Mortalityrating and GDPR
Previously our mortalityrating.com service processed a simple file format that included postcode, gender and date of birth alongside pension amount and commencement date for individuals in an occupational pension scheme. This combination of attributes when taken together is often capable of identifying "natural persons" in the language of the upcoming EU General Data Protection Regulation (GDPR). Some might choose to mitigate risk by deleting scheme data as soon as ratings complete. However, an alternative approach would be to perform ratings without requiring a combination of attributes that may be personally identifiable. How could such a thing be acheved?
An important observation is that a postcode does not, in and of itself, contain any personal data about an individual, and various statistics about existing postcodes are freely available in the UK. We therefore created a facility whereby a list of postcodes could be uploaded without any context and turned into numeric proxy values. These proxy values can then be used in any future rating operations. Proxy values do not map one-to-one onto postcodes and, crucially, cannot be reversed back to the original postcode values.
If a personal data obfuscation process is reversible, then under GDPR that data is considered pseudonymised. GDPR encourages pseudonymisation, but although advantageous in many ways, such data still carries re-identification risk via the reversal process, and is thus still subject to the regulation. However, where the process is not reversible and carries no reasonable risk of re-identification, then the data have been anonymised and no longer count as personal data.
Combining the effect of postcode proxies with the fact that mid-month dates of birth have no appreciable impact on rating percentages, we can create rating files with no postcodes or real dates of birth and still achieve accurate results. An example of such depersonalised data is shown below:
Is there any downside? Apart from a small amount of additional preparation, not really. One consideration is that without embedded postcodes the rating report cannot contain a postal district heatmap. For that reason our latest release allows the creation of any number of such a heatmaps from standalone files of postal districts and individual or aggregate pension amounts. An example of one we baked earlier is shown below!
Previous posts
Stopping the clock on the Poisson process
"The true nature of the Poisson distribution will become apparent only in connection with the theory of stochastic processes\(\ldots\)"
Feller (1950)
Add new comment