Privacy through Anonymisation
in Large-scale Socio-technical Systems
The BISON Approach
Claudia Cevenini Enrico Denti Andrea Omicini Italo Cerno
{claudia.cevenini, enrico.denti, andrea.omicini, italo.cerno}@unibo.it
Dipartimento di Informatica – Scienza e Ingegneria (DISI)
Alma Mater Studiorum – Università di Bologna
DMI, Università di Catania
Catania, Italy, 25 July 2016
Cevenini, Denti, Omicini, Cerno (UniBo) Privacy through Anonymisation DMI, Catania, 29/07/2016 1 / 38
Outline
1 Scope & Goals
2 Legal Framework
3 Socio-Legal-Technical Analysis
4 Anonymisation Process
5 Anonymisation Process in BISON
6 Conclusion & Further Work
Scope & Goals Context & Motivation
Scope and Purpose
the research focusses on contact centres (CC) as relevant examples of knowledge-intensive socio-technical systems (STS)
we discuss the multifaceted aspects of anonymisation
individual and organisational needs clash
only an accurate balancing between legal and technical aspects could possibly ensure system efficiency while preserving the individual right to privacy
we discuss first the overall legal framework, then the general theme of anonymisation in CC
we overview the technical process developed in the context of the BISON project
Scope & Goals Context & Motivation
Contact Centres as STS
Typical technology issues of CC as STS
basic speech data mining technologies with multi-language capabilities
business outcome mining from speech
CC support systems integrating both speech and business outcome mining in a user-friendly way
Scaling up to big data processing clearly scales up the privacy and data protection issues as well
Scope & Goals Context & Motivation
Goal of the Research
to assess how complex legal issues at both national and international level can be dealt with while building a complex software infrastructure for CC—both in the development and in the subsequent business phases
to investigate how complex software infrastructures for CC may be developed and marketed in full respect of the data protection legal framework
to focus on anonymisation as a fundamental concept and tool to deal with the potential conflict between opposite rights and needs, especially in the research and development phase of a large-scale, knowledge-intensive STS
Scope & Goals Context & Motivation
Law and IT: A Focal Point
Privacy vs. efficiency
the need for a suitable compromise between law-abidingness and privacy on one side and system / process efficiency on the other is a relevant goal
not just for the legal analysis
but for the whole engineering process that leads to the construction of the CC infrastructure
a potential conflict of interests should become a composition of interests
the requirement of legal compliance can be exploited as a success factor instead of a source of delays and overheads
an issue going well beyond the CC case study
Legal Framework
Data Protection Directive (DPD)
the EU Data Protection Directive (DPD, Dir 1999/95/EC) [DPD95] sets key principles for the fair and lawful processing of personal data and the technical and organisational security measures designed to guarantee that all personal data are safe from destruction, loss, alteration, unauthorised disclosure, or access during the entire data processing period
data processing requires even more care when it involves large amounts of personal and/or sensitive data
in particular, people should be able to manage the flow of their data across massive, third-party analytical systems, so as to have a transparent view of how their data will be used, or sold
data transfer outside the EU and the use of cloud services are also particularly hot topics, since non-EU countries might provide an insufficient level of protection for personal data
Legal Framework
Personal Data
What is personal data?
any information relating to a natural person who can be identified, either directly or indirectly, by reference to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity
if the link between an individual and personal data never occurred or is somehow broken and cannot be rebuilt in any way (such as with anonymised data), the DPD rules no longer apply
Legal Framework
Roles in Personal Data Processing
Data controller vs. data processor
the data controller is in charge of personal data processing and takes any related decision
e.g., selection of data to be processed, purposes and means of processing, technical and organisational security, . . .
the data processor is a legally separate entity that processes personal data on behalf of a controller, by force of a written agreement and following specific instructions
in other words, the controller processes data on its own behalf, while the processor always acts on behalf of a controller, from whom it derives its power and range of activity
for instance, a company acts as a controller in processing its own customers' data, whereas the CC entrusted with the same processing acts as a processor on behalf of the company
Legal Framework
How to Process Personal Data According to the DPD
Processing personal data
Personal data must be
processed fairly and lawfully
collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes
further processing of data for historical, statistical or scientific purposes may not be considered as incompatible, provided appropriate safeguards are in place
adequate, relevant and not excessive in relation to the purposes
accurate and, where necessary, kept up to date; inaccurate or incomplete data should be erased or rectified
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes
Legal Framework
Accountability
According to the accountability principle
data controllers must implement adequate technical and organisational measures to promote and safeguard data protection in their processing activities
controllers are responsible for the compliance of their processing operations with data protection law and should be able to demonstrate compliance with data protection provisions at any time; they should also ensure that such measures are effective
in case of larger, more complex, or high-risk data processing, the effectiveness of the measures adopted should be verified regularly, through monitoring, internal and external audits, etc.
Legal Framework
Security Measures
Technical and organisational security measures should be adopted
to protect personal data
during the whole processing period
against the risks to the integrity and confidentiality of data
The level of data security requested by the law is determined by different elements, such as
the nature (sensitive/non-sensitive) of the collected data
the concrete availability in the market of adequate security measures at the current state of the art
their cost, which should not be “disproportionate” with respect to the necessity
Legal Framework
Big Speech Data Issues I
Speech
A large-scale STS infrastructure involves speech recordings, i.e. it processes biometric data (tone, pitch, cadence, and frequency of a person's voice) that can be used to determine the identity of a person.
Legal Framework
Big Speech Data Issues II
from a data protection perspective, biometrics is linked to physical, physiological, behavioural, or even psychological characteristics of an individual, some of which may be used to reveal sensitive data
biometric data may also enable automated tracking, tracing, or profiling of persons: as such, their potential impact on privacy is high
biometric data are by nature irrevocable
→ the processing of biometric data is not only subject to the informed consent of the data subject, but may also imply authorisations/notifications from/to Data Protection Authorities, and is subject to strict rules on the security measures that must be adopted to protect data
Legal Framework
Big Speech Data Issues III
Big Data
big data analytics can involve the repurposing of personal data
if an organisation has collected personal data for one purpose and then decides to start analysing it for another one (or to make it available for others to do so), data subjects need to be informed and a new, specific consent is needed
big data may in themselves contrast with the principle of data minimisation and relevancy
the challenge for organisations is to focus on what they expect to learn or be able to do by processing big data before the beginning of processing operations, thus verifying that these serve the purpose(s) they are to be collected for, and, at the same time, that they are relevant and not excessive in relation to such aim(s)
Socio-Legal-Technical Analysis
Relevant Principles I
the current legal framework foresees a set of essential principles that should inspire the design and development of any law-abiding information system processing personal data
while some of such principles directly derive from the DPD – namely, from the “Principles relating to data quality” –, others concern the security measures that should be adopted, particularly with reference to the “Security of processing”
these principles are further strengthened and detailed in the “General Data Protection Regulation” (GDPR) [GDP16]
Socio-Legal-Technical Analysis
Relevant Principles II
Categories for principles
(a) principles about data processing
(b) principles about security measures
(c) other relevant principles
Socio-Legal-Technical Analysis
Principles of Data Processing
1 principle of lawfulness and fairness
2 principle of relevance and non-excessive use
3 principle of purpose
4 principle of accuracy
5 principle of data retention
Socio-Legal-Technical Analysis
Principles of Security Measures
1 principle of privacy by design
2 principle of appropriateness of the security measures
3 principle of privacy by default
Socio-Legal-Technical Analysis
Other Relevant Principles
1 principle of least privilege
2 principle of intentionality in performing any critical action
Socio-Legal-Technical Analysis
Technological Requirements for Anonymisation
Resulting requirements
personal data may be processed only to the extent they are needed to achieve specific purposes: whenever identifying data are not necessary, only anonymous data should be used
the DPD does not apply to data rendered anonymous such that the data subject is no longer identifiable: it does not set any prescriptive standard, nor does it describe the de-identification process, just its outcome, which is a reasonably-impossible re-identification
Anonymisation Process
How Should Data be Anonymised?
the DPD does not apply to data made anonymous in such a way that the data subject is no longer identifiable
however, it is difficult to create a truly anonymous dataset and at the same time retain all the data required for a specific (organisational) task
on the other hand, irreversibly preventing identification requires data controllers to consider all the means which may reasonably likely be used for identification, either by the controller or by a third party
Anonymisation Process
Article 29 Working Party
the Article 29 Working Party – Opinion on Anonymisation Techniques (Art. 29 WP henceforth) [Dir14] is an important reference for compliance in anonymisation issues
the criteria on which Art. 29 WP grounds its opinion on robustness focus on the possibility of
singling out an individual
linking records relating to an individual
inferring information concerning an individual.
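The three Art. 29 WP criteria can be turned into concrete checks on a data release before it leaves the controller. The following is an added example, not code from the BISON project or from the authors: it runs a singling-out, linkability and inference check over a small constructed set of call records whose direct identifiers were already removed, then shows that suppressing small groups clears the singling-out and linkability findings while an inference finding remains. The column names, every record and the EXTERNAL data set are constructed assumptions.

```python
"""Art. 29 WP robustness criteria applied to a constructed call-record release.
Added example (not part of the BISON project): singling out, linkability and
inference checks on de-identified contact-centre records."""
from collections import Counter, defaultdict

# Assumed column layout (constructed): the release keeps no names, but retains
# quasi-identifiers a third party could plausibly know about a caller, plus a
# sensitive attribute (the reason for the call).
QUASI_IDS = ("postcode", "birth_year", "gender")
SENSITIVE = "call_reason"

# Constructed sample release after removal of direct identifiers.
RELEASE = [
    {"postcode": "40126", "birth_year": 1985, "gender": "F", "call_reason": "debt"},
    {"postcode": "40126", "birth_year": 1985, "gender": "F", "call_reason": "debt"},
    {"postcode": "40126", "birth_year": 1985, "gender": "F", "call_reason": "debt"},
    {"postcode": "40127", "birth_year": 1970, "gender": "M", "call_reason": "billing"},
    {"postcode": "40127", "birth_year": 1970, "gender": "M", "call_reason": "cancel"},
    {"postcode": "95100", "birth_year": 1992, "gender": "M", "call_reason": "billing"},
]

# Constructed external data set (e.g. a CRM export) that a controller must
# assume a third party might hold when judging the means "reasonably likely
# to be used" for identification.
EXTERNAL = [
    {"name": "Alice", "postcode": "40126", "birth_year": 1985, "gender": "F"},
    {"name": "Bob", "postcode": "95100", "birth_year": 1992, "gender": "M"},
]


def qid_key(rec, cols=QUASI_IDS):
    """Quasi-identifier tuple used to group records into equivalence classes."""
    return tuple(rec[c] for c in cols)


def group_sizes(release, cols=QUASI_IDS):
    """Size of each equivalence class (the k in k-anonymity)."""
    return Counter(qid_key(r, cols) for r in release)


def singled_out(release, cols=QUASI_IDS):
    """Criterion 1 (singling out): quasi-identifier combinations held by exactly
    one record, i.e. equivalence classes of size k = 1."""
    return sorted(k for k, n in group_sizes(release, cols).items() if n == 1)


def linkable(release, external, cols=QUASI_IDS):
    """Criterion 2 (linkability): named external records that join to exactly
    one release record on the quasi-identifiers."""
    sizes = group_sizes(release, cols)
    return {e["name"]: qid_key(e, cols) for e in external
            if sizes.get(qid_key(e, cols)) == 1}


def inferable(release, cols=QUASI_IDS, sensitive=SENSITIVE):
    """Criterion 3 (inference): equivalence classes whose sensitive value is
    homogeneous. Knowing someone is in the class reveals the value even when
    the class is large enough to defeat singling out."""
    values = defaultdict(set)
    for r in release:
        values[qid_key(r, cols)].add(r[sensitive])
    return {k: next(iter(v)) for k, v in values.items() if len(v) == 1}


def suppress_small_groups(release, k=2, cols=QUASI_IDS):
    """One mitigation: drop records whose equivalence class has fewer than k
    members. Returns a new list; the input is left untouched."""
    sizes = group_sizes(release, cols)
    return [r for r in release if sizes[qid_key(r, cols)] >= k]


def assess(release, external):
    """Summarise all three criteria for a release; an empty finding means the
    release passes that criterion under the assumed external knowledge."""
    return {
        "singled_out": singled_out(release),
        "linkable": linkable(release, external),
        "inferable": inferable(release),
    }


if __name__ == "__main__":
    for label, data in (("raw", RELEASE), ("k>=2", suppress_small_groups(RELEASE))):
        print(label, assess(data, EXTERNAL))
```

On the constructed data the suppressed release still reports the "40126 / 1985 / F" class as inferable (every member called about debt), which is why k-anonymity alone does not satisfy the third criterion.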
Anonymisation Process in BISON
Anonymisation in BISON
Fundamental distinction
research phase — when software and technologies are being developed and tested, but are not yet in actual production
business phase — the subsequent, foreseeable phase, when they actually deal with real customers' data
anonymisation is seen as the fundamental tool to set the industrial research phase free from the complex requirements imposed by the Data Protection rules, given that the DPD does not apply to anonymised data
at the same time, in the business phase that will follow the research project, the tool will have to deal with real user data, in compliance with applicable laws
Anonymisation Process in BISON
The BISON Anonymisation Process: General Overview
Figure: Anonymisation during the Start-up stage and Research stage in BISON
Anonymisation Process in BISON
The BISON Anonymisation Process: Stages
in the first stage of the BISON research, anonymisation is performed mostly with manual procedures, because of the limited data size and of the initial lack of automatic tools
in the second stage, huge amounts of speech data need to be processed: automatic transcription – for all the supported languages – has to be put in place
automatic anonymisation is performed on the original audio file and may not be 100% effective
every effort should be made to reduce these errors to a minimum: the automatic anonymiser should be designed, trained, and tested according to the best available practices
the subsequent feature extraction helps to deal with this issue, because the extracted statistics make it (mostly) impossible to reconstruct the original audio file.
Anonymisation Process in BISON
Technological Requirements
the BISON tool should adhere to strict security requirements: users' roles, rights, and restrictions should be tuneable on a fine-grained basis, and be further detailed case-by-case based both on the actual needs and on the applicable national legal framework
on-the-fly anonymisation should be available to deal with the case where some unexpected personal data are heard by the CC agent
in the final state of the system (ready-to-market), users will need to be enabled to anonymise personal data whenever not needed for the specific purposes of the processing, and they should be able to do so in a highly customisable way
the key challenge from this viewpoint is also to make anonymisation future-proof both with respect to a continuously-evolving legal scenario and to technology improvement, which evolves even faster
Conclusion & Further Work
Conclusions I
the practices of contemporary software engineering have to be extended to include non-computational issues such as normative, organisational, and societal aspects
this holds in particular for large-scale STS: for instance, the law-abidingness of complex software systems including both human and software agents is quite an intricate issue, to be faced in the requirement stage of any reliable software engineering process
in this work we have specifically addressed the anonymisation of speech data in CC, discussing the need for an accurate balancing between legal and technical aspects in order to ensure system efficiency while preserving the individual right to privacy, and showing how the legal framework can actually translate into requirements for the software engineering process
Conclusion & Further Work
Conclusions II
by discussing the BISON approach, we show how the anonymisation process can be structured during the industrial research phase so as to enable the resulting system to deal with the amount of data actually required in the business operation phase
References
[Dir14] Article 29 Data Protection Working Party. Opinion 05/2014 on anonymisation techniques. 0829/14/EN WP216, 18 April 2014. http://ec.europa.eu/justice/data-protection/article-29/
[DPD95] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities, 38(L 281):31–50, 23 November 1995.
[GDP16] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (text with EEA relevance). Official Journal of the European Communities, 59(L 119):1–88, 4 May 2016.
Extras
URLs
Slides
on APICe → http://apice.unibo.it/xwiki/bin/view/Talks/BisonCatania2016
on SlideShare → http://www.slideshare.net/andreaomicini/privacy-through-anonymisation
Related paper
on APICe → http://apice.unibo.it/xwiki/bin/view/Publications/BisonInsci2016
on Springer → ?
Cevenini, Denti, Omicini, Cerno (UniBo) Privacy through Anonymisation DMI, Catania, 29/07/2016 37 / 38
Privacy through Anonymisation
in Large-scale Socio-technical Systems
The BISON Approach
Claudia Cevenini Enrico Denti Andrea Omicini Italo Cerno
{claudia.cevenini, enrico.denti, andrea.omicini, italo.cerno}@unibo.it
Dipartimento di Informatica – Scienza e Ingegneria (DISI)
Alma Mater Studiorum – Universit`a di Bologna
DMI, Universit`a di Catania
Catania, Italy, 25 July 2016
Cevenini, Denti, Omicini, Cerno (UniBo) Privacy through Anonymisation DMI, Catania, 29/07/2016 38 / 38

More Related Content

PDF
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
PDF
Information governance a_necessity_in_to
PPTX
Legal issues in technology
PDF
Research on Legal Protection of Data Rights of E Commerce Platform Operators
PDF
KLL4328
PDF
Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...
PPTX
LAK16 privacy and analytics (2016)
PDF
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
Information governance a_necessity_in_to
Legal issues in technology
Research on Legal Protection of Data Rights of E Commerce Platform Operators
KLL4328
Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...
LAK16 privacy and analytics (2016)
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...

What's hot (20)

PPTX
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
PDF
E Commerce Platform Data Ownership and Legal Protection
PDF
Relationship between data protection and m&a (1)
PPTX
Smart Data Module 5 d drive_legislation
PDF
Technology’s role in data protection – the missing link in GDPR transformation
PDF
Artificial Intelligence and Machine Learning
PDF
Protecting Patient Health Information in the HITECH Era
PDF
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
PDF
IT Security in Higher Education
PDF
delphix-wp-gdpr-for-data-masking
PDF
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
PPTX
Biometric Personal Data, Legal and Technological Utilization Issues
PDF
An overview of the Indian Data Privacy Bill
PDF
Rapid7 Report: Data Breaches in the Government Sector
PDF
Cybersecurity and Data Privacy
PPTX
Data privacy Legislation in India
PDF
Data protection for Lend.io - legal analysis by Bird and Bird
PDF
Governing the Chaos
PDF
Privacy trends 2011
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
E Commerce Platform Data Ownership and Legal Protection
Relationship between data protection and m&a (1)
Smart Data Module 5 d drive_legislation
Technology’s role in data protection – the missing link in GDPR transformation
Artificial Intelligence and Machine Learning
Protecting Patient Health Information in the HITECH Era
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
IT Security in Higher Education
delphix-wp-gdpr-for-data-masking
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Biometric Personal Data, Legal and Technological Utilization Issues
An overview of the Indian Data Privacy Bill
Rapid7 Report: Data Breaches in the Government Sector
Cybersecurity and Data Privacy
Data privacy Legislation in India
Data protection for Lend.io - legal analysis by Bird and Bird
Governing the Chaos
Privacy trends 2011
Ad

Viewers also liked (16)

PDF
ABMS in m-Health Self-Management
PDF
Game Engines to Model MAS: A Research Roadmap
PDF
Smart Augmented Fields for Emergency Operations
PDF
Self-organisation of Knowledge in Socio-technical Systems: A Coordination Per...
PDF
The TuCSoN Coordination Model & Technology. A Guide
PDF
MedM_Overview
PDF
Cartesian Perspectives - What does the future hold for the MVNO market?
PDF
Big-Data in Health Care: Patient data analyses has great potential and risks
PPTX
IoT = device + cloud. how to architect an iot solution slideshare
PPTX
Report out: IoT-based Healthcare Services
PPTX
Smart sensor technology in healthcare & protection
PDF
Medical & Healthcare IoT M2M Solutions
PPTX
IoT in Healthcare
PDF
25 Most Interesting Medical MEMS and Sensors Projects
PDF
IoT + MVNO + Health = Profit
PDF
[Infographic] How will Internet of Things (IoT) change the world as we know it?
ABMS in m-Health Self-Management
Game Engines to Model MAS: A Research Roadmap
Smart Augmented Fields for Emergency Operations
Self-organisation of Knowledge in Socio-technical Systems: A Coordination Per...
The TuCSoN Coordination Model & Technology. A Guide
MedM_Overview
Cartesian Perspectives - What does the future hold for the MVNO market?
Big-Data in Health Care: Patient data analyses has great potential and risks
IoT = device + cloud. how to architect an iot solution slideshare
Report out: IoT-based Healthcare Services
Smart sensor technology in healthcare & protection
Medical & Healthcare IoT M2M Solutions
IoT in Healthcare
25 Most Interesting Medical MEMS and Sensors Projects
IoT + MVNO + Health = Profit
[Infographic] How will Internet of Things (IoT) change the world as we know it?
Ad

Similar to Privacy through Anonymisation in Large-scale Socio-technical Systems: The BISON Approach (20)

PDF
Privacy through Anonymisation in Large-scale Socio-technical Systems: Multi-l...
PDF
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
PDF
Governance compliance
PDF
An ethical approach to data privacy protection
PDF
Christopher Millard Legally Compliant Use Of Personal Data In E Social Science
PDF
Meeting the challenges of big data
PDF
Big Data Ethics in Education and Research
PDF
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
PDF
Harnessing AI for Data Privacy through a Multidimensional Framework
PDF
Harnessing AI for Data Privacy through a Multidimensional Framework
PDF
HARNESSING AI FOR DATA PRIVACY THROUGH A MULTIDIMENSIONAL FRAMEWORK
PDF
HARNESSING AI FOR DATA PRIVACY THROUGH A MULTIDIMENSIONAL FRAMEWORK
PDF
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
PDF
Access to justice through virtual doors - Daniela Piana
PDF
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
PPTX
chapter_six_ethics and proffesionalism_new-1.pptx
PDF
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
DOCX
lgu journal of life sciences impact factorlgu journal of life sciences impact...
DOCX
journal of life and earth sciencejournal of life and earth science
DOCX
cell cellular biology and anatomical sciences
Privacy through Anonymisation in Large-scale Socio-technical Systems: Multi-l...
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
Governance compliance
An ethical approach to data privacy protection
Christopher Millard Legally Compliant Use Of Personal Data In E Social Science
Meeting the challenges of big data
Big Data Ethics in Education and Research
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
Harnessing AI for Data Privacy through a Multidimensional Framework
Harnessing AI for Data Privacy through a Multidimensional Framework
HARNESSING AI FOR DATA PRIVACY THROUGH A MULTIDIMENSIONAL FRAMEWORK
HARNESSING AI FOR DATA PRIVACY THROUGH A MULTIDIMENSIONAL FRAMEWORK
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Access to justice through virtual doors - Daniela Piana
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
chapter_six_ethics and proffesionalism_new-1.pptx
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
lgu journal of life sciences impact factorlgu journal of life sciences impact...
journal of life and earth sciencejournal of life and earth science
cell cellular biology and anatomical sciences

More from Andrea Omicini (20)

PDF
Measuring Trustworthiness in Neuro-Symbolic Integration
PDF
Explainable Pervasive Intelligence with Self-explaining Agents
PDF
On the Integration of Symbolic and Sub-symbolic – Explaining by Design
PDF
Not just for humans: Explanation for agent-to-agent communication
PDF
Blockchain for Intelligent Systems: Research Perspectives
PDF
Injecting (Micro)Intelligence in the IoT: Logic-based Approaches for (M)MAS
PDF
Conversational Informatics: From Conversational Systems to Communication Inte...
PDF
Complexity in computational systems: the coordination perspective
PDF
Nature-inspired Coordination: Current Status and Research Trends
PDF
Novel Opportunities for Tuple-based Coordination: XPath, the Blockchain, and ...
PDF
Micro-intelligence for the IoT: Teaching the Old Logic Dog New Programming Tr...
PDF
Logic Programming as a Service (LPaaS): Intelligence for the IoT
PDF
Multi-paradigm Coordination for MAS
PDF
Towards Logic Programming as a Service: Experiments in tuProlog
PDF
Spatial Multi-Agent Systems
PDF
Foundations of Multi-Agent Systems
PDF
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BISON Approach

  • 5. Scope & Goals Context & Motivation
    Contact Centres as STS
    Typical technology issues of CC as STS
    basic speech data mining technologies with multi-language capabilities
    business outcome mining from speech
    CC support systems integrating both speech and business outcome mining in a user-friendly way
    Scaling up to big data processing clearly scales up also the privacy and data protection issues
  • 6. Scope & Goals Context & Motivation
    Goal of the Research
    to assess how complex legal issues at both national and international level can be dealt with while building a complex software infrastructure for CC—both in the development and in the subsequent business phases
    to investigate how complex software infrastructures for CC may be developed and marketed in full respect of the data protection legal framework
    to focus on anonymisation as a fundamental concept and tool to deal with the potential conflict between opposing rights and needs, especially in the research and development phase of a large-scale, knowledge-intensive STS
  • 7. Scope & Goals Context & Motivation
    Law and IT: A Focal Point
    Privacy vs. efficiency
    the need for a suitable compromise between law-abidingness and privacy on the one hand and system / process efficiency on the other is a relevant goal not just for the legal analysis but for the whole engineering process that leads to the construction of the CC infrastructure
    a potential conflict of interests should become a composition of interests
    the requirement of legal compliance can be exploited as a success factor instead of a source of delays and overheads
    an issue going well beyond the CC case study
  • 8. Legal Framework
  • 9. Legal Framework
    Data Protection Directive (DPD)
    DPD
    the EU Data Protection Directive (Dir 1999/95/EC) [DPD95] sets key principles for the fair and lawful processing of personal data and the technical and organisational security measures designed to guarantee that all personal data are safe from destruction, loss, alteration, unauthorised disclosure, or access, during the entire data processing period
    data processing requires even more care when it involves large amounts of personal and/or sensitive data
    in particular, people should be able to manage the flow of their data across massive, third-party analytical systems, so as to have a transparent view of how their data will be used, or sold
    data transfer from and outside the EU and cloud services is also a particularly hot topic, since non-EU countries might provide an insufficient level of protection to personal data
  • 10. Legal Framework
    Personal Data
    What is personal data?
    any information relating to a natural person who can be identified, either directly or indirectly, by reference to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity
    if the link between an individual and personal data never existed or is somehow broken and cannot be rebuilt in any way (as with anonymised data), the DPD rules no longer apply
  • 11. Legal Framework
    Roles in Personal Data Processing
    Data controller vs. data processor
    the data controller is in charge of personal data processing and takes any related decision, e.g., selection of data to be processed, purposes and means of processing, technical and organisational security, ...
    the data processor is a legally separate entity that processes personal data on behalf of a controller, by force of a written agreement and following specific instructions
    in other words, the controller processes data on its own behalf, while the processor always acts on behalf of a controller, from whom it derives its power and range of activity
    for instance, a company acts as a controller in processing its own customers' data, whereas the CC entrusted with the same processing acts as a processor on behalf of the company
  • 12. Legal Framework
    How to Process Personal Data According to the DPD
    Processing personal data
    Personal data must be
    processed fairly and lawfully
    collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes
    further processing of data for historical, statistical or scientific purposes may not be considered as incompatible, with appropriate safeguards
    adequate, relevant and not excessive in relation to the purposes
    accurate and, where necessary, kept up to date; inaccurate or incomplete data should be erased or rectified
    kept in a form which permits identification of data subjects for no longer than is necessary for the purposes
  • 13. Legal Framework
    Accountability
    According to the accountability principle
    data controllers must implement adequate technical and organisational measures to promote and safeguard data protection in their processing activities
    controllers are responsible for the compliance of their processing operations with data protection law and should be able to demonstrate compliance with data protection provisions at any time; they should also ensure that such measures are effective
    in case of larger, more complex, or high-risk data processing, the effectiveness of the measures adopted should be verified regularly, through monitoring, internal and external audits, etc.
  • 14. Legal Framework
    Security Measures
    Technical and organisational security measures should be adopted to protect personal data during the whole processing period against the risks related to the integrity and confidentiality of data
    The level of data security requested by the law is determined by different elements, such as
    the nature (sensitive/non-sensitive) of the collected data
    the concrete availability in the market of adequate security measures at the current state of the art
    their cost, which should not be “disproportionate” with respect to the necessity
  • 15. Legal Framework
    Big Speech Data Issues I
    Speech
    A large-scale STS infrastructure involves speech recordings, i.e. it processes biometric data (tone, pitch, cadence, and frequency of a person's voice) that can be used to determine the identity of a person.
  • 16. Legal Framework
    Big Speech Data Issues II
    from a data protection perspective, biometrics is linked to physical, physiological, behavioural, or even psychological characteristics of an individual, some of which may be used to reveal sensitive data
    biometric data may also enable automated tracking, tracing, or profiling of persons: as such, their potential impact on privacy is high
    biometric data are by nature irrevocable
    → the processing of biometric data is not only subject to the informed consent of the data subject, but may also imply authorisations/notifications from/to Data Protection Authorities, and is subject to strict rules on the security measures that must be adopted to protect data
  • 17. Legal Framework
    Big Speech Data Issues III
    Big Data
    big data analytics can involve the repurposing of personal data
    if an organisation has collected personal data for one purpose and then decides to start analysing it for another one (or to make it available for others to do so), data subjects need to be informed and a new, specific consent is needed
    big data may in themselves contrast with the principle of data minimisation and relevancy
    the challenge for organisations is to focus on what they expect to learn or be able to do by processing big data before the beginning of processing operations, thus verifying that the data serve the purpose(s) they are to be collected for and, at the same time, that they are relevant and not excessive in relation to such aim(s)
  • 18. Socio-Legal-Technical Analysis
  • 19. Socio-Legal-Technical Analysis
    Relevant Principles I
    the current legal framework foresees a set of essential principles that should inspire the design and development of any law-abiding information system processing personal data
    while some of these principles directly derive from the DPD – namely, from the “Principles relating to data quality” – others concern the security measures that should be adopted, particularly with reference to the “Security of processing”
    these principles are further strengthened and detailed in the “General Data Protection Regulation” (GDPR) [GDP16]
  • 20. Socio-Legal-Technical Analysis
    Relevant Principles II
    Categories for principles
    (a) principles about data processing
    (b) principles about security measures
    (c) other relevant principles
  • 21. Socio-Legal-Technical Analysis
    Principles of Data Processing
    1 principle of lawfulness and fairness
    2 principle of relevance and non-excessive use
    3 principle of purpose
    4 principle of accuracy
    5 principle of data retention
  • 22. Socio-Legal-Technical Analysis
    Principles of Security Measures
    1 principle of privacy by design
    2 principle of appropriateness of the security measures
    3 principle of privacy by default
  • 23. Socio-Legal-Technical Analysis
    Other Relevant Principles
    1 principle of least privilege
    2 principle of intentionality in performing any critical action
  • 24. Socio-Legal-Technical Analysis
    Technological Requirements for Anonymisation
    Resulting requirements
    personal data may be processed only to the extent they are needed to achieve specific purposes: whenever identifying data are not necessary, only anonymous data should be used
    the DPD does not apply to data rendered anonymous such that the data subject is no longer identifiable: it does not set any prescriptive standard, nor does it describe the de-identification process, just its outcome, which is a reasonably-impossible re-identification
  • 25. Anonymisation Process
  • 26. Anonymisation Process
    How Should Data be Anonymised?
    the DPD does not apply to data made anonymous in such a way that the data subject is no longer identifiable
    however, it is difficult to create a truly anonymous dataset and, at the same time, to retain all the data required for a specific (organisational) task
    on the other hand, irreversibly preventing identification requires data controllers to consider all the means likely reasonably to be used for identification, either by the controller or by a third party
  • 27. Anonymisation Process
    Article 29 Working Party
    the Article 29 Working Party – Opinion on Anonymisation Techniques (Art. 29 WP henceforth) [Dir14] is an important reference for compliance in anonymisation issues
    the criteria on which Art. 29 WP grounds its opinion on robustness focus on the possibility of
    singling out an individual
    linking records relating to an individual
    inferring information concerning an individual
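The three Art. 29 WP robustness criteria above, checked over a constructed set of already-generalised contact-centre call records, with suppression shown as the mitigation for singling out (an added example, not BISON code; the field names, records and the k=2 / l=2 thresholds are assumptions):

```python
"""Check an anonymised release against the Art. 29 WP robustness criteria:
singling out, linkability and inference. Added example with constructed data;
field names, records and thresholds are assumptions, not BISON's."""
from collections import defaultdict

# Quasi-identifiers (QI) that survive anonymisation; 'topic' is the sensitive
# attribute a CC release would still need for business-outcome mining.
QI = ("age_band", "region", "language")

# Constructed release A: call records after generalising the direct identifiers.
RELEASE_A = [
    {"age_band": "30-39", "region": "north", "language": "it", "topic": "debt"},
    {"age_band": "30-39", "region": "north", "language": "it", "topic": "billing"},
    {"age_band": "40-49", "region": "south", "language": "en", "topic": "billing"},
    {"age_band": "40-49", "region": "south", "language": "en", "topic": "billing"},
    {"age_band": "50-59", "region": "centre", "language": "de", "topic": "refund"},
]
# Constructed release B: a later, separately anonymised batch on the same
# population that shares the QIs and could be joined to release A.
RELEASE_B = [
    {"age_band": "50-59", "region": "centre", "language": "de", "call_min": 17},
    {"age_band": "30-39", "region": "north", "language": "it", "call_min": 4},
]


def qi_key(rec, qi=QI):
    return tuple(rec[f] for f in qi)


def equivalence_classes(records, qi=QI):
    """Group records that are indistinguishable on their quasi-identifiers."""
    classes = defaultdict(list)
    for r in records:
        classes[qi_key(r, qi)].append(r)
    return classes


def singled_out(records, k=2, qi=QI):
    """Criterion 1: a QI combination shared by fewer than k records singles out
    an individual. Returns the offending keys (empty means k-anonymous)."""
    return [key for key, rows in equivalence_classes(records, qi).items()
            if len(rows) < k]


def linkable(release_a, release_b, qi=QI):
    """Criterion 2: keys matching exactly one record in each release let the two
    datasets be joined, combining their attributes for that person."""
    a, b = equivalence_classes(release_a, qi), equivalence_classes(release_b, qi)
    return sorted(key for key in a
                  if key in b and len(a[key]) == 1 and len(b[key]) == 1)


def inferable(records, sensitive, qi=QI):
    """Criterion 3: a class whose sensitive attribute has a single value lets
    anyone who knows the QIs infer it (l-diversity fails for l=2)."""
    return {key: rows[0][sensitive]
            for key, rows in equivalence_classes(records, qi).items()
            if len({r[sensitive] for r in rows}) == 1}


def suppress_small_classes(records, k=2, qi=QI):
    """Mitigation for criterion 1: drop records whose class has fewer than k
    members. Inference risk may remain, as assess() on the result shows."""
    classes = equivalence_classes(records, qi)
    return [r for r in records if len(classes[qi_key(r, qi)]) >= k]


def assess(records, other_release, sensitive="topic", qi=QI):
    return {"singling_out": singled_out(records, 2, qi),
            "linkability": linkable(records, other_release, qi),
            "inference": inferable(records, sensitive, qi)}


if __name__ == "__main__":
    for label, rel in (("raw", RELEASE_A), ("suppressed", suppress_small_classes(RELEASE_A))):
        print(label, assess(rel, RELEASE_B))
```

Even after suppression removes the singleton, the all-"billing" class still lets the sensitive value be inferred, which is why the three criteria have to be checked together rather than stopping at k-anonymity.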
  • 28. Anonymisation Process in BISON
  • 29. Anonymisation Process in BISON
    Anonymisation in BISON
    Fundamental distinction
    research phase — when software and technologies are being developed and tested, but are not yet in actual production
    business phase — the subsequent, foreseeable phase, when they actually deal with real customers' data
    anonymisation is seen as the fundamental tool to set the industrial research phase free from the complex requirements imposed by the Data Protection rules, given that the DPD does not apply to anonymised data
    at the same time, in the business phase that will follow the research project, the tool will have to deal with real user data, in compliance with applicable laws
  • 30. Anonymisation Process in BISON
    The BISON Anonymisation Process: General Overview
    Figure: Anonymisation during the Start-up stage and Research stage in BISON
  • 31. Anonymisation Process in BISON
    The BISON Anonymisation Process: Stages
    in the first stage of the BISON research, anonymisation is performed mostly with manual procedures, because of the limited data size and of the initial lack of automatic tools
    in the second stage, huge amounts of speech data need to be processed: automatic transcription – for all the supported languages – has to be put in place
    automatic anonymisation is performed on the original audio file and may not be 100% effective
    any effort should be made to reduce these errors to the minimum: the automatic anonymiser should be designed, trained, and tested according to the best available practices
    the subsequent feature extraction helps to deal with this issue, because the extracted statistics make it (mostly) impossible to reconstruct the original audio file
  • 32. Anonymisation Process in BISON
    Technological Requirements
    the BISON tool should adhere to strict security requirements: users' roles, rights, and restrictions should be tuneable on a fine-grained basis, and be further detailed case by case based both on the actual needs and on the applicable national legal framework
    on-the-fly anonymisation should be available to deal with the case that some unexpected personal data are heard by the CC agent
    in the final state of the system (ready-to-market), users will need to be enabled to anonymise personal data whenever not needed for the specific purposes of the processing, and they should be able to do so in a highly customisable way
    the key challenge from this viewpoint is also to make anonymisation future-proof, both with respect to a continuously-evolving legal scenario and to technology improvement, which evolves even faster
  • 33. Conclusion & Further Work
  • 34. Conclusion & Further Work
    Conclusions I
    the practices of contemporary software engineering have to be extended to include non-computational issues such as normative, organisational, and societal aspects
    this holds in particular for large-scale STS: for instance, the law-abidingness of complex software systems including both human and software agents is quite an intricate issue, to be faced in the requirements stage of any reliable software engineering process
    in this work we have specifically addressed the anonymisation of speech data in CC, discussing the need for an accurate balancing between legal and technical aspects in order to ensure system efficiency while preserving the individual right to privacy, and showing how the legal framework can actually translate into requirements for the software engineering process
  • 35. Conclusion & Further Work
    Conclusions II
    by discussing the BISON approach, we show how the anonymisation process can be structured during the industrial research phase to enable the resulting system to deal with the amount of data actually required in the business operation phase
  • 36. References
    References I
    [Dir14] Article 29 Data Protection Working Party – Opinion 05/2014 on anonymisation techniques. http://ec.europa.eu/justice/data-protection/article-29/, 18 April 2014. 0829/14/EN WP216.
    [DPD95] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities, 38(L 281):31–50, 23 November 1995.
    [GDP16] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (text with EEA relevance). Official Journal of the European Communities, 59(L 119):1–88, 4 May 2016.
  • 37. Extras
    URLs
    Slides
    on APICe → http://apice.unibo.it/xwiki/bin/view/Talks/BisonCatania2016
    on SlideShare → http://www.slideshare.net/andreaomicini/privacy-through-anonymisation
    Related paper
    on APICe → http://apice.unibo.it/xwiki/bin/view/Publications/BisonInsci2016
    on Springer → ?