De-identification is the process used to prevent someone's

personal identity Personal identity is the unique numerical identity of a person over time. Discussions regarding personal identity typically aim to determine the necessary and sufficient conditions under which a person at one time and a person at another time can ...

from being revealed. For example,

data In the pursuit of knowledge, data (; ) is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted ...

produced during human subject research might be de-identified to preserve the privacy of research participants. Biological data may be de-identified in order to comply with

HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1 ...

regulations that define and stipulate patient privacy laws. When applied to

metadata Metadata is "data that provides information about other data", but not the content of the data, such as the text of a message or the image itself. There are many distinct types of metadata, including: * Descriptive metadata – the descriptive ...

or general data about identification, the process is also known as

data anonymization Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous. Overv ...

. Common strategies include deleting or masking

personal identifier Personal Identifiers (PID) are a subset of personally identifiable information (PII) data elements, which identify an individual and can permit another person to “assume” that individual's identity without their knowledge or consent. Identi ...

s, such as

personal name A personal name, or full name, in onomastic terminology also known as prosoponym (from Ancient Greek πρόσωπον / ''prósōpon'' - person, and ὄνομα / ''onoma'' - name), is the set of names by which an individual person is known ...

, and suppressing or generalizing

quasi-identifier Quasi-identifiers are pieces of information that are not of themselves unique identifiers, but are sufficiently well correlated with an entity that they can be combined with other quasi-identifiers to create a unique identifier. Quasi-identifiers c ...

s, such as date of birth. The reverse process of using de-identified data to identify individuals is known as

data re-identification Data re-identification or de-anonymization is the practice of matching anonymous data (also known as de-identified data) with publicly available information, or auxiliary data, in order to discover the individual to which the data belong. This is ...

. Successful re-identifications cast doubt on de-identification's effectiveness. A systematic review of fourteen distinct re-identification attacks found "a high re-identification rate ��dominated by small-scale studies on data that was not de-identified according to existing standards". De-identification is adopted as one of the main approaches toward data

privacy protection Privacy engineering is an emerging field of engineering which aims to provide methodologies, tools, and techniques to ensure systems provide acceptable levels of privacy. In the US, an acceptable level of privacy is defined in terms of compliance ...

. It is commonly used in fields of communications, multimedia, biometrics,

big data Though used sometimes loosely partly because of a lack of formal definition, the interpretation that seems to best describe Big data is the one associated with large body of information that we could not comprehend when used only in smaller am ...

, cloud computing, data mining, internet, social networks, and audio–video surveillance.

Examples

In designing surveys

When surveys are conducted, such as a

census A census is the procedure of systematically acquiring, recording and calculating information about the members of a given population. This term is used mostly in connection with national population and housing censuses; other common censuses incl ...

, they collect information about a specific group of people. To encourage participation and to protect the privacy of survey respondents, the researchers attempt to design the survey in a way that when people participate in a survey, it will not be possible to match any participant's individual response(s) with any data published.

Before using information

When an online shopping website wants to know its users' preferences and shopping habits, it decides to retrieve customers' data from its database and do analysis on them. The personal data information include personal identifiers which were collected directly when customers created their accounts. The website needs to pre-handle the data through de-identification techniques before analyzing data records to avoid violating their customers' privacy.

Anonymization

Anonymization Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous. Overv ...

refers to irreversibly severing a data set from the identity of the data contributor in a study to prevent any future re-identification, even by the study organizers under any condition. De-identification may also include preserving identifying information which can only be re-linked by a trusted party in certain situations. There is a debate in the technology community on whether data that can be re-linked, even by a trusted party, should ever be considered de-identified.

Techniques

Common strategies of de-identification are masking personal identifiers and generalizing quasi-identifiers.

Pseudonymization Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced ...

is the main technique used to mask personal identifiers from data records and k-anonymization is usually adopted for generalizing quasi-identifiers.

Pseudonymization

Pseudonymization is performed by replacing real names with a temporary ID. It deletes or masks personal identifiers to make individuals unidentified. This method makes it possible to track the individual's record over time even though the record will be updated. However, it can not prevent the individual from being identified if some specific combinations of attributes in data record indirectly identify the individual.

k-anonymization

k-anonymization defines attributes that indirectly points to the individual's identity as quasi-identifiers (QIs) and deal with data by making at least ''k'' individuals have same combination of QI values. QI values are handled following specific standards. For example, the k-anonymization replaces some original data in the records with new range values and keep some values unchanged. New combination of QI values prevents the individual from being identified and also avoid destroying data records.

Applications

Research into de-identification is driven mostly for protecting

health information Health informatics is the field of science and engineering that aims at developing methods and technologies for the acquisition, processing, and study of patient data, which can come from different sources and modalities, such as electronic hea ...

. Some libraries have adopted methods used in the

healthcare industry The healthcare industry (also called the medical industry or health economy) is an aggregation and integration of sectors within the economic system that provides goods and services to treat patients with curative, preventive, rehabilitative, a ...

to preserve their readers' privacy. In

, de-identification is widely adopted by individuals and organizations. With the development of social media, e-commerce, and big data, de-identification is sometimes required and often used for

data privacy Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data pr ...

when users' personal data are collected by companies or third-party organizations who will analyze it for their own personal usage. In

smart cities A smart city is a technologically modern urban area that uses different types of electronic methods and sensors to collect specific data. Information gained from that data is used to manage assets, resources and services efficiently; in retur ...

, de-identification may be required to protect the privacy of residents, workers and visitors. Without strict regulation, de-identification may be difficult because sensors can still collect information without consent.

Limits

Whenever a person participates in

genetics Genetics is the study of genes, genetic variation, and heredity in organisms.Hartl D, Jones E (2005) It is an important branch in biology because heredity is vital to organisms' evolution. Gregor Mendel, a Moravian Augustinian friar wor ...

research, the donation of a biological specimen often results in the creation of a large amount of personalized data. Such data is uniquely difficult to de-identify. Anonymization of genetic data is particularly difficult because of the huge amount of genotypic information in biospecimens, the ties that specimens often have to medical history, and the advent of modern bioinformatics tools for data mining. There have been demonstrations that data for individuals in aggregate collections of genotypic data sets can be tied to the identities of the specimen donors. Some researchers have suggested that it is not reasonable to ever promise participants in genetics research that they can retain their anonymity, but instead, such participants should be taught the limits of using coded identifiers in a de-identification process.

De-identification laws in the United States of America

In May 2014, the

United States President's Council of Advisors on Science and Technology The President's Council of Advisors on Science and Technology (PCAST) is a council, chartered (or re-chartered) in each administration with a broad mandate to advise the president of the United States on science and technology. The current PCAST w ...

found de-identification "somewhat useful as an added safeguard" but not "a useful basis for policy" as "it is not robust against near‐term future re‐identification methods". The

Privacy Rule provides mechanisms for using and disclosing health data responsibly without the need for patient consent. These mechanisms center on two HIPAA de-identification standards – Safe Harbor and the Expert Determination Method. Safe harbor relies on the removal of specific patient identifiers (e.g. name, phone number, email address, etc.), while the Expert Determination Method requires knowledge and experience with generally accepted statistical and scientific principles and methods to render information not individually identifiable.

Safe harbor

The safe harbor method uses a list approach to de-identification and has two requirements: # The removal or generalization of 18 elements from the data. # That the Covered Entity or Business Associate does not have actual knowledge that the residual information in the data could be used alone, or in combination with other information, to identify an individual. Safe Harbor is a highly prescriptive approach to de-identification. Under this method, all dates must be generalized to year and zip codes reduced to three digits. The same approach is used on the data regardless of the context. Even if the information is to be shared with a trusted researcher who wishes to analyze the data for seasonal variations in acute respiratory cases and, thus, requires the month of hospital admission, this information cannot be provided; only the year of admission would be retained.

Expert Determination

Expert Determination takes a risk-based approach to de-identification that applies current standards and best practices from the research to determine the

likelihood The likelihood function (often simply called the likelihood) represents the probability of random variable realizations conditional on particular values of the statistical parameters. Thus, when evaluated on a given sample, the likelihood funct ...

that a person could be identified from their protected

. This method requires that a person with appropriate

knowledge Knowledge can be defined as awareness of facts or as practical skills, and may also refer to familiarity with objects or situations. Knowledge of facts, also called propositional knowledge, is often defined as true belief that is distinc ...

of and experience with generally accepted statistical and scientific principles and methods render the information not individually identifiable. It requires: # That the risk is very small that the information could be used alone, or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; # Documents the methods and results of the analysis that justify such a determination.

Research on decedents

The key law about research in

electronic health record An electronic health record (EHR) is the systematized collection of patient and population electronically stored health information in a digital format. These records can be shared across different health care settings. Records are shared throu ...

data is

Privacy Rule. This law allows use of electronic health record of deceased subjects for research (HIPAA Privacy Rule (section 164.512(i)(1)(iii))).

References

External links

*
A training series
on United States government de-identification standards

* * * {{Telemedicine navbox Information privacy Data protection Research ethics Electronic health records