MétaCan
Menu
Back to cohort
Record W4405523379 · doi:10.1093/idpl/ipae017

Perspectives of Canadian privacy regulators on anonymization practices and anonymized information: a qualitative study

2024· article· en· W4405523379 on OpenAlex

Why this work is in the frame

A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.

affAt least one author lists a Canadian institution in the pinned OpenAlex snapshot.
fundA Canadian funder is recorded on the work.
aboutThe title or abstract carries a Canadian signal from the geographic lexicon.

Bibliographic record

VenueInternational Data Privacy Law · 2024
Typearticle
Languageen
FieldComputer Science
TopicPrivacy-Preserving Technologies in Data
Canadian institutionsToronto Metropolitan UniversityAgricultural Research Institute of OntarioUniversity of Ottawa
FundersCanadian Institutes of Health ResearchCanada Research ChairsDeutsche Forschungsgemeinschaft
KeywordsInternet privacyData anonymizationInformation privacyComputer scienceComputer securityBusiness

Abstract

fetched live from OpenAlex

There is a lack of precision and consistency across Canada in regulating anonymization practices, in defining anonymized information, and there is no generally accepted national guidance on how to anonymize data. This has resulted in an environment that impedes the ability to have national technical and policy solutions for anonymization, to share anonymized data across jurisdictions, and to provide certainty for organizations that operate across jurisdictions. To understand the perspectives of privacy regulators on anonymization practices and how to regulate anonymized data, we performed a qualitative interview study with 93 per cent of privacy regulators in Canada. Despite heterogeneity in perspectives, the main findings where there is consensus are: specific consent is not required for the process of anonymization, although transparency is important; proper anonymization should be ensured in a proactive way through, for example, Codes of Practice; and anonymized data should not be free of oversight. But there is variation in views on the degree of oversight needed, as well as on the need for and approaches to restrictions on the purpose for processing anonymized data. Because some fundamental anonymization issues are open to interpretation by an incumbent regulator, this increases uncertainty and results in inconsistencies across the country. Our recommendations are to implement a national Code of Practice to ensure properly anonymized data (with possible sector-specific adaptations), incentivize anonymization through reduced regulatory obligations on process and output, explicitly address key anonymization parameters in legislation and regulation, and incorporate ethical considerations into anonymization practices. Training artificial intelligence and machine learning (AIML) models requires large datasets.1 However, access to data for AIML projects has been problematic in practice. Both the US Government Accountability Office2 and the McKinsey Global Institute3 note that difficulties in accessing data for building and testing AIML models are an impediment to their adoption more broadly. A Deloitte analysis concluded that data access issues are ranked in the top three challenges faced by companies when implementing artificial intelligence (AI).4 Getting access to data is a challenge due to privacy concerns. One survey highlighted the privacy concerns of companies adopting machine learning models, with more than half of companies experienced with AIML checking for privacy issues.5 As a further example, in the case of health data, privacy concerns by patients and regulators have acted as a barrier to the sharing of health data.6 A recent review of health data infrastructure in Canada concluded that (mis)interpretations of privacy laws and a general ‘privacy chill’ incentivize risk-averse behaviour among data custodians, stifling data access.7 One approach to enable data sharing and data access is to anonymize the data. However, the regulatory definition of concepts, such as anonymization, identifiability, and personal information, as well as their translation into technical standards varies across national, sub-national, and local levels, making it difficult for organizations to determine how to assess re-identification risk and anonymize information consistently. Canada exemplifies the complex dynamics of privacy regulatory governance, reflecting the division of powers between the federal and provincial governments. Federally regulated governmental institutions and businesses are regulated by the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA also applies to provincially regulated businesses apart from Alberta, British Columbia, and Quebec. In June of 2022, the federal government introduced the Digital Charter Implementation Act, 20228 (known as Bill C-27) which, among other matters, would substantially amend PIPEDA. Outside the private sector, the landscape is even more fragmented with some provinces having separate health or employment-related privacy regulations. In addition, there are numerous privacy requirements that are within (non-privacy) sector-specific laws. The Supplementary Materials summarize the quite different ways in which the concepts of personal information, anonymization, and identifiability have been defined in these statutes for the private sector (Supplementary Table S1), health sector (Supplementary Table S2), and public sector (Supplementary Table S3). Recent opinions from the Ontario regulator9 and the federal privacy commissioner10 provide some specific examples of what are deemed to be acceptable anonymization practices, and current Canadian guidelines consist of the Ontario guidance from 201611 and the recent Quebec regulations.12 Yet, these are not aligned with each other on key parameters and are imprecise on important criteria. For example, in Ontario’s Personal Health Information Protection Act (PHIPA), anonymization is a permitted use, but not under PIPEDA. In Quebec’s private sector law anonymization must be performed according to generally accepted best practices, but not under Ontario’s PHIPA,13 and the federal privacy commissioner has argued against incorporating ‘generally accepted best practices’ in the definition of anonymization in Bill C-27.14 Furthermore, the Quebec regulations respecting the anonymization of personal information15 define three anonymization criteria modelled after an opinion from the European Article 29 Working Party on Anonymization Techniques,16 but these do not exist in other Canadian regulations: correlation, individualization, and inference. Both the current state of Canadian privacy laws and the recent amendments to PIPEDA proposed in federal Bill C-27, do not provide the country’s privacy regulators with precise and consistent direction for interpreting and applying the legislative provisions regarding anonymization. This means that the regulation of anonymization practices and anonymized information can vary by Canadian jurisdiction, which impedes the ability to: have national technical and policy solutions for anonymization, share anonymized data across these jurisdictions, and provide certainty for organizations that need to operate across jurisdictions or nationally. Such challenges are not unique to Canada and have been documented in the general literature and in non-Canadian jurisdictions.17 To understand this regulatory landscape and how Canadian privacy regulators (commissioners and ombudspersons) currently regulate anonymization practices and anonymized data, and the changes they would like to see, we conducted a qualitative interview study with them in the first quarter of 2022. These interviews aimed to collect and organize information on anonymization in general and were not explicitly tailored towards a particular sector. Based on the findings, we developed pan-Canadian anonymization recommendations that can reduce friction in using and disclosing data for secondary such as AIML For the of this we the and and their to information for which there is no in the that it be with an The and be when information, such as or are by a that have been are personal performed a qualitative study to perspectives on anonymization to access to data for secondary The highlighted the need for sharing of anonymized The study conducted the of the which ensured that the for data and the privacy concerns were also examples were from the health and private sector, the interviews were not tailored towards a specific sector. The interviews were to Canada has provinces and of which have their privacy commissioner or for the privacy The of the Privacy of Canada is the federal privacy of the privacy regulators in Canada were or through their to in the of and privacy or within Canada to the in there were in One privacy to and the 93 per cent of privacy important in a qualitative study is it a of considerations in the on on the of the and on the of on the of the is the which there is to be on the is further interviews are no or A of is by the ability to and understand the As must be to to the of the and to they a particular there is a to the of that the be to in For that this would be between and that is a of to we have it the of This is in with the The a of the as a of the and in for the and the of The interviews were conducted by and an interview developed by the The information the interview of the and each interview with general of the of the study on data as a it the that the not from the and the main the anonymization and regulating the anonymized data The interview to the the privacy have with anonymization and the of in their jurisdiction, through privacy or the process of anonymized data data and should it be regulated or in other the anonymized data be regulated or AIML models be regulated they were using personal information or anonymized The interview were the in different This to a more to recommendations on how to regulate anonymization practices and anonymized data. The of each interview between and The interviews were and an approach by to the interview data. The of the analysis to understand perspectives on the and of using anonymization to access to data for secondary and analysis were in to the interviews and a of each the conducted a analysis of the and to determine changes to the interview were required in for the be or as the we developed a that the in the data. experienced in qualitative the using an the their they their and it to to an the be or as required to the of the The results are into the unique that from the interviews to the to the from the are to or a particular of The with and of anonymization practices and anonymized data. The anonymization such as and There with such as One such where in a against and the of data for and an in on that with the privacy The that they not have case or on the of the results on anonymization in general and The of anonymized data from data is a processing of the data. this particular there Our further such processing of personal information requires or should the consent of the data The consent of the data would be the of data or data would be for consent when the data to anonymize There were perspectives on the need to consent for the of anonymization under the current The legislation it that the of is a permitted is the case under Ontario’s and no consent is A case can be that the of anonymization, which further the of the data by data, should be and the would be with that as as the anonymization best In such a consent to anonymize data is not the for which the anonymized data be or are consistent with the consent for which the no consent is a purpose is consistent or not to be on a consent is required to anonymized The opinions the However, the of were of the opinion in or there is a consensus that specific consent is not required for properly there not A of for not consent were also by some anonymization or by health would not in anonymization by on further such as The of further for the anonymized data One of the concerns by the is that public and private sector have to implement anonymization But in it difficult to ensure that they practices for anonymization. There have been examples of organizations the of data and that the data are However, the of is in and data, but it is to in that of anonymized data. The would that anonymization practices were when there is a or a that it is to have an on these practices, and there be or to the data through privacy the regulators generally that a more proactive process would be they would provide organizations with guidance on how to proper anonymization as a way to the of practices and also to the regulators in regulators further that more and than guidelines should be required to address the of that the of in that some of the should be how to do it properly that consistent that they a of the data, and of that is the key what standards to in a case or the some of the were how to ensure that these practices are and further by One approach that Codes of In the the Code of Practice for a of guidelines or that the standards and that are within a with and for The were would be explicitly by a public and would have a an implement Codes of Practice would have a or to ensure that the practices are would for proactive approach that proposed to standards with or companies that can against these of the that in the general would be of by the public to be of the a Code of for a to have a defined of it would be to would have to a it even be in the the but the to not to but what would would be in health and other is that and are checking to are the way to be having some standards and guidelines in to that a against which that process is or against a and that should be in There should be for Codes of or even regulators the of such public the federal or provincial proposed that Codes of Practice should be by that the privacy regulators would be to or they would not or the of practices, and also them as that would be a of standards were proposed to be developed through national or standards or through The would be separate from the standards and they provide these as a This is the for example, for In regulators in provinces that they do not have the to guidance have to on by the jurisdictions, or other national or guidance and the Ontario has a guidance on there are recent regulations on the anonymization of personal information from the Government of and an on has been However, there is no national guidance in in Canada. In the to the of anonymized data should be regulated on the anonymization that would be the in the for this that the anonymized data would be or for a secondary There were no specific in the between different for or such were to open data, public sector or to for there are some that are for open data, these are in the regulators that there should be a way to anonymized data. the need for regulation in of the ethical properly anonymized data do not even they are and they that some regulation of anonymized data would be But there should be some in some regulation, that a free for of are ethical in but this not and a a different deemed anonymized data to privacy there should not be obligations or on the processing of anonymized data, as it is not information To the that is there is a of and the is is that regulators should There a general consensus that such as a on to or anonymized data, are This would be as a of regulation of anonymized data. a of legislation can it for and no can it for how would against that of the of The obligations of organizations processing anonymized data should be than the obligations of organizations processing some obligations on anonymized data would be difficult to in such as and access the anonymized be to a specific In we introduced the of for anonymized data. For example, under Bill C-27, information can be to organizations an or consent it is for the of as a to anonymized data. to the on purpose should be and such as the they their concerns that and uncertainty in for anonymization. In the the would determine that particular purpose on a that concepts that are defined a of but the is consent or information the way of the purpose that would not be that data is for a different to there there should be some purpose there be some for but that would have to practices were such as to data that their information would be anonymized and how their anonymized data would be The general that transparency and a on how data are the of complex transparency that required by data but for example, on the that is to and to have no for the of that not to as not to do not that an acceptable public policy to be in by the that there is a of that the of more than The information should on the of to the is of the key concepts and that public is way of also to with the and the data they have that to is and there should be that transparency should but it to be lack of is that of are than to the The Canadian for is the Canadian policy of the three federal is a of to with this and review is for anonymized data. that do not from the three federal of the private sector, to the or a different ethical such as the for Practice by the for or the for and of by the There are also that an to with in case of for and such as Health the and in the and the European for although these would not be for the processing of anonymized data. a of such as for exemplifies a to address ethical like other has ethical by but a to ensure consistent ethical oversight of data processing and for anonymized data for in privacy regulations be the for regulators in interviews that there is a for projects the of the privacy regulations address privacy concerns and data they do not ethical The processing of anonymized data can to even they are not In this to ensure that the for processing the anonymized data are not or to the data There also the that this be where there is some oversight anonymized data, but a that for projects should be of the of obligations and also the of we need to be it from a as can that that important to be having ethical of the of this data, where in the public To have a review on is a should be it be but a with are and and are using it for or there is some or it also which is that review public would that an review would be way for an to the that their processing is and ethical but we would be that of data has to through an review AIML models are to be to that can information the in the means that sharing AIML models that were on information to different of making AIML models to the although that has been in the of the that a has information or some that can be and the to personal information, it should be as However, a machine learning on anonymized information and even an is the risk is the considerations as for anonymized data would to the can that in a way and data from a that that personal highlighted further of models but were of how and where to address them is the the is it by how we would be to to that the there consensus on key the perspectives were not and this resulted in in to the issues we were general can be from the interviews as There are different perspectives on regulating anonymized data not regulating anonymized with different on key across the country. This means that there be some jurisdictions where it be to anonymization and where this be more This is not the heterogeneity in the of personal information and information across the and across and how these as in Supplementary and Furthermore, it to be the Quebec regulation respecting the anonymization of personal and to Ontario’s Canadian privacy approach to this The between and is difficult to As in Supplementary and the is In identifiability can be as a risk have been proposed for an acceptable risk of identifiability that the of identifiability are not to the Canadian regulatory For this in the of the However, the of privacy regulations not for data that is are as that would for an processing of these data. the on the that the risk in anonymized data is not can other important by the public sector, for example, open data and can for anonymization. For national organizations that regulated in jurisdictions, the lack of consistency can a In jurisdictions across key of anonymization and are not explicitly in privacy legislation or in a of uncertainty which to and on how they are for issues where there such as the of anonymization requires this on than in legislation or regulation (with such as Ontario’s The on the interpretation by the incumbent increases the uncertainty with and for in projects anonymization. there is Canadian guidance in and the Ontario guidance in not the the Ontario and the Quebec anonymization regulations were after study and is this not of the explicitly Codes of they more and guidelines that enable a proactive or for These requirements would be by standards and Codes of that there should be a on to or anonymized data. There no opinion on what further should some regulators the that anonymized data should be for this due to the uncertainty introduced by such results in for in anonymization and have for organizations to data for and for such as transparency or were generally but were not as Based on the results of the interviews and by the of uncertainty and for the adoption of anonymization, we can the In the the Code of Practice to to an of guidelines or by privacy guidance to on proper anonymization. Such guidance would it for these to implement anonymization, provide some to regulators that anonymized data were and would the and by the to in such a would be the definition of precise for privacy and for interpreting as well as guidance on the ethical of anonymized data, such as an oversight within an for data they ability to that such practices have been through the to specific and through or of practices, would be an important in the There is currently no national Canadian privacy legislation in that to the oversight by the privacy of Codes of Practice to the anonymization of personal This would the provisions of Bill to what the of Practice and were to be However, it that the a Code of Practice they determine that the the criteria in the it for the regulators to determine the definition of of than a Code of Practice from which would be a there are a of that be to the Canadian privacy For example, the US federal health information privacy the Health and Accountability Act Privacy for of of health and The US of Health and has guidance for organizations to on the and approaches to in with the Privacy more recent guidance on anonymization by the Personal Protection an and to the There are also standards such as that have standards to the of personal the data in with the data and of a and technical for the anonymization of personal A is should such a Code of There with among Canadian some of public sector for such a Code of Practice is the that would be deemed be a approach to have Codes of Practice be sector-specific than which would enable the and of guidelines and as well as by and of be sector-specific such as standards or the other a A approach with a and tailored sector-specific the of approaches for consistency and to be developed and through a process and This it more difficult to but the more and accepted in the that are to Canadian privacy These are and in to their oversight have accepted and to anonymize personal There Canadian privacy laws that an to a to the privacy for review not address in the is and anonymization to an Code of Practice that best practices are the data have a that it would be for the obligations in statutes that to data to be reduced for properly anonymized data. This an to anonymization and their the obligations are the of how anonymization is identifiability, there would be to the to and statutes across the are not precise on some key of regulating anonymization practices and anonymized information, regulators a approach that privacy with the of using data in a However, this state of is on the incumbent the of statutes and how they are precision within the statutes certainty to organizations what the to and in this would be for of data. this means the of anonymization requires should be from the of the data the data or other and transparency the risk of be concerns re-identification and there is some risk with anonymized data, some regulators were more such as purpose or consent on the of these they For example, the and of anonymized data to or would be these are However, the uncertainty and this would also open data a data that these be properly anonymized data have there is that be more and not to the privacy of the but to the to a This can be as or In this can from where are of be health and A by British of the that information and it can also the that and are to for their by them as in some way or that are in than making them as examples of information that be to address the risk of such as per cent of or reduced per cent of in have or than per cent of are This information have been from anonymized data. In this regulators that ethical considerations are to privacy are of ethical but there is a for projects that do not explicitly within the of This should be to ensure and ethical processing of information, which be through a required and oversight or an ethical a of review can substantially to and a among privacy regulators in we a of their perspectives on recommendations that enable the of anonymization practices and the and of anonymized data in Canada. there are in the study and of it to we to the and to to information for which there is no in the that it be with an these are to different across and provinces which have to of the interview recommendations are specific to current Canadian legislation and are on interviews with Canadian regulators the the interviews were conducted and not be to other regulatory even we have the interview it is possible that we have due to the jurisdiction, and interpretation of qualitative data by but and have been by the and The of anonymized information and the process of anonymization are and on key parameters among privacy and guidelines across Canada. conducted interviews with 93 per cent of Canadian privacy regulators to understand their views on how anonymized data and anonymization currently and should some important of such as there no to consent for the of anonymization and the need for of Practice; of such as purpose on processing anonymized and of such as how to regulate AIML models on information anonymized were to the of consensus and to of and This study by the The performed in with for in Canada. would like to the privacy and in these as well as their also and were in for the Supplementary is Privacy This by from the of the Privacy of and by the Canada from Canadian of Health is by the the of the a of a from the of is the the of the Information and Privacy of

Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.

Full frame distilled prediction

Teacher imitation

Not calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.

metaresearch head score (Codex)0.001
metaresearch head score (Gemma)0.022
Version: codex-gemma-dda1882f352aValidation status: machine_predicted_unvalidated
Candidate categoriesMetaresearch, Open science
Consensus categoriesOpen science
DomainCandidate signal: none · Consensus signal: none
Study designCandidate signal: Theoretical or conceptual · Consensus signal: none
GenreCandidate signal: Empirical · Consensus signal: none
Teacher disagreement score0.596
Threshold uncertainty score0.988

Codex and Gemma teacher scores by category

CategoryCodexGemma
Metaresearch0.0010.022
Meta-epidemiology (narrow)0.0000.000
Meta-epidemiology (broad)0.0000.000
Bibliometrics0.0010.001
Science and technology studies0.0000.000
Scholarly communication0.0010.010
Open science0.0190.029
Research integrity0.0000.000
Insufficient payload (model declined to judge)0.0000.000

Machine scores (provisional)

The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.

Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.

Opus teacher head0.075
GPT teacher head0.381
Teacher spread0.306 · how far apart the two teachers sit on this one work
Validation statusscore_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it