RE: ACTION-406: Propose a new set of names around yellow state from Rob van Eijk on 2013-05-27 (public-tracking@w3.org from May 2013)

From: Rob van Eijk <rob@blaeu.com>
Date: Mon, 27 May 2013 15:33:27 +0200
To: Shane Wiley <wileys@yahoo-inc.com>
Cc: <public-tracking@w3.org>
Message-ID: <ca01286e0147fbc5a5894023024b8303@xs4all.nl>
Shane,

It is fine to hold it off to a live engagement. For now I would like to 
add that the NAI defines de-identified as 'data that is not linked or 
reasonably linkable to an individual or to a particular
computer or device' [1].

If the NAI can, in the Code of Conduct, I do not see why you can't. 
After all, Yahoo! is one of the NAI members.

mvg::Rob


[1] page 4 of the NAI Code of Conduct URL: 
http://www.networkadvertising.org/2013_Principles.pdf.

Shane Wiley schreef op 2013-05-27 15:16:
> Rob,
> 
> So close...  Let's hold on the "partly de-identified" vs. "fully
> de-identified" discussion for a live engagement.  I believe you're
> equating "de-identified" to be equal for the most part to "unlinkable"
> from a definition perspective whereas they are slightly different to
> me.
> 
> We are indeed on the same page conceptually and simply struggling to
> use terms we both agree with so I see this as very positive.
> 
> - Shane
> 
> -----Original Message-----
> From: Rob van Eijk [mailto:rob@blaeu.com]
> Sent: Monday, May 27, 2013 6:13 AM
> To: Shane Wiley
> Cc: public-tracking@w3.org
> Subject: RE: ACTION-406: Propose a new set of names around yellow 
> state
> 
> 
> Shane,
> 
> Thanks for friendly ammendment. If you are ok with the following
> added precision, you and I have reached consensus. This way we do not
> have to get into the linguistic difference between the partly and full
> de-identified state versus the 2-step process of de-identification.
> 
> 
> (...) e.g. a partly de-identified but still linkable unique
> identifier, such as a hashed pseudonym.
> 
> 
> mvg::Rob
> 
> Shane Wiley schreef op 2013-05-27 14:39:
>> Rob,
>> 
>> I believe this well stated but am caught up on the following phrase:
>> "...MAY contain information indirectly linked to an individual,
>> computer or device, e.g. a linkable unique identifier or a hashed
>> pseudonym."  Use of a "linkable unique identifier" in this sense 
>> makes
>> it appear like  we're back in the red state.  Perhaps it would be
>> better stated as "...MAY contain information indirectly linked to an
>> individual, computer or device, e.g. a de-identified but still
>> linkable unique identifier, such as a hashed pseudonym."
>> 
>> Are you okay with that modification?
>> 
>> - Shane
>> 
>> -----Original Message-----
>> From: Rob van Eijk [mailto:rob@blaeu.com]
>> Sent: Monday, May 27, 2013 4:07 AM
>> To: public-tracking@w3.org
>> Subject: Re: ACTION-406: Propose a new set of names around yellow
>> state
>> 
>> 
>> To avoid confusion, repost as a whole (thanks Mike!):
>> 
>> 
>> For the PII definition, I use the ISO 29100 (privacy framework)
>> definition.
>> 
>> We discussed a 3 state process of de-identification at the last F2F.
>> In order to take away any confusion on the difference between partly
>> de-identified (YELLOW state) and fully de-identified (GREEN state), I
>> propose the following text:
>> 
>> <TEXT>
>> In terms of unlinkability versus de-identification it remains
>> important to seperate the two concepts:
>> - de-identification helps in the event of a data breach, when a
>> dataset is out on the street due to e.g a databreach. It is a way to
>> address the reasonable requirements of an adequate level of
>> protection.
>> - an adequate level of protection is completely different from
>> unlinkability. Unlinkability is connected to the notion of personally
>> identifieable information (PII).
>> 
>> This standard refers to the ISO 29100 (privacy framework) definition
>> of personally identifiable information (PII):
>> any information that (a) can be used to identify the PII principal to
>> whom such information relates, or (b) is or might be directly or
>> indirectly linked to a PII principal.
>> NOTE To determine whether a PII principal is identifiable, account
>> should be taken of all the means which can reasonably be used by the
>> privacy stakeholder holding the data, or by any other party, to
>> identify that natural person.
>> 
>> The RED state data may contain (a) and (b). In order to go from the
>> red state to the yellow state, direct identifiable information MUST 
>> be
>> removed, e.g. an email address or a phone number.
>> The YELLOW state data is partly de-identified, and MAY contain
>> information indirectly linked to an individual, computer or device,
>> e.g.
>> a linkable unique identifier or a hashed pseudonym.
>> The GREEN state data is fully de-identified data and SHOULD NOT
>> contain personally identifiable information (PII). Any risk for
>> re-identification of fully de-identified data MUST be regularly
>> assessed and mitigated through Privacy Risk Management.
>> </TEXT>
>> 
>> 
>> Rob van Eijk schreef op 2013-05-27 12:15:
>>> s/fully de-identified (red state)/fully de-identified (GREEN state)/
>>> 
>>> sorry for typo. Green is fully de-identified.
>>> 
>>> Rob
>>> 
>>> Rob van Eijk schreef op 2013-05-27 12:01:
>>>> For the PII definition, I use the ISO 29100 (privacy framework)
>>>> definition.
>>>> We discussed a 3 state process of de-identification at the last 
>>>> F2F.
>>>> In order to take away any confusion on the difference between 
>>>> partly
>>>> de-identified (yellow state) and fully de-identified (red state), I
>>>> propose the following text:
>>>> <TEXT>
>>>> In terms of unlinkability versus de-identification it remains
>>>> important to seperate the two concepts:
>>>> - de-identification helps in the event of a data breach, when a
>>>> dataset is out on the street due to e.g a databreach. It is a way 
>>>> to
>>>> address the reasonable requirements of an adequate level of
>>>> protection.
>>>> - an adequate level of protection is completely different from
>>>> unlinkability. Unlinkability is connected to the notion of
>>>> personally
>>>> identifieable information (PII).
>>>> This standard refers to the ISO 29100 (privacy framework) 
>>>> definition
>>>> of personally identifiable information (PII):
>>>> any information that (a) can be used to identify the PII principal
>>>> to
>>>> whom such information relates, or (b) is or might be directly or
>>>> indirectly linked to a PII principal.
>>>> NOTE To determine whether a PII principal is identifiable, account
>>>> should be taken of all the means which can reasonably be used by 
>>>> the
>>>> privacy stakeholder holding the data, or by any other party, to
>>>> identify that natural person.
>>>> The red state data may contain (a) and (b). In order to go from the
>>>> red state to the yellow state, direct identifiable information MUST
>>>> be removed, e.g. an email address or a phone number.
>>>> The yellow state data is partly de-identified, and MAY contain
>>>> information indirectly linked to an individual, computer or device,
>>>> e.g. a linkable unique identifier or a hashed pseudonym.
>>>> The green state data is fully de-identified data and SHOULD NOT
>>>> contain personally identifiable information (PII). Any risk for
>>>> re-identification of fully de-identified data MUST be regularly
>>>> assessed and mitigated through Privacy Risk Management.
>>>> </TEXT>
Received on Monday, 27 May 2013 13:34:08 UTC