When direct identifiers are removed or pseudonymised, data subjects are no longer identifiable using only the resources available in the dataset p. 36itself. However, if an adversary brings auxiliary knowledge to the dataset, then such knowledge can provide more context to allow identifications. For instance, suppose a spreadsheet of hospital admissions is formally anonymised. Auxiliary knowledge about a particular individual of interest (for example, their age, when they entered and left hospital, etc.) may allow an adversary to single out the medical record of that individual in the dataset. Because data controllers can never know in advance what auxiliary knowledge an intruder might possess, it follows that no perfect anonymisation process is possible.
A particular type of auxiliary information is the key to a cipher. Possession of the key enables the decryption of an encrypted message.
See also: RESPONSE KNOWLEDGE
Elliot, M., Mackey, E. and O’Hara, K., 2020. The Anonymisation Decision-Making Framework: European practitioners’ guide, 2nd edition. United Kingdom Anonymisation Network, https://ukanon.net/framework/.
Narayanan, A. and Shmatikov, V., 2010. Myths and fallacies of ‘Personally Identifiable Information’. Communications of the ACM, 53(6), 24–6, https://doi.org/10.1145/1743546.1743558.
Elliot, M., Mackey, E. and O’Hara, K., 2020. The Anonymisation Decision-Making Framework: European practitioners’ guide, 2nd edition. United Kingdom Anonymisation Network, https://ukanon.net/framework/.
Narayanan, A. and Shmatikov, V., 2010. Myths and fallacies of ‘Personally Identifiable Information’. Communications of the ACM, 53(6), 24–6, https://doi.org/10.1145/1743546.1743558.