Data re-identification

Canopy Publishes Research at 2023 American Society of Clinical Oncology Meeting Demonstrating the Impact of ePROs in Identifying Patients at Risk of Early Treatment Discontinuation

Retrieved on: 
Wednesday, May 31, 2023

—Michael Kolodziej, MD

Key Points: 
  • The results of the multi-site study of 172 patients were selected for online publication at the American Society of Clinical Oncology (ASCO) annual meeting in Chicago, Illinois on June 2-6, 2023.
  • The study analyzed reports submitted by lung cancer patients through Canopy's ePRO platform across three community oncology practices.
  • Enable care teams to identify at-risk patients earlier: The presence of early symptoms may indicate a patient population at high risk of early treatment discontinuation.
  • Canopy presented research at the 2022 ASCO Meeting demonstrating up to 45% higher treatment persistence and a 22% reduction in ER visits and hospitalizations for patients utilizing ePROs.

Infutor Joins the Karlsgate Identity Exchange to Offer Secure Data Enhancement Services

Retrieved on: 
Tuesday, March 30, 2021

Karlsgate, a secure data collaboration company, today announced that the full suite of Infutor's industry-leading consumer identity management solutions is now accessible via Karlsgate Identity Exchange.

Key Points: 
  • Karlsgate enables companies to match and append data from Infutor without disclosure of their Personally Identifiable Information (PII).
  • We evaluated a number of options to meet this client need and Karlsgate presents a simple and elegant approach to secure data sharing with Infutor.
  • Karlsgate Identity Exchange ensures the highest level of data security and privacy compliance by using Cryptoidentity encrypted, single-use pseudonymized tokens and a distributed network architecture to match two data sets without sharing or exposing Personal Data identifiers.

Singapore’s Personal Data Protection Act Shifts Away from a Consent-Centric Framework

Retrieved on: 
Thursday, November 19, 2020


Key Points: 
  • Some of the key changes include:
    1. a shift away from the consent-centric paradigm of the previous law by adding new exceptions to consent-based processing, including legitimate interests; 
    2. the introduction of a right to data portability; 
    3. new obligations to report data breaches; and 
    4. changes in the sanctions regime to increase penalties for individuals and organizations that breach the law, including prison sentences, and to enhance the enforcement powers of the Commission. 
    • Authors: Caroline Hopland, Hunter Dorwart and Gabriela Zanfir-Fortuna
    • The Singapore Parliament passed amendments to its Personal Data Protection Act 2012 (PDPA) on November 2, 2020, making it the first comprehensive review and change of this law since its enactment in 2012, as it was announced by the Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (Commission) in Singapore.
    • The Amended Act will only enter into force once the President assents to it and a notification is published in the Government Gazette.
    • Experts expect it to come into force before the end of 2020.

    1. “Derived Personal Data”: Newly Defined and Exempted from Correction and Portability Requests

      • The Act was amended to include new definitions, such as derived personal data, and a set of definitions that are relevant in the context of the new right to data portability: user activity data, user-provided data, data porting request, and ongoing relationship.
      • Derived personal data is akin to inferred personal data as defined by the European Data Protection Board (EDPB)[1], and it refers to personal data about an individual that is derived by an organization in the course of business from other personal data about that individual or another individual in the possession or under the control of the organization.
      • In addition, similarly to the right to data portability under the EU's General Data Protection Regulation (GDPR), a porting organization is not required to transmit any derived personal data following a data portability request (see the new Twelfth Schedule).

    2. New Rules to Define “Deemed Consent” and to Shift from the Consent-Centric Framework of the PDPA

      • In addition to expanding the meaning of deemed consent, the amended PDPA (2.3.) also adds legitimate interests and business improvement purposes as downright exceptions from obtaining consent for collection, disclosure, or use of personal data.
      • Deemed Consent by Contractual Necessity to Allow Data Sharing: Section 15 of the PDPA has been modified to introduce deemed consent by contractual necessity, whose purpose is to facilitate data sharing.
      • The third organization should apply the rules as if the original organization had disclosed the personal data provided by the individual to it directly.
      • If the individual does not notify the organization within a determined period of time that they do not consent, then they will have provided valid deemed consent.
      • Some legitimate interests are specifically enumerated in the First Schedule, such as recovering a debt from an individual or paying a debt to an individual.
      • The organization must provide the individual with reasonable access to information about its collection, use or disclosure of the individual's personal data.
      • This exception is limited by data minimization requirements and by a reasonableness test.

    3. Enhanced Accountability 

      • The amendments aim to strengthen the accountability of organizations with respect to the processing of personal data.
      • Part III of the PDPA, originally titled General Rules With Respect to Protection of Personal Data, is amended to: General Rules With Respect to Protection of and Accountability For Personal Data.
      • Most notable, however, are the additional mandatory assessments for deemed consent by notification, legitimate interests, and data breaches, that create accountability measures for organizations to implement.
      • Two other requirements further highlight the amendments' aim to strengthen accountability: Preservation of Copies of Personal Data: New Section 22A, which covers access to and correction of personal data, now requires an organization who refuses an individual's request to provide the individual with their personal data that the organization possesses or controls, to preserve a copy of the personal data concerned.

    4. Introduction of a Right to Data Portability 

      • The amended PDPA introduces a right to data portability, and corresponding obligations (Sections 26F and 26J to Part VIB of the amended PDPA).
      • To this end, the amendments introduce a handful of terms such as data porting request, porting organization, and receiving organization to denote the various actors involved in the portability and transfer of data.
      • An individual may request a porting organization to directly transmit applicable data about the individual to a receiving organization.
      • The amendments regulate instances where transferring applicable data about one individual results in the transmission of personal data about another individual.
      • In addition to general portability obligations, porting organizations must preserve a complete and accurate copy of any applicable data specified in a data porting request for a prescribed period of time.
      • Finally, the updated provisions stipulate that data portability obligations apply to applicable data regardless of whether a porting organization stores, processes, or transmits data in Singapore or a country or territory outside of Singapore.

    5. Mandatory Data Breach Notification Requirements

      • New Part VIA requires an organization to assess data breaches affecting personal data in its possession or control, and to notify the Commission, as well as the affected individuals, of the occurrence of a notifiable data breach.
      • According to the amended law, a data breach results in significant harm to an individual 1) if the data breach is in relation to any prescribed personal data or class of personal data relating to the individual; or 2) in other prescribed circumstances.
      • A data breach is not notifiable when the breach relates to the unauthorized access, collection, use, disclosure, copying or modification of personal data within the organization only.
      • An organization must conduct a data breach assessment when it has reason to believe that a breach affecting personal data in its possession or control has occurred.
      • Data intermediaries, after conducting an assessment and determining a notifiable data breach occurred, are also required to notify the organization or public agency for whom they are processing the personal data.

    6. Penalties and Enforcement: Increased Fines, Personal Criminal Liability and Alternative Dispute Resolution 

    • The amended Act imposes new criminal penalties on individuals who mishandle personal information. Under the amendments, an individual may be criminally liable for three separate offenses, related in principle to security breaches and to re-identification of data sets:
      1. knowing or reckless unauthorized disclosure of personal data in the possession of an organization or public agency to another person;
      2. knowing or reckless unauthorized use of personal data in the possession of an organization or public agency that results in a gain for the individual or third party or causes harm to an individual; or
      3. knowing or reckless unauthorized re-identification of anonymized personal data in the possession of an organization or public agency.
      • Individuals found guilty of each offense could face up to a SGD 5,000 fine or two years' imprisonment, or both.
      • Apart from these offenses, the amendments increase the financial penalties on organizations for intentional or negligent breaches of the law.
      • The new regime sets maximum penalties to 10% of an organization's gross annual turnover in Singapore if its turnover exceeds SGD 10 million or SGD 1 million otherwise, whichever is higher.
      • In addition, the amendments authorize the Commission to establish alternative dispute resolution mechanisms to handle complaints brought by individuals against an organization by mediation.
      • The Commission may order a dispute resolution without the consent of the individual or the organization.

    7. Conclusions

      • The changes brought to the Personal Data Protection Act of Singapore are underlined by a shift from a consent-centric legal regime for collecting and processing personal data to accountability of organizations and risk-based processing.
      • This change, however, came as complementary to increasing individuals' control over their personal data, through the introduction of the new right to data portability, which is also a nod to the influence of the EU's GDPR over data protection and privacy laws around the world.
      • [1] See, for example, the European Data Protection Board Guidelines 8/2020 on the targeting of social media users.

India: Proposed Data Regulation Overhaul Includes New Draft Rules for Processing Non-Personal Data

    Retrieved on: 
    Friday, August 7, 2020


    Key Points: 
  • ‘Non-personal data’ has been defined in the Report as any data that is not personal data[4], or is without any personally identifiable information. This includes personal data that has been anonymized[5] and aggregated data in which individual specific events are no longer identifiable, apart from data that was never personally identifiable. The Report classifies non-personal data into:
    • Public non-personal data: collected or generated by government agencies and in execution of all publicly funded works;
    • Private non-personal data: collected by entities or persons other than the Government and includes derived or observed data collected through private efforts, through use of algorithms or proprietary knowledge; and
    • Community non-personal data that relates to any group of people that are bound by common interests and purposes, and involved in social and/or economic interactions (Community), including information collected by ride-hailing platforms, electricity units, municipal corporations, telecommunication companies and e-Commerce entities.
  • The Report contemplates three broad purposes for data sharing:
    a) Non-personal data shared for sovereign purposes may be used by the Government, regulators and law enforcement authorities, inter alia, for cyber security, crime and investigation, public health and in sectoral developments.
    b) Non-personal data shared for core public interest purposes may be used for general and community use, research and innovation, delivery of public services, policy development etc.
    c) Non-personal data shared for economic purposes may be used by business entities for research, innovation and doing business. It may also be leveraged as training data for AI/ML systems.
    • This contribution will set out the general background of data related regulatory efforts in India (1), and then it will look closely at the proposed rules for processing non-personal data: (2) its definition and classification, (3) the data localization requirement for sensitive and critical non-personal data, (4) guidance on anonymization, and (5) proposed data sharing obligations for organizations.
    • The government recognizes the need for a data governance framework to act as a catalyst for the growth of data economy in India.
    • It also makes a clarion call for a comprehensive non-personal data regulation in India, to complement the future law dedicated to personal data.
    • The Report recognizes natural persons, entities and communities to whom non-personal data (prior to anonymization or aggregation) relates as data principals and entities which undertake collection, storage and processing of non-personal data as data custodians.
    • Private non-personal data is, thus, categorized into sensitive non-personal data and critical non-personal data.
    • Sensitive personal data[6] and critical personal data[7] which have been anonymized will be considered to be sensitive non-personal data and critical non-personal data respectively.
    • The Report recommends localization of sensitive non-personal data and critical non-personal data, in line with the requirements applicable to localization[8] of sensitive personal data and critical personal data under the PDP Bill.
    • 5) Data sharing and registration obligations: The Report recognizes data businesses as a horizontal category of businesses involved in data collection and processing.
    • It also includes guiding principles for a technology architecture to digitally implement rules for data sharing, ranging from mechanisms for accessing data through data trusts, standardized data exchange processes, techniques to prevent re-identification of anonymized information and distributed storage for data security.
    • The PDP Bill may also be relevant in setting context for the forthcoming non-personal data framework, given the ability of the Government to solicit non-personal and anonymized personal data.

INVESTOR ALERT: Law Offices of Howard G. Smith Continues Its Investigation of Conn’s Inc. (CONN) on Behalf of Investors

    Retrieved on: 
    Friday, April 24, 2020

    Law Offices of Howard G. Smith continues its investigation on behalf of Conn's Inc. ("Conn's" or the "Company") (NASDAQ: CONN) investors concerning the Company and its officers' possible violations of federal securities laws.

    Key Points: 
    • On December 10, 2019, before the market opened, Conn's reported its third quarter 2020 financial results in a press release.
    • Therein, the Company reported retail revenues of $280.3 million, compared to $284.1 million in the prior year period.
    • This press release may be considered Attorney Advertising in some jurisdictions under the applicable law and ethical rules.