TPWG agenda for Wednesday, January 16; background reading on de-identification from Peter Swire on 2013-01-11 (public-tracking@w3.org from January 2013)

From: Peter Swire <peter@peterswire.net>
Date: Fri, 11 Jan 2013 08:48:46 -0800
To: "public-tracking@w3.org" <public-tracking@w3.org>
CC: Deven McGraw <deven@cdt.org>
Message-ID: <CD15AC9E.691F0%peter@peterswire.net>

Hello DNT folks:

In response to a question, yes there will be the usualWorking Group call on Wednesday, January 16.

The call will include a presentation on the de-identification guidelines issued by the U.S. Department of Health and Human Services in November, 2012. Deven McGraw of CDT was deeply involved in that process, and has agreed to present on that subject.

Another major 2012 document on de-identification was areport of the UK Information Commissioner Office, with guidelines for anonymisation under UK and EU law. Is there someone in the group, or known to the group, who has materials prepared on these guidelines and would be able to brief the group on them? If someone is able to do that for this Wednesday, we could do roughly half the call on each one.

Discussion below on why these documents provide good background for our discussion of delinking/de-identification.

Best,

Peter
======

Background reading on de-identification:

(1) United Kingdom, Information Commissioner’s Office, “Anonymisation: Managing Data Protection Risk Code of Practice.” (2012). This is the first code of practice on anonymisation published by an EU data protection authority.

http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation_code.ashx

(2) U.S. Department of Health and Human Services, “Guidance Regarding Methods of De-Identification of Protected Health Information in Accordance with the HIPAA Privacy Rule.” (2012).

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf

Here is an explanation for why I have selected these two documents to assist in our examination of de-identification issues. Both of them are written by established government agencies that have years of experience with de-identification. Both agencies sought and received public comments in the preparation of the reports, from a range of stakeholders.

Selection of these documents is not intended to endorse the reports or claim that their recommendations should be applied directly to Do Not Track. For the HHS report, one might assert that it is stricter than should apply to DNT, because medical data is usually considered more sensitive than advertising data. On the other hand, perhaps the HHS report is less strict than appropriate for DNT, because entities covered by the HIPAArules have comprehensive privacy obligations that do not apply to other U.S. firms. Similarly, for the ICO report, one might argue that it is stricter than appropriate for DNT, because many entities covered by DNT are not subject to the comprehensive legal regime of the EU Data Protection Directive. By contrast, one might argue that the ICO report is not as strict as appropriate. I have been told, for instance, that the Dutch approach is stricter than the ICO report, although I have not seen any document that explains the Dutch approach. If someone in the Working Group is aware of such a document, that could be helpful.

Here are two other governmental reports that provide additional background for those who wish to dig deeper:

1. Health System Use Technical Advisory Committee, “Best Practice Guidelines for Managing the Disclosure of De-Identified Health Information.” 2010. This document was drafted by a multi-stakeholder group led by Canadian federal/provincial/territorial ministries of health.

http://www.ehealthinformation.ca/documents/de-idguidelines.pdf

2. Federal Committee on Statistical Methodology, “Statistical Policy Working Paper 22, Report on Statistical Disclosure Limitation Methodology.” 2005. The U.S. government for decades has released statistical information while seeking to prevent re-identification, such as for Census results. This paper is the current inter-agency policy document for how to manage the risks of re-identification.

http://www.fcsm.gov/working-papers/SPWP22_rev.pdf

I welcome others on the WG to suggest background reading on delinking/de-identification, as we lead up to face-to-face discussion on the topic in Boston in February.

Peter

Professor Peter P. Swire
C. William O'Neill Professor of Law
Ohio State University
240.994.4142
www.peterswire.net

Received on Friday, 11 January 2013 16:49:14 UTC