One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Low-risk identifiers in Access Management

Friday, February 14, 2014 - 14:07

The Information Commissioner’s analysis of the European Parliament’s amendments to the draft Data Protection Regulation discusses the wide range of information that falls within the definition of "personal data" and gives examples that seem particularly relevant to identity federations.

The Information Commissioner considers that identifiers pose a higher privacy risk if they are "interoperable". Since the examples given are names, addresses and telephone numbers, I think this refers to the range of additional uses to which such an identifier, once collected or disclosed, can be put. For example, an e-mail address may be collected as a login name, but it can also be used to send unsolicited e-mails. Using a hash function to derive a non-interoperable identifier is given as an example of how to reduce this risk. Risk is also higher for identifiers that can be used to match information about a single individual across different systems or different organisations.

The standard identifier recommended by the UK Access Management Federation, eduPersonTargetedID (ePTID), is low risk on both counts, since the normal way to generate it involves hashing both information about the user and the particular service they are accessing. It therefore prevents matching across either services or organisations, as well as having no "interoperable" uses.
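The two properties described above, a hash-derived identifier with no "interoperable" use and an identifier that cannot be matched across services, can be seen in a small targeted-identifier generator. The code below is an added illustration, not the federation's or Shibboleth's own code: it derives the opaque part of an ePTID-style identifier as an HMAC-SHA256 over the service provider's entityID and the IdP-local username, keyed with a per-IdP secret (the Shibboleth computed-ID scheme hashes the same three ingredients with its own encoding; the exact construction here is an assumption). The entityIDs, usernames and salt are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

# Constructed per-IdP secret for this example. A real deployment keeps a
# long random salt in configuration; it is what stops a service provider
# (or anyone else) from recomputing identifiers by guessing usernames.
IDP_SALT = b"constructed-example-salt-not-for-real-use"
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"  # constructed


def pairwise_id(local_user_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive the opaque part of a targeted identifier for one user at one SP.

    HMAC-SHA256 keyed with the IdP secret, over the SP's entityID and the
    IdP-local user identifier. Because the SP's entityID is an input, the
    same user gets an unrelated value at every other service. (Construction
    assumed for this example, not the federation's specification.)
    """
    msg = sp_entity_id.encode("utf-8") + b"!" + local_user_id.encode("utf-8")
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    # URL-safe base64 without padding: 32 bytes -> 43 characters
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def eptid(local_user_id: str, sp_entity_id: str) -> str:
    """Scalar 'idp!sp!opaque' form in which ePTID values are commonly written.

    The value carries the two scopes and an opaque string only; nothing in it
    can be used as a login name, e-mail address or other 'interoperable' key.
    """
    return f"{IDP_ENTITY_ID}!{sp_entity_id}!{pairwise_id(local_user_id, sp_entity_id)}"


def identifiers_for_service(users: List[str], sp_entity_id: str) -> Dict[str, str]:
    """Map each local user to the identifier that one SP would receive."""
    return {user: pairwise_id(user, sp_entity_id) for user in users}


def shared_identifiers(users: List[str], sp_a: str, sp_b: str) -> int:
    """Count identifier values that appear in both SPs' views of the same users.

    Zero means the two services cannot match their records by identifier
    alone, which is the cross-service matching risk the text discusses.
    """
    ids_a = set(identifiers_for_service(users, sp_a).values())
    ids_b = set(identifiers_for_service(users, sp_b).values())
    return len(ids_a & ids_b)


def demo() -> dict:
    """Exercise the generator on constructed users and two constructed SPs."""
    users = ["alice", "bob", "carol"]  # constructed local usernames
    sp_library = "https://library.example.org/shibboleth"
    sp_journals = "https://journals.example.com/sp"
    return {
        # same user, same service: the identifier is stable across logins
        "stable": pairwise_id("alice", sp_library) == pairwise_id("alice", sp_library),
        # one service still sees a distinct identifier per user
        "distinct_per_user": len(set(identifiers_for_service(users, sp_library).values())),
        # two services share no identifier values for the same user population
        "shared_between_sps": shared_identifiers(users, sp_library, sp_journals),
        # the released value does not reveal the local username
        "contains_username": "alice" in eptid("alice", sp_library),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The secret salt is the part that makes the hash non-reversible by guessing: without it, anyone holding a list of likely usernames could recompute the identifiers for a given service and undo the pseudonymisation, so the salt deserves the same protection as any other IdP signing or encryption key.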

The Information Commissioner doesn’t favour multiple categories of "personal data", "pseudonyms", etc., as proposed by the European Parliament to deal with this range of different risks. Instead he recommends a single category, with the regulatory burden on organisations being proportionate for those that use lower-risk identifiers. This should provide both an appropriate level of privacy protection and an incentive for organisations to adapt their systems and processes to use lower-risk identifiers where possible.

Interestingly, the Commissioner notes that using low-risk identifiers makes it more difficult – even impossible – to obtain verifiable consent, because the whole point of these identifiers is to prevent direct identification (or recording) of the consenting individual. It strikes me that consent management could even be seen as a form of "interoperable" additional use that creates a higher privacy risk than the processing itself requires! Instead the Information Commissioner suggests that legitimate interests will often be a more appropriate and reliable basis for processing of this type of data. Legitimate interests can provide a justification for processing so long as the processor's interests are not overridden by the fundamental rights of the individual, which, when using identifiers that are low-risk by design, is unlikely to occur. When relying on legitimate interests, users still need to be informed what their personal data will be used for, but services don’t need to insert an extra interaction to seek consent. The design of the identifier and the legal requirement to protect fundamental rights (including privacy) should give sufficient protection.