How can ChildRescue protect sensitive data and how does it comply with the GDPR?
The ChildRescue Privacy and Anonymization Framework provides anonymization and pseudonymization techniques in order to protect the user profile data and data from cases of missing children. Additionally, all data that are exchanged through the ChildRescue Platform are encrypted in order to be protected from external security threats.
How can the ChildRescue Platform User be identified?
Any user that wishes to register eponymously to the ChildRescue Platform is registered via a KYC Infrastructure. A Know Your Customer Infrastructure assures the verification of the identity of each potential applicant before engaging to any transaction with her/him. Identification is a very old process and in the most common case, it involves the presentation of an official identification document (typically an id card) that is presented by the customer in person. A physical person, responsible for this operation(or an automated process) compares the visual appearance of the person to the one depicted in the picture of the id card and, if matched, confirms that the data contained in the id card are valid and the person is indeed who she/he claims to be. Accordingly, by adopting this method, ChildRescue asks the applicant for a picture of herself/himself; for the ChildRescue mobile application this can be easily done via a selfie. Then a picture of an ID is required, which typically involves taking two pictures for the two sides of the identification card. The images are uploaded in the identification database; the identification is carried out either by an automated process or by the operator, manually. The applicant is informed accordingly for the result of the identification.
Consent Form
How is that safe for the User’s data?
As aforementioned, storing and processing any kind of personal data requires the explicit consent of the data “subject” according to the GDPR, therefore, in ChildRescue platform, upon registration, the user signs a consent form. At this point, the user is clearly informed about : the identity of the data controllers and processors, the kind of personal data collected, the kind of data selected for profiling , the decision-making and statistical analysis purposes and the process that allows the data-subject to ask and be granted permission to review at any time the personal information stored, to revoke her/his consent, which will lead to the removal of their personal data from the platform within a reasonable time . Moreover, the user / data-subject will immediately be notified and requested to re-consent in case the ChildRescue makes any change to the data process, that was initially. As soon as the user signs the consent form, her/his personal data is stored by performing pseudonymisation whereas if, at any point, the consent is revoked, the user’s pseudonymised data are converted to anonymised.
Pseudonymization and anonymization
How do these procedures work for ChildRescue platform users?
The pseudonymization process is achieved by storing the pseudonymized data in an open dataset that can generally be accessed by parties in communication with ChildRescue. The re-identification data is stored in a separate database and is not publicly accessible but used and maintained by each of the data controller’s explicitly trained personnel. When re-identification is needed the pseudonymized data is transformed to the original data using these two separate databases. In case a subject is removed from the platform or a consent is revoked, the relevant re-identification data is removed from the re-identification database, and the pseudonymised data is automatically converted to anonymous data.
Anonymized security of the data is ensured by the robustness of the encryption algorithms as well as by the compliance of the dataset to the established anonymization metrics: k-anonymity, l-diversity, t-closeness and δ-presence.
Missing children case data is also pseudonymised; anonymisation in this case happens when the case is closed. Also, every interaction between the ChildRescue Platform and the user is secured and encrypted.
Pseudonyms
Can a user have a pseudonym? Or, better, be anonymous?
Pseudonyms in ChildRescue will be used to provide to the registered users the option to appear with a realistic pseudonym in the platform. Under the present process, a citizen may provide anonymous information without disclosing any personal information, not even to the call centre operators. ChildRescue will allow anonymous registration. Pseudonyms will be used in the case where the organisation and the authorities need to be able to discern the identity of the user, but the rest of the community that uses ChildRescue should not. An example of such a case is a citizen who has registered to the platform and wishes to provide evidence for an ongoing case, but feels that the knowledge that she/he provided evidence for, may endanger her/him or the case’s subject. In order to obfuscate her/his identity in evidence viewed by the ChildRescue community, the identity of the citizen may be substituted by a pseudonym that is negotiated between her/him and the ChildRescue platform.