Anonymise

The anonymisation software is used to anonymise documents published by the Twente Safety Region faster and better. In this way, we prevent data leaks and contribute to better protection of the AVG rights of data subjects.

Safety region Twente increasingly has to make information public. Therefore, privacy- or business-sensitive information needs to be varnished out. Before the algorithm was deployed, varnishing was done manually, which was time-consuming and carried a significant risk of incomplete anonymisation. The advantage of anonymisation software is that anonymisation is faster and better. The disadvantage is that the text layer of the document is analysed by a Microsoft Azure server. The content is not stored on this server, so the privacy risk of using the algorithm does not outweigh the privacy benefit of reducing the number of data breaches due to improper anonymisation.

The outcome of the algorithm is checked by an employee. The clerk is required by the software to check all pages. The clerk determines whether the document is correctly anonymised.

There is no risk of automated decision-making and the algorithm has no impact on fundamental rights because the algorithm does not make decisions with legal consequences. It only suggests anonymising personal data. The algorithm is also used by the developer himself, so errors are quickly found. In addition, the algorithm is trained periodically. If the algorithm does not work well enough, we can make adjustments with black- and whitelists. The employee of Safety Region Twente always does the final check whether a document has been anonymised correctly. There is a risk that employees do not check properly; we mitigate this by paying attention to the importance of carefully checking the personal data found by the algorithm. The last remaining risk is the privacy risk of using Azure. Because Microsoft may be required to hand over data it processes to US authorities because of the Patriot Act. To mitigate these risks, the vendor has implemented privacy by default. Text sent by the API in synchronous or asynchronous calls to the Azure service may be temporarily stored by Azure for debugging. But the vendor has disabled this option. This limits the risk. Immediately after being processed by Azure, the data and data processing is deleted. Furthermore, the supplier is ISO 27001 certified. The risks do not outweigh the privacy benefits and the risk of poor anonymisation by not using this software.

1. WOO 2. WCO 3. UAVG 4. WEP 5. WDO

Safety Region Twente used xxllnc's DPIA.

What data is processed varies from one document to another. It often involves personal data such as e-mail addresses, names, phone numbers, bank account numbers, address details and signatures.

Documents are uploaded to the application by an employee. At that point, a copy is made of the original in the form of a PDF with text layer and the metadata of the original document is removed from the copy. This copy ends up on a Dutch server and remains there for a maximum of 30 days. The text layer of the PDF is offered to the machine learning algorithm through an API. This is a Natural Language Processing algorithm (named entity recognition) from Microsoft Azure. The API returns at which location in the analysed texts a personal data is likely to occur, along with the probability score (a percentage). At that point, Azure immediately removes the text layer. The probability score is used along with vendor-developed proprietary ai models to make the recognition of personal data as accurate as possible. The models are trained using, among others, the following trained datasets as CoNLL-2003, UD Dutch LassySmall v2.8, Dutch NER Annotations for UD LassySmall and UD Dutch Alpino v2.8. Minimum key figures for the accuracy of identifying personal data are as follows: Named entities (precision): 0.78, Named entities (recall): 0.76, Named entities (F-score): 0.77. Finally, a staff member checks the document and when it completes the document, the data to be anonymised is permanently removed from the text layer and a black bar is placed.