ISO/IEC 27559 — Privacy-enhancing data de-identification framework [Draft]
The standard outlines a non-prescriptive framework that can be used to identify and mitigate risks associated with re-identification of de-identified data as well as other risks associated with the lifecycle of de-identified data. This standard can help organizations de-identify (anonymize) data, build trust with data subjects, and meet compliance requirements.
The scope of the standard
The risks of re-identification are on the rise as data analytics increasingly relies on sharing and combining data sets that contain supposedly de-identified (anonymized) data. The standard provides guidance for recognizing and mitigating these risks.
The main sections include:
– Context assessment: identifying the main concerns and consequently the main requirements.
– Data assessment: understanding the data as well as possible attackers’ attempts to acquire data that exposes the privacy of individuals.
– Identifiability assessment: finding out what personal information can be gathered from available, accumulated data that has not been appropriately anonymized (individually or collectively).
– Governance: assigning roles and responsibilities to people involved in maintaining privacy, handling incidents, etc.
The project began in 2019.
Currently, it is at the 1st Committee Draft stage.
With people’s personal data increasingly being acquired and shared within and between organizations, this standard can play a valuable role in setting the ground rules for how to do so without unnecessarily compromising their privacy. Consequently, it increases the trust between the providers and purchasers of information and facilitates the process.