ANON: One of the technologies that people have a strong reaction to is biometrics. How can we have anonymity in a world with biometrics?

ANN CAVOUKIAN: The best way of protecting privacy in using biometrics is to give control over the use of the biometric to the individual user. For example, where the biometric is contained on a card which is read in conjunction with the individual who carries the card, and the biometric is not held in a central database, the user has more control. The biometric does not normally create anonymity, but can cut down on the extent of the privacy invasion. A biometric can be part of a system of authentication, where it is used in conjunction with other authenticators such as digital signatures. Important work is being done in cryptography to create accountable anonymity online, with a persistent anonymous relationship.

ANON: You wrote with the Dutch Data Protection Authority a ground –breaking report on Privacy Enhancing Technology, subtitled The Path to Anonymity. What has happened since you published that report?

ANN CAVOUKIAN: The Fourth Annual PETs Workshop will be held in 2004. The Workshop publishes papers on the most recent international work on Privacy Enhancing Technology, so there is continuing interest among leading scientists in work such as Identity Management Systems. There has been less interest in the development of commercial products, but IBM in Zurich has continued to develop some products such as EPAL, which will be of assistance in privacy compliance. Additionally, publications such as the Journal of Information, Law and Technology have published helpful articles about PETs.

ANON: What is the role of PETs in protecting anonymity?

ANN CAVOUKIAN: Ideally, PETs would permit user controls over personal information. Interesting work is being done in the area of continuous pseudonymity

ANON: Does current privacy legislation foster or support anonymity?

Public sector privacy acts do not explicitly foster anonymous activity. However, under the collection limitation rule of the Ontario statutes, collection of personal information must be limited to that necessary for the administration of a government institution’s lawfully authorized activity. Therefore, if the activity does not require personal information, it should not be collected. (s.38(2)) (Personal information may also be collected where expressly authorized by statute or for law enforcement.)

To some extent private sector legislation provides recognition of the importance of anonymity. For example, in Schedule 1 to PIPEDA, clause 4.5.3 (Limiting Use, Disclosure and Retention) suggests that personal information that is no longer used could be destroyed or made anonymous.

Clause 4.4.1 requires that personal information not be collected indiscriminately – the amount and type of information should be limited to that necessary for the specified purpose. If the specified purpose does not require personal information, then anonymous or anonymized data should be collected instead.

The concept of anonymity is taken further in Ontario Bill 31 – the Personal Health Information Protection Act, 2004. For example, s. 29 requires that personal information not be collected if other (anonymous) information would serve the purpose.
Further, for research purposes, a research ethics board must consider whether the research can be carried out without personal health information in identifiable form. (s. 43 (3)(a)) (a) “whether the objectives of the research can reasonably be accomplished without using the personal health information that is to be disclosed.”)
Section 45 requires that personal health information disclosed to the Minister of Health for health program analysis first be “de-identified” through a Health Data Institute.

ANON: You deal with bureaucrats all the time in your role as an independent data protection authority. Do they understand this issue do you think?

ANN CAVOUKIAN: In our view, the concept and value of anonymity is now better understood by government officials – a good example is Bill 31 above.