappings 1: 1.

To help you understand anonymization techniques, the EDPB Opinion on Anonymization Techniques and Methods can be accessed at:

https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf

We recommend that you familiarize the originators and the IJS with these guidelines, if they are not already familiar with them, so that they are properly adhered to.
 
We would also like to point out that certain questions cannot be answered or answered in a non-personal way.

Such are potential questions to operators such as: "Where is the particular infected person (s) moving or moving?", "Was person A at time t in a location with or. near person B? "," What individuals were at location x at time t? "and the like. The acquisition of this kind of information, which is certainly personal data, requires the interference with the constitutionally protected databases in the traffic of electronic communications, and any such interference and the answer to such questions are also considered to be an interference with both the communication and information privacy of the individual, even if the answer is yes or no. Such questions cannot be answered without the aforementioned interventions and without the processing of personal data, for which the operators should have an adequate legal basis for the processing of the mass data of their users; j. the COVID-19 epidemic is not seen by the Information Commissioner in the current legal framework. Namely, it is an interference with the constitutionally protected right to communication privacy, which is protected by Article 37 of the Constitution of the Republic of Slovenia, which stipulates that interference with it is possible only if all constitutional conditions are cumulatively respected:
 
(1) only law can prescribe it,

(2) that pursuant to a court order

(3) fails to consider for a limited period the protection of the secrecy of letters and other media and the inviolability of human privacy,

(4) if this is necessary for the initiation or course of criminal proceedings or for the security of the State.
 
***
 
Finally, we emphasize that when processing the data you propose, it is absolutely essential to ensure that the intended processing is limited to (actually) anonymized data, and we point out that there is reasonable doubt that this may be possible for the purposes you are highlighting. .
 
In the event that the processing of the data in the manner you propose cannot be properly anonymised, we should point out that the processing requires an appropriate legal basis. Regarding the creation of potential new legal bases for data processing managed by electronic communications operators, we would like to point out that it is crucial that such measures last only for the duration of the declared epidemic, since we need to be aware that electronic communications data processing is and the processing of personal data in the constitutionally protected category under Articles 37 and 38 of the Constitution of the Republic of Slovenia, and that interferences with these rights must be limited to what is necessary in a democratic society; any emergency measures in emergency situations should not be used as a mechanism to interfere with fundamental human rights.

With respect,

Mojca Prelesnik, univ. dipl. right.,

Information Commissioner

Prepared:
Mag. Andrej Tomsic,
Deputy Information Commissione