Anonymisation

The anonymisation software is used to anonymise documents published by the local authority more quickly and effectively. In this way, we prevent data breaches and help to better protect the GDPR rights of data subjects.

The algorithm’s output is checked by a member of staff. The software requires the staff member to check all pages. The staff member determines whether the document has been correctly anonymised.

There is no risk of automated decision-making and the algorithm has no impact on fundamental rights, as it does not make decisions with legal consequences. It merely makes a proposal for the anonymisation of personal data. The algorithm is also used by the developer themselves, which means that errors are identified quickly. In addition, the algorithm is periodically trained. At our organisation’s request, our documents are not used to train the algorithm. If the algorithm does not perform well enough, we can make adjustments using blacklists and whitelists. A municipal employee always carries out the final check to ensure that a document has been correctly anonymised. There is a risk that staff may not carry out checks properly; we mitigate this by emphasising the importance of carefully checking the personal data identified by the algorithm. The final remaining risk is the privacy risk associated with the use of Azure. This is because Microsoft may be obliged to hand over data it processes to the US authorities under the Patriot Act. To limit these risks, the supplier has implemented ‘privacy by default’. Text sent by the API to the Azure service via synchronous or asynchronous calls may be temporarily stored by Azure for debugging purposes. However, the supplier has disabled this option, which reduces the risk. Immediately after processing by Azure, the data and the data processing records are deleted. Furthermore, the supplier is ISO 27001 certified. The risks do not outweigh the privacy benefits and the risk of inadequate anonymisation that would result from not using this software.

1. WOO 2. WDO 3. UAVG 4. WEP 5. WDO

All information contained in the uploaded documents (with the exception of the metadata) is processed by the algorithm. This may include ordinary personal data, special categories of personal data and criminal records. It may also include commercially sensitive information.

Documents are uploaded to the application by a member of staff. At that point, a copy of the original is created in the form of a PDF with a text layer, and the metadata from the original document is removed from the copy. This copy is stored on a Dutch server, where it remains for a maximum of 30 days. The text layer of the PDF is fed to the machine learning algorithm via an API. This is a Natural Language Processing algorithm (named entity recognition) from Microsoft Azure. The API returns the likely location within the analysed text where personal data is likely to occur, together with a probability score (a percentage). At that point, the text layer is immediately deleted from Azure. The probability score is used in conjunction with the supplier’s own AI models to ensure that the recognition of personal data is as accurate as possible. The models are trained using, amongst others, the following training datasets: CoNLL-2003, UD Dutch LassySmall v2.8, Dutch NER Annotations for UD LassySmall and UD Dutch Alpino v2.8. The minimum performance metrics for the accuracy of identifying personal data are as follows: Named entities (precision): 0.78, Named entities (recall): 0.76, Named entities (F-score): 0.77. Finally, a member of staff checks the document and, once they have finalised it, the data to be anonymised is permanently removed from the text layer and a black bar is inserted.