If the last year has taught us anything, it is to sanitize, sanitize, sanitize. You are probably sanitizing your hands, your house, everything you touch, but what about the personal information you process?
Laws and regulations increasingly require entities to sanitize, pseudonymize or anonymize the personal information that they collect or process. Other than defining and requiring sanitization, these legal requirements often neglect to inform regulated entities what sanitization encompasses.
Pseudonymization, Anonymization, and Sanitization Defined
The GDPR has introduced a multitude of data protection-related terms. Pseudonymization, anonymization, and sanitization are terms that are often used interchangeably.
According to GDPR Article 4, subsection 5, pseudonymization is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information […] to ensure that the personal data are not attributed to an identified or identifiable natural person”.
Anonymization relates to “a data processing technique that removes or modifies personally identifiable information; it results in anonymized data that cannot be associated with any one individual.” According to Google’s policies, their anonymization process “use[s] generalization to remove a portion of the data or replace some part of it with a common value.”
Similarly, sanitization relates to “the process of removing sensitive information from a document or other message (or sometimes encrypting it), so that the document may be distributed to a broader audience”. This process irreversibly removes or destroys personal information from a record, database, or memory device.
Each of the above definitions highlights that these processes make personal information unrecognizable. Once the initial purpose for processing is no longer necessary, organizations may continue to need other non-identifying information for other important purposes, such as internal metrics, continuing research, or transfer to other parties. These processes allow organizations to have access to this non-identifying information while minimizing the risk of breaching personal information.
What Must be Sanitized?
Most regulatory requirements relating to sanitization refer to specific regulated parties and specific types of information, typically within the realm of finance, medicine, or employment. As researchers continue to learn about the epidemiology of COVID-19, the next few years may also see an increase in personal information sanitization laws on the collection and transfer of health information. For example, California requires employers to keep a record of all COVID-19 cases. This requirement creates a caveat that personal identifying information be removed when medical information is made available to others.
In contrast, few laws relate to general data processors or categories of data processing. One such example is the Australian state of Victoria’s Privacy and Data Protection Act, which requires organizations to “take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.”
While current laws and regulations specify what information needs to be sanitized and who needs to sanitize it, organizations are left to determine where this information may be located. Some examples of where personal information requiring sanitization could be lurking are email, which may most easily be sanitized through encryption; personally-owned devices; old systems or databases; or information being transferred to third parties.
Creating and implementing a sanitization policy can be a good first step to mitigating your risk of a personal information breach. Sanitization policies identify persons or departments responsible for sanitization, as well as areas where personal information may be located. Sanitization policies also describe how and when to remove or modify personal information. Failure of organizations to create such policies may result in significant fines. For example, some of the first GDPR-related fines were for organizations retaining non-sanitized passwords which were later breached.
The next time you reach for your hand sanitizer, consider how your business could benefit from a sanitization policy for personal information as well. To learn more about regulatory requirements regarding personal information, contact Zasio today!
 Security Boulevard, “4 GDPR Violations that Multiple Companies have been Fined for”.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.