anonymization → de-identification

[DimitriPapadopoulos]

Fixes #106.

[CPernet]

@yarikoptic this merging should not happen -- de-identification is the term used by the US Health Insurance Portability and Accountability Act (HIPPA) and as such you can retain patients ID which akin to pseudonymization (to make it clear US-deidentified data as defined in HIPPA remains personal under GDPR)

by contrast anomymization as a clear-cut data status

[DimitriPapadopoulos]

@CPernet

by contrast anomymization as a clear-cut data status

The meaning of "anomymization" differs widely between the US and the EU. I'm not sure what you mean by "clear-cut data status". I do understand "de-identification" has a specific meaning under HIPAA,, but so does "anonymization" under GDPR.

I do not view the fact that de-identified data under HIPAA data remains personal data under GDPR as a problem. It's almost impossible to anonymize data under GDPR, almost any interesting data will remain personal (pseudnymized instead of anonymized) under GDPR. The idea here is precisely to pseudonymize data, not to "anonymize" data, therefore "de-identification" is the proper term.

[CPernet]

then psedonymized is the proper term, de-identified is HIPAA specific

[DimitriPapadopoulos]

To make things clear:

• "Anonymization" has a specific and very restrictive meaning meaning under GDPR:
  • Opinion 05/2014 on Anonymisation Techniques
  • AEPD-EDPS joint paper on 10 misunderstandings related to anonymisation
• On the other hand, "de-identification" under HIPAA and "pseudonymization" under GDPR are similar.
• The idea here is to "pseudonymize" or "de-identify" data, as it is often unfeasible to "anonymize" neuroimaging data in the GDPR sense.
• Hence I recommend you use the term "de-identification", as in "pseudonymization", because the term "anonymization" (as in the GDPR) is misused here.

[CPernet]

I agree with all the above :-) except 'Hence I recommend you use the term "de-identification", as in "pseudonymization", because the term "anonymization" (as in the GDPR) is misused here.' why? to be american centric?

[DimitriPapadopoulos]

I find "pseudonymization" too specific. The idea is to use a term that covers attempts to de-identify data, ranging from simple peudonymization to anonymization. The only term that comes to mind is "de-identification". I acknowledge the term has been hijacked by HIPAA to mean something specific, but that's certainbly less specific than "anonymization" under GDPR. I cannot find an alternative term to de-identification in its broad (not HIPAA) sense.

[CPernet]

ok but then we must define first de-identification to make sure people understand what you mean (I would actually copy/paste the points you made above since they are correct)

[DimitriPapadopoulos]

I totally agree. We need a glossary with some basic terms:

• de-identification (in the broad sense)
• de-identification (as in HIPAA)
• pseudonymization: may involve more than changing names to pseudonyms but I do not think the term is precisely defined
• anonymization (as in the GDPR)
• anonymization in the broad sense?

[CPernet]

what about

• anonymization: a process that involves removing sufficient
  elements so that a natural person can no longer be identified (ISO 29100:2011)
• de-identification: concept from the US Health Insurance Portability and Accountability Act (HIPPA) which does not involve irreversibility as anonymization does
• pseudonymization: is defined by GDPR as a process that removes information about identity which may or may not change the status of data from personal to anonymous (it does not for brain imaging data, because the EU court of justice indicated that the possibility of identification is enough to consider data as personal)

Unless specifically mentioned, we used here de-identification in the generic sense, meaning removing obvious features leading to identification (names, addresses, maybe facial information from MRI).

[DimitriPapadopoulos]

Yes, looks good.

Is ISO 29100:2011 equivalent to the G29 opinion on anonymization techniques? I haven't read ISO 29100:2011 as I cannot find the PDF on the web site of the ISO/IEC Information Technology Task Force.

By the way, do you have a link to this decision: the EU court of justice indicated that the possibility of identification is enough to consider data as personal?

[CPernet]

sure - case from IP address - https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2933781

[DimitriPapadopoulos]

On the other hand, Wikipedia defines "pseudonymization" as a "de-identification" procedure, hence as a subset of it:

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.^[1] A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

Perhaps we should use "de-identification" in the broad sense, as defined by Wikipedia:

De-identification is the process used to prevent someone's personal identity from being revealed. For example, data produced during human subject research might be de-identified to preserve the privacy of research participants. Biological data may be de-identified in order to comply with HIPAA regulations that define and stipulate patient privacy laws. ^[1]

[CPernet]

sure we can use that definition, I would still add that it's a concept from the US Health Insurance Portability and Accountability Act (HIPPA) which does not involve irreversibility as anonymization does

[CPernet]

don't have the ISO thing either

[DimitriPapadopoulos]

I'll add the glossary.

[DimitriPapadopoulos]

@CPernet Can you have a look at the updated merge request? I have added the glossary. Fell free to modify.

[DimitriPapadopoulos]

Here are the ISO documents:

• ISO/IEC 29100:2011 Information technology — Security techniques — Privacy framework is fully available online.
• ISO 25237:2017 Health informatics — Pseudonymization is not fully available, but we do have access to the first pages, including "3 Terms and Definitions" which actually refer to the above ISO/IEC 29100:2011.

[CPernet]

proposed to reverse for credits - the EU workshop discussed anonymization

[CPernet]

where is the glossary? couldn't not see it -- we need to define up front what we mean in the doc by de-identification and refer to the glossary