Tuesday, April 7, 2015

NIST seeks comments on De-Identification

UPDATE: NIST published their NIST IR 8053, October 2015. This is an excellent, well-written text. I would recommend it as reading material for anyone wanting to understand the overall De-Identification space. It gets only slightly deep into technical concepts (like HIPAA Privacy Rule; k-anonymity; differential privacy; re-identification), just enough to encourage you to go to the references. I failed to get my comments in, but I am happy with the result. It still doesn't reference the IHE De-Identification Handbook.

NIST is seeking comment on De-Identification. The good news is that they have used the Healthcare ISO 25237 specification. The bad news is that they didn't reference the IHE De-Identification Handbook. Guess I have my first comment ready. De-Identification is a Process used to lower 'risk' of re-identification.

NIST IR 8053
DRAFT De-Identification of Personally Identifiable Information
NIST requests comments on an initial public draft report on NISTIR 8053, De-identification of Personally Identifiable Information. This document describes terminology, process and procedures for the removal of personally identifiable information (PII) from a variety of electronic document types.

This draft results from a NIST-initiated review of techniques that have been developed for the removal of personally identifiable information from digital documents. De-identification techniques are widely used to remove personal information from data sets to protect the privacy of the individual data subjects. In recent years many concerns have been raised that de-identification techniques are themselves not sufficient to protect personal privacy, because information remains in the data set that makes it possible to re-identify data subjects.

We are soliciting public comment for this initial draft to obtain feedback from experts in industry, academia and government that are familiar with de-identification techniques and their limitations.

Comments will be reviewed and posted on the CSRC website. We expect to publish a final report based on this round of feedback. The publication will serve as a basis for future work in de-identification and privacy in general.

Note to Reviewers:
NIST requests comments especially on the following:

    • Is the terminology that is provided consistent with current usage?
    • Since this document is about de-identification techniques, to what extent should it discuss differential privacy?
    • To what extent should this document be broadened to include a discussion of statistical disclosure limitation techniques?
    • Should the glossary be expanded? If so, please suggest words, definitions, and appropriate citations.

Please send comments to draft-nistir-deidentify@nist.gov by May 15, 2015.
Draft NISTIR 8053
Comment Template Form for Draft NISTIR 8053

References to articles I have written on De-Identification