What you need to know about the new Regulation respecting the anonymization of personal information

Target period

Requirement

Requirement description

Before an anonymization process

Establishment of the purposes for which the anonymized information will be used (art. 3) 

Before beginning a process of anonymization, a body must establish the purposes for which it intends to use the anonymized information.

💡 An enterprise must ensure that these purposes are “serious and legitimate,” while a public body must ensure that the anonymized information will be used for “public interest purposes.” The Regulation does not clarify the scope of these terms.

Anonymization process

At all times during the anonymization process 

Supervision of anonymization process by a person qualified in the field (art. 4)

The body must ensure that the anonymization is carried out under the supervision of a person qualified in the field.

💡 To comply with this disposition, a body will have to select a professional qualified in the anonymization and protection of personal information to supervise the process. When the body’s own staff does not have the requisite expertise to supervise such a process, it should call on the services of an external provider who is qualified in the field.

At the beginning of the anonymization process

Removal of all personal information allowing the individual to be directly identified (art. 5)

The body must remove all personal information that allows the individual to be directly identified (e.g., name, social insurance number, unique identifier) from the information it intends to anonymize.

💡 Information which no longer allows the direct identification of the individual is considered de-identified information as defined by the ARPPIPS and the Access Act.

Preliminary analysis of re-identification risks (art. 5 par. 2)

The body must then conduct a preliminary analysis of the re-identification risks, with particular regards to:

• The individualization criterion, meaning the inability to isolate or distinguish a person within a dataset;
• The correlation criterion, meaning the inability to connect datasets concerning the same individual;
• The inference criterion, meaning the inability to infer personal information from other available information;
• The risks of other reasonably available information, in the public space in particular, being used to identify an individual directly or indirectly.
  
  ✍ The term “reasonably” was added to section 5 since the publication of the Draft Regulation.

💡 The individualization, correlation, and inference criteria are similar to those used by European data protection authorities, notably the CNIL in France. The resources published by these authorities can provide guidance for interpretation in the absence of formal guidelines by the CAI.

Establishment of the anonymization techniques to be used (art. 6)

On the basis of the re-identification risks identified, a body must establish the anonymization techniques to be used, which must be consistent with generally accepted best practices.

💡 Anonymization techniques: The European data protection authorities distinguish two main categories of anonymization techniques: randomization and generalization. The Regulation therefore invites bodies to identify appropriate techniques stemming from these two approaches to protect their datasets from the risks of individualization, correlation and inference.

💡 Generally accepted best practices: To date, the notion of “generally accepted best practices” is not clearly defined. Accordingly, as a precaution, bodies can refer to internationally recognized practices to anonymize personal information. For example, ISO/IEC 27559:2022.

Establishment of reasonable protection and security measures to reduce re-identification risks (art. 6)

The body must also establish reasonable protection and security measures to reduce re-identification risks.

✍ The term “reasonable” was added to section 5 following the publication of the Draft Regulation.

💡 Note that this provision echoes the obligation found under the ARPPIPS and the Access Act  for bodies that use de-identified information to take reasonable measures to limit the risk of anyone identifying a natural person using this information.

Implementation of anonymization techniques and security measures

After the implementation of anonymization techniques

Analysis of re-identification risks (art. 7)

After implementing anonymization techniques and security measures, the body must conduct an analysis of the re-identification risks of its dataset.

Elements to consider:

The body must consider the following elements during its analysis:

• The circumstances related to the anonymization of personal information, including the purposes for which the body intends to use the anonymized information;
• The nature of the information;
• The individualization criterion, the correlation criterion, and the inference criterion;
• The risks of other reasonably available information, in particular in the public space, being used to identify a person directly or indirectly; and
  
  ✍ The term “reasonably” has also been added to this paragraph, same as with section 5.
  
  
• The measures required to re-identify the persons, taking into account the efforts, resources and expertise required to implement those measures.

Results of the analysis:

The results of the analysis must show that it is, “at all times, reasonably foreseeable in the circumstances that the information produced further to a process of anonymization irreversibly no longer allows the person to be identified directly or indirectly.” The Regulation specifies that this criterion does not require demonstrating that zero risk exists. However, taking into account the above elements, the results of the analysis must show that the residual risks of re-identification are very low.

✍ The notion of residual risks has been pluralized since the publication of the Draft Regulation.

💡 Pending guidelines from the CAI on anonymization, we believe that organizations can draw from the method described by the Information and Privacy Commissioner of Ontario to quantitatively assess re-identification risks.

At the end of the anonymization process and after

Periodic assessment of anonymized information (art. 8)

The body must periodically assess the information it has anonymized to ensure that it remains anonymized.

✍ The term “periodically” replaced “regularly,” which was used in the Draft Regulation. The third paragraph that was added to section 8 provides useful clarifications on the required assessment intervals.

The body must update the latest re-identification risk analysis it conducted. The update must take into account any technological advancements that may contribute to the re-identification of a person.

The results of the analysis update must show that the anonymized information remains anonymized in accordance with the criteria provided at the second paragraph of section 7 of the Regulation. Otherwise, the information is no longer considered to be anonymized.

The intervals at which a body must conduct anonymized information assessments are determined according to the residual risks identified in the latest re-identification risk analysis conducted. 

✍ This last paragraph has been added to the final version of the Regulation.

Maintenance of an anonymization register (art. 9)

Finally, the body anonymizing personal information must record the following information in a register:

• A description of the personal information that has been anonymized;
• The purposes for which the body intends to use anonymized information;
• The anonymization techniques used and the protection and security measures established;
• The date on which the re-identification risk analysis was completed and the date on which the update was completed.  

💡 In practice, the body should designate a person responsible for maintaining the register. The register should be kept for as long as is necessary to document the body’s compliance.