The purpose of this policy is to provide instructions on how to assess changes, updates, or enhancements of Indivd's patented anonymization method. To accomplish this, Indivd has established instructions on how to assess changes, updates, or enhancements and what the action will be dependent on the outcome of the risk analysis.
Background
This anonymization policy is focused on the management of Indivds patented anonymization method (“The Method“) and the realization that changes, updates, or enhancements can affect The Method's ability to anonymize. This policy ensures that changes, updates or improvements to the Method never increase the risk that the Method may have a reduced ability to anonymize. This policy also supports Indivd's board, employees, consultants, vendors, suppliers, and partners to comply with Indivd's internal policies as well as any legal or regulatory requirement that might be applicable when installing or deploying any changes, updates, or enhancements for The Method.
Scope
This Policy applies to everybody engaged by indivd in changes, updates, or enhancements of The Method. This includes the board, employees, consultants, vendors, suppliers, and partners.
Instructions for changes, updates or enhancements
A risk analysis must be conducted and documented before installation, or deployment. The risk analysis must result in the following definitions;
- Will reduce the anonymity of The Method
- Has the potential to reduce anonymity for The Method
- Will not reduce the anonymity of The Method
Actions dependent on risk analysis
- Changes, updates, or enhancements that will reduce the anonymity of The Method: Are strictly forbidden to be installed, or deployed.
- Changes, updates, or enhancements that have the potential to reduce anonymity for The Method: Need to be sent to the Product Owner and the Head of AI which will make a majority decision on how to deal with the change, update, or enhancement before it is installed, or deployed. A 50/50 split will result in no action.
- Will not reduce the anonymity for The Method: Are allowed to be installed, or deployed.
Responsibilities
The Product Owner and the Head of AI - responsible for conducting a risk analysis for changes, and updates and evaluating appropriate actions in each case.
The company's managers - are responsible for ensuring that all employees or consultants within the company are familiar with this policy.
Anybody engaged in The Method such as Indivd's board, employees, consultants, vendors, suppliers, and partners - is responsible for following this policy.
Definitions
The Method is as described in Indivd’s Service Summary.
“Anonymization” can be assessed based on three criteria: (i) is it still possible to single out an individual, (ii) is it still possible to link records relating to an individual, and (iii) can information be inferred concerning an individual? In its opinion WP216, Working Party 29 states: “Once a dataset is truly anonymized and individuals are no longer identifiable, European data protection law no longer applies.”
“No action” means that the change, update, or enhancement will not be installed, or deployed.
“Installed” or “Deployed” means to dispatch, upload, use, install, etc. software(s) or hardware(s) on a server where The Method operates.
“Strictly forbidden” means that a change, update, or enhancement is not allowed to be installed or deployed.
Revision history
- Version 1.1: 24 July 2020 - Updated descriptions of anonymization (Author: Fredrik Amréus Hammargården)
- Version 1.0: March 21, 2020 - Initial version (Author: Fredrik Amréus Hammargården)