Is De-identified Information Personal Information?
Now and then, our office receives requests for review where a public body (government institution, local authority or health trustee) denied access pursuant to subsection 29(1) of The Freedom of Information and Protection of Privacy Act (FOIP), or subsection 28(1) of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) or subsection 27(1) of The Health Information Protection Act (HIPA). Therefore, I thought it may be helpful to explore if de-identified information is personal information.
To qualify as personal information, the information must: 1) be about an identifiable individual; and 2) be personal in nature. Information is about an “identifiable individual” if the individual can be identified from the information (e.g., their name is provided) or if the information, when combined with information otherwise available, could reasonably allow the individual to be identified. To be “personal in nature” requires that the information reveal something personal about the identifiable individual.
One of the most effective ways to protect the privacy of individuals is through strong de-identification. Using proper de-identification techniques and re-identification risk management procedures, remains one of the strongest and most important tools in protecting privacy.
“De-identification” is the general term for the process of removing personal information from a record or data set.
“De-identified information” is information that cannot be used to identify an individual, either directly or indirectly. Information is de-identified if it does not identify an individual, and it is not reasonably foreseeable in the circumstances that the information could be used, either alone or with other information, to identify an individual.
Subsection 2(1)(d) of HIPA defines “de-identified personal health information” as personal health information from which any information that may reasonably be expected to identify an individual has been removed. This is important as subsection 3(2)(a) of HIPA provides that HIPA does not apply to “statistical information or de-identified personal health information.”
The goal is to reduce the risk of re-identification of information once it has been de-identified. The following table shows decreasing probability of re-identification of information:
State | Description |
1. Identifiable data | The data have directly identifying variables or sufficient quasi-identifiers that can be used to identify the individual. |
2. Potentially de-identified data | Manipulations have been performed on the identifying variables but attempts to disguise the quasi-identifiers may be insufficient. The data may not be fully deidentified, partially exposed, and may represent a re-identification risk. |
3. De-identified data | An objective assessment of re-identification risk has been done and it is concluded that all directly identifying variables have been adequately manipulated and quasi-identifiers adequately disguised to ensure an acceptable level of re-identification risk. |
4. Aggregate data | These are summary data such as tables or counts, where there are no identifying variables or quasi-identifiers. |
For further explanation regarding de-identified information, please refer to our resources available on our website: IPC Guide to FOIP – Chapter 6 and IPC Guide to LA FOIP – Chapter 6.
Public bodies may find the following recent review reports issued by our office helpful on this topic:
- IPC Review Report 060-2023 – in this Review Report at paragraph [19], the Commissioner found that the “claim numbers” assigned to individuals by Saskatchewan Government Insurance (SGI) were personal information pursuant to subsection 24(1)(d) of FOIP. However, once the “claim numbers” which were assigned to particular individuals were redacted, any personal health information attached to those numbers, such as reason for doctor appointments, became de-identified information and were releasable.
- IPC Review Report 063-2023 – in this matter, the Ministry of Health denied access to a spreadsheet of 18 columns pursuant to subsections 29(1) of FOIP and 27(1) of HIPA. However, the Commissioner found that once a few columns of personal information were redacted pursuant to subsection 29(1) of FOIP, the remaining data in the spreadsheet became sufficiently de-identified, and was releasable.
Hopefully, the above will assist you in successfully de-identifying personal information or personal health information. For any questions, please contact our office at intake@oipc.sk.ca.