Watch Law Society video-Cyber Breaches through Third Parties

Australia’s privacy commissioner publishes its Digital ID regulatory strategy

5 takeaways from the Lifelabs case

Put Privacy First – Privacy Commissioner of Canada speaks about privacy risk mitigation.

Learn more about The Power of PETs: Privacy Enhancing Technologies during a panel discussion hosted by The Information and Privacy Commissioner of Ontario.

BC Commissioner issues report on how municipalities make records available. For more information check out the full news release, fact sheet, guidance document and video.

Thank you to our 800 registrants who registered for the Top of Mind webinar hosted on Jan 31. For those of you who missed the session, you can access both an English and French version of the recording here under “Top of Mind” Data Privacy Webinar 2025. Enjoy!

Blog

Is De-identified Information Personal Information?

December 21, 2023 - Deepa Pawar, Analyst

Now and then, our office receives requests for review where a public body (government institution, local authority or health trustee) denied access pursuant to subsection 29(1) of The Freedom of Information and Protection of Privacy Act (FOIP), or subsection 28(1) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) or subsection 27(1) of The Health Information Protection Act (HIPA). Therefore, I thought it may be helpful to explore if de-identified information is personal information.

To qualify as personal information, the information must: 1) be about an identifiable individual; and 2) be personal in nature. Information is about an “identifiable individual” if the individual can be identified from the information (e.g., their name is provided) or if the information, when combined with information otherwise available, could reasonably allow the individual to be identified. To be “personal in nature” requires that the information reveal something personal about the identifiable individual.

One of the most effective ways to protect the privacy of individuals is through strong de-identification. Using proper de-identification techniques and re-identification risk management procedures, remains one of the strongest and most important tools in protecting privacy.

“De-identification” is the general term for the process of removing personal information from a record or data set.

“De-identified information” is information that cannot be used to identify an individual, either directly or indirectly. Information is de-identified if it does not identify an individual, and it is not reasonably foreseeable in the circumstances that the information could be used, either alone or with other information, to identify an individual.

Subsection 2(1)(d) of HIPA defines “de-identified personal health information” as personal health information from which any information that may reasonably be expected to identify an individual has been removed. This is important as subsection 3(2)(a) of HIPA provides that HIPA does not apply to “statistical information or de-identified personal health information.”

The goal is to reduce the risk of re-identification of information once it has been de-identified. The following table shows decreasing probability of re-identification of information:

State Description
1. Identifiable data The data have directly identifying variables or sufficient quasi-identifiers that can be used to identify the individual.
2. Potentially de-identified data Manipulations have been performed on the identifying variables but attempts to disguise the quasi-identifiers may be insufficient. The data may not be fully deidentified, partially exposed, and may represent a re-identification risk.
3. De-identified data An objective assessment of re-identification risk has been done and it is concluded that all directly identifying variables have been adequately manipulated and quasi-identifiers adequately disguised to ensure an acceptable level of re-identification risk.
4. Aggregate data These are summary data such as tables or counts, where there are no identifying variables or quasi-identifiers.

For further explanation regarding de-identified information, please refer to our resources available on our website: IPC Guide to FOIP – Chapter 6 and IPC Guide to LA FOIP – Chapter 6.

Public bodies may find the following recent review reports issued by our office helpful on this topic:

  • IPC Review Report 060-2023 – in this Review Report at paragraph [19], the Commissioner found that the “claim numbers” assigned to individuals by Saskatchewan Government Insurance (SGI) were personal information pursuant to subsection 24(1)(d) of FOIP. However, once the “claim numbers” which were assigned to particular individuals were redacted, any personal health information attached to those numbers, such as reason for doctor appointments, became de-identified information and were releasable.
  • IPC Review Report 063-2023 – in this matter, the Ministry of Health denied access to a spreadsheet of 18 columns pursuant to subsections 29(1) of FOIP and 27(1) of HIPA. However, the Commissioner found that once a few columns of personal information were redacted pursuant to subsection 29(1) of FOIP, the remaining data in the spreadsheet became sufficiently de-identified, and was releasable.

Hopefully, the above will assist you in successfully de-identifying personal information or personal health information. For any questions, please contact our office at intake@oipc.sk.ca.

 

Categories: BlogTags: , ,

Back to Blog

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.