Joint paper of the Spanish data protection authority, Agencia española de protección de datos (AEPD), and the European Data Protection Supervisor (EDPS) on hash techniques in data processing activities as a safeguard for personal data.
Read the AEPD press release (available only in Spanish).
This essay is intended for data controllers who wish to use hash techniques in their data processing activities as a safeguard for personal data pseudonymisation. The fundamentals and properties of hash techniques are presented throughout the text. Application of such techniques may sometimes entail a high risk of identifying the message generating the hash. This document analyses the sources of risk of re-identification in application of hash techniques, and establishes the need to carry out an objective analysis of this risk in order to determine whether this pseudonymisation or even anonymisation technique is appropriate. This analysis involves both the process followed and any other elements that form the hash systems, paying special attention to message entropy and to information linked or linkable to the value represented by the hash.