Work with the personal data of citizens and legal entities in Russia is regulated by law. This information belongs to its sole owner, and it may be used only with that owner's consent. Many participants in civil transactions anonymize information in order to reduce its sensitivity. In this article we look at what this procedure involves.
General information
Currently, the methods of anonymizing personal data recommended by Roskomnadzor are used. This government agency supervises and coordinates the activities of operators. The key regulatory document establishing the main methods of anonymizing personal data is Order No. 996, approved by Roskomnadzor in 2013. Special Methodological Recommendations have been drawn up for the effective implementation of these methods.
Methods of anonymization of personal data approved by Roskomnadzor
The methods and tools for processing personal information are subject to special requirements. In particular, they must have properties that allow them to be applied effectively in different software environments and to solve the tasks set for operators.
Roskomnadzor recommends the following methods of anonymizing personal data:
- Introduction of identifiers. Part of the data (certain attribute values) is replaced with special codes. A table of correspondence between the identifiers and the original information is generated at the same time.
- Changing the semantics or composition of information. As Roskomnadzor's explanations indicate, personal data is anonymized in this way by replacing it with the results of statistical conversion, generalization or processing, or by deleting part of the data.
- Decomposition. This method divides an array of information into several parts. These subsets are stored separately.
- Shuffling. This method rearranges the values of attributes, or of groups of attributes, within an array of information.
Each method yields information with a different set of properties, and the operator can apply different kinds of processing to the anonymized result. For this reason, the description of each method states the conditions under which the established requirements are met and particular properties are ensured.
It should be noted that some information-processing tasks do not require all of the properties. Statistical processing is one example. A method of anonymizing personal data is therefore effective if, in a specific situation, it provides the properties needed to solve the task at hand.
Identifier Introduction
Anonymizing personal data in this way yields information with the following properties:
- Completeness. The information by which subjects can be identified is not deleted but entered into the correspondence table.
- Structure. After anonymization, each identifier has a corresponding set of information.
- Semantic integrity. The presentation of the information remains unchanged; the information is only transferred to the table.
With a suitable procedure for selecting an identifier and the data it replaces, anonymity of the information can also be ensured. However, anonymizing personal data in this way creates the threat of attacks on the correspondence tables (directories), and increasing the amount of information does not increase the method's resistance to such attacks.
The introduction of identifiers does ensure the applicability of the information: the operator is able to process individual records, and the anonymized information as a whole, without de-anonymization.
The information obtained with this method does not have the property of relevance, because the presentation of the data replaced by codes differs between a query and the response to it.
The value of introducing identifiers
Anonymizing personal data by replacing it with special codes preserves the relationships between the attributes of the resulting information and the personal information.
The introduction of identifiers is advisable when the number of elements and the size of the array are small, since the size of the correspondence tables depends on them.
With frequent adjustments to the data, the effectiveness of the method decreases.
Changing semantics or composition
Anonymizing personal data in this way involves adjusting the attributes of the information, or deleting the part of the information that allows the subject to be identified. This method yields data with the following properties:
- Structure. After anonymization, the relationships between certain attribute values remain unchanged.
- Anonymity. Generalizing or deleting part of the information makes identification ambiguous.
Application Nuances
When selecting the components of personal data to be changed, it must be considered whether anonymization is actually achieved by changing them. If values are simply altered, only the composition of the information is adjusted, and under such conditions anonymization may not occur.
Correcting semantics and composition is advisable when it is possible and when de-anonymization is not required for the operator's tasks, because the process is irreversible: de-anonymization in such cases requires additional data.
Correcting the semantics and composition of information is also advisable when the anonymized information is used autonomously and compatibility with the data of other operators is not needed.
Decomposition
As mentioned above, this method divides an array of information attributes into several subsets. Tables are compiled that establish the relationships between them, and the records are then stored separately according to the subsets.
Decomposition yields data with the following properties:
- Completeness. It is provided by transferring information to another repository rather than deleting it.
- Structure. Links are kept between records located in different repositories, which allows the data to be matched uniquely.
- Semantic integrity. The presentation of the information and its semantics remain unchanged.
Anonymity can be ensured only if the links between the repositories are complex and protected from unauthorized access, because decomposition on its own is not resistant to indirect de-anonymization or to de-anonymization by correlating information from different repositories.
In addition, it provides:
- Relevance. Decomposition makes it possible to achieve semantic correspondence between a search query and the response to it.
- Applicability. The operator can process the information located in one repository independently, and can use the data together with other entities without de-anonymizing the entire mass of information.
Decomposition preserves within the records the relationships between the attributes of anonymized and personal data. This method is advisable when the number of elements is fairly large but their values and the composition of the information are adjusted rarely.
Shuffling
This method interchanges individual values of data elements, or of groups of elements. Shuffling yields information with the following properties:
- Completeness, since all information about the data subjects is retained.
- Structure. The relationships within the information are fully restored during de-anonymization.
- Semantic integrity.
- Relevance.
- Applicability.
Shuffling, however, does not preserve the relationships between the attributes of anonymized and personal data.
This method is advisable when the number of information elements and the size of the array are large, because the method's resistance to attacks grows as these parameters increase. Moreover, the amount of additional data depends little on the amount of information.
Shuffling is very effective for complex processing and for frequently changing attribute values.
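The four methods described in the sections above, as an added illustration that is not part of the original article or of Order No. 996: each function returns the anonymized data together with the additional (service) data, if any, that is needed to reverse it. The records, attribute names and code format are constructed assumptions.

```python
import random
import secrets

# Constructed sample records (not real persons).
RECORDS = [
    {"name": "Ivanov I.I.", "birth_year": 1984, "city": "Kazan", "diagnosis": "J06"},
    {"name": "Petrova A.S.", "birth_year": 1991, "city": "Kazan", "diagnosis": "K29"},
    {"name": "Sidorov P.P.", "birth_year": 1978, "city": "Tver", "diagnosis": "J06"},
]

def introduce_identifiers(records, attr="name"):
    """Method 1: replace attr with a random code. The returned correspondence
    table is the additional (service) data that must be stored separately."""
    table, out = {}, []
    for r in records:
        code = secrets.token_hex(4)
        table[code] = r[attr]
        out.append({**r, attr: code})
    return out, table

def restore_identifiers(anon, table, attr="name"):
    # De-anonymization is possible only with the correspondence table.
    return [{**r, attr: table[r[attr]]} for r in anon]

def generalize(records):
    """Method 2: change composition/semantics by dropping the direct identifier
    and coarsening birth_year to a decade. Irreversible without external data."""
    return [{"birth_decade": r["birth_year"] // 10 * 10, "city": r["city"],
             "diagnosis": r["diagnosis"]} for r in records]

def decompose(records):
    """Method 3: split each record into identifying and payload parts held in
    separate stores, linked only by a random key (the link table)."""
    ident, payload = {}, {}
    for r in records:
        key = secrets.token_hex(4)
        ident[key] = {"name": r["name"], "birth_year": r["birth_year"]}
        payload[key] = {"city": r["city"], "diagnosis": r["diagnosis"]}
    return ident, payload

def recompose(ident, payload):
    # Joining the two stores by key restores the original records.
    return [{**ident[k], **payload[k]} for k in ident]

def shuffle_attr(records, attr, seed):
    """Method 4: permute one attribute across records. The permutation is the
    additional data needed to undo the shuffle; the set of values is kept."""
    perm = list(range(len(records)))
    random.Random(seed).shuffle(perm)
    return [{**r, attr: records[p][attr]} for r, p in zip(records, perm)], perm

def unshuffle_attr(shuffled, attr, perm):
    # shuffled[i] holds the value that belonged to original record perm[i].
    vals = [None] * len(perm)
    for i, p in enumerate(perm):
        vals[p] = shuffled[i][attr]
    return [{**r, attr: v} for r, v in zip(shuffled, vals)]
```

Note that only generalize() discards information outright; the other three remain reversible for anyone holding the service data, which is why the article requires that data to be stored and protected separately.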
Processing anonymized information
A number of rules are binding on all operators. First of all, joint storage of anonymized and personal data is prohibited.
Information must be anonymized before it is entered into the system.
An operator may process anonymized information received from third parties.
In the course of working with information, the operator may carry out de-anonymization where necessary. The personal data obtained after this procedure must be destroyed once processed.
Work with information before anonymization and after de-anonymization must be carried out in the manner prescribed by applicable law. Information is processed using software and hardware that correspond to the form in which the data is presented and stored.
Organizations that lack qualified employees or the necessary material and technical means may work with personal information by engaging third-party entities, namely operators. These parties interact on a contractual basis. When cloud technologies are used, one operator may process the anonymized data of several such organizations.
Features of the process organization
When anonymized information is processed, the areas of responsibility of each operator, and of the entities or organizations that have entrusted it with the data, must be delineated. The algorithms implementing the procedures, and the software, should allow the information to be transferred to any hardware platform.
Additions and changes to anonymized data are made transactionally. Each such action is recorded in the corresponding log, and queries are entered into the query archive.
The subject of personal information must have access to the composition of the personal information about them held by the operator.
Additionally
Storage and protection of the additional (service) data that contains the parameters of the anonymization and de-anonymization methods and procedures is provided through the confidentiality regime established by the operator. The rules for granting users access to stored information, for backup copying and for its restoration (updating) must be observed.
Anonymization and de-anonymization should be integrated into data processing as integral elements, and their implementation should make the most efficient use of the operator's infrastructure.
Required Documentation
Operators are encouraged to develop and use in their activities documents that include:
- A description of the software and procedures used in the work.
- Instructions for anonymization and de-anonymization.
- Rules for processing anonymized information.
- The procedure for interacting with other operators.
- Instructions for protecting the additional (service) data that contains the parameters of the anonymization and de-anonymization procedures and methods.
- Operational and technical documentation included with the software.
Recommendations for operators
Persons processing anonymized information must ensure that their procedures comply with the requirements of the law and with the methods approved by Roskomnadzor, as well as with the goals and conditions of processing. Operators must also make sure that the rights of the data owners are not violated while working with the data.
If the operator processes data on behalf of a third party, it must comply with all the requirements set by that entity.