Anonymization Policy

PURPOSE 

The purpose of this policy is to provide instructions on how to assess changes, updates, or enhancements of Indivds service Indivd X. To accomplish this, Indivd has established instructions on how to assess changes, updates, or enhancements and what the action will be dependant on the outcome of the assessment.

Background

This anonymization policy is focused on the management of Indivd X and the realization that changes, updates, or enhancements can affect Indivd X ability to anonymize. To ensure that changes, updates, or enhancements of Indivd X never increase the risk that Indivd X could have a reduced ability to anonymize. The objective is also to support Indivd’s board, employees, consultants, vendors, suppliers, and partners to comply with Indivd’s internal policies as well as any legal or regulatory requirement that might be applicable when installing or deploying any changes, updates, or enhancements for Indivd X.

SCOPE

This Policy applies to everybody engaged by indivd in changes, updates, or enhancements of Indivd X. This includes the board, employees, consultants, contractors, vendors, or partners.

INSTRUCTIONS FOR CHANGES, UPDATES, OR ENHANCEMENTS 

Conduct risk analysis for the changes, updates, or enhancements

A risk analysis must be conducted and documented before installation, or deployment. The risk analysis must result in the following definitions;

(a) Will reduce the anonymity for Indivd X

(b) Has the potential to reduce anonymity for Indivd X

(c) Will not reduce the anonymity for Indivd X

Actions dependant of the risk analysis

(a) Changes, updates, or enhancements that will reduce the anonymity for Indivd X: Are strictly forbidden to be installed, or deployed.

(b) Changes, updates, or enhancements that have the potential to reduce anonymity for Indivd X: Need to be sent to the Product Owner and the Head of AI which will take a majority decision on how to deal with the change, update, or enhancement before it is installed, or deployed. A 50/50 split will result in no action.

(c) Will not reduce the anonymity for Indivd X: Are allowed to be installed, or deployed.

RESPONSIBILITIES

The Product Owner and the Head of AI – responsible for conducting a risk analysis for changes, updates, and evaluate appropriate actions in each case.

The company’s managers – responsible for ensuring that all employees or consultants within the company are familiar with this policy.

Anybody engaged in Indivd X such as Indivd’s board, employees, consultants, vendors, suppliers, and partners – responsible to follow this policy.

DEFINITIONS

“Indivd X” is as described in Indivd’s Service Summary.

“Anonymization” can be assessed based on three criteria: (i) is it still possible to single out an individual, (ii) is it still possible to link records relating to an individual, and (iii) can information be inferred concerning an individual? In its opinion WP216, Working Party 29 states: “Once a dataset is truly anonymized and individuals are no longer identifiable, European data protection law no longer applies.”

“No action” means that the change, update, or enhancement will not be installed, or deployed.

“Installed” or “Deployed” means to dispatch, upload, use, install, etc. software(s) or hardware(s) on a server where Indivd X operates.

“Strictly forbidden” means that a change, update, or enhancement is not allowed to be installed or deployed.

Version: 1.1
Date: 2020-07-24