DOI: 10.1145/3325112.3325222
research-article

Opening Privacy Sensitive Microdata Sets in Light of GDPR

Published: 18 June 2019

Abstract

To enhance the transparency, accountability and efficiency of the Dutch Ministry of Justice and Security, the ministry has set up an open data program to proactively stimulate sharing its (publicly funded) data sets with the public. Disclosure of personal data is considered one of the main threats to opening data. In this contribution we argue that, according to Dutch laws, the criminal data within the Dutch justice domain are sensitive data in GDPR terms and that the criminal data can only be opened if these sensitive data are transformed so that they contain no personal information. Subsequently, having no personal information in data sets is related to two GDPR concepts: the data being anonymous in the GDPR sense or the data being pseudonymized in the GDPR sense. These two GDPR concepts can be distinguished in our setting based on whether the data controller cannot or can revert the data protection process, respectively. (Note that the terms anonymous and pseudonymized are interpreted differently in the technical domain.) We examine realizing these GDPR concepts with Statistical Disclosure Control (SDC) technology and subsequently argue that pseudonymized data in the GDPR sense delivers better data utility than anonymous data in the GDPR sense. Finally, we present a number of consequences of adopting either of these concepts, which can inform legislators and policymakers in defining their strategy for opening privacy-sensitive microdata sets, like those pertaining to the Dutch criminal justice domain.

Cited By

  • (2021) Designing a User Interface for Improving the Usability of a Statistical Disclosure Control Tool. 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), pp. 1581-1591. DOI: 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00212. Online publication date: Sep-2021
  • (2021) WiP: A Distributed Approach for Statistical Disclosure Control Technologies. Information Systems Security, pp. 142-153. DOI: 10.1007/978-3-030-92571-0_9. Online publication date: 10-Dec-2021

Published In

dg.o '19: Proceedings of the 20th Annual International Conference on Digital Government Research
June 2019
533 pages
ISBN: 9781450372046
DOI: 10.1145/3325112
© 2019 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Criminal justice data
  2. Data protection
  3. GDPR
  4. Justice domain data
  5. Microdata
  6. Open data
  7. Privacy

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

dg.o 2019

Acceptance Rates

Overall Acceptance Rate 150 of 271 submissions, 55%

Bibliometrics

Article Metrics

  • Downloads (Last 12 months): 25
  • Downloads (Last 6 weeks): 2

Reflects downloads up to 12 Sep 2024
