Agenda for January 16, 2013 TPWG call

Agenda for January 16, 2013 Call

The call is scheduled for 90 minutes, but may run shorter, such as 60 minutes.

Chair: Peter Swire
Scribe: JC Cannon

1. Offline-caller-identification (almost NEW):
If you intend to join the phone call, you must either associate your phone number with your IRC username once you've joined the call (command: "Zakim, [ID] is [name]" e.g., "Zakim, ??P19 is schunter" in my case), or let Nick know your phone number ahead of  time. If you are not comfortable with the Zakim IRC syntax for associating your phone number, please email your name and phone number to npdoty@w3.org<mailto:npdoty@w3.org> by 8am PT tomorrow. We want to reduce (in fact, eliminate) the time spent on the call identifying phone numbers. Note that if your number is not identified and you do not respond to off-the-phone reminders via IRC, you will be dropped from the call.

2. Introductory comments from Swire:

A. Creation of Issue 191, Non-Normative Discussion of De-Identification.
B.  Discussion of de-identification at Center for Democracy and Technology on January 17, 9:00 a.m. to 12:30 p.m. eastern.  The call will be scribed, with call-in circulated separately.  If you are interested in attending, please RSVP to Yianni Lagos at ylagos@futureofprivacy.org.
C. Swire meeting in Brussels with interested persons, likely afternoon of January 24.

D.  Any questions/comments or old business.
3.  De-identification presentation by Deven McGraw, CDT.  The presentation will focus on the guidelines on de-identification issued in late 2012 by the U.S. Department of Health and Human Services, as discussed in January 11 email from Swire to the group, copied below.
Topics include: (1) definitions of covered data; (2) methods of de-identification; (3) types of safeguards that achieve de-identification; and (4) role of pseudonyms and persistent identifiers.

4.  Announce next meeting and adjourn.

================ Infrastructure =================

Zakim teleconference bridge:
VoIP:    sip:zakim@voip.w3.org<file://localhost/sip/zakim@voip.w3.org>
Phone +1.617.761.6200 passcode TRACK (87225)
IRC Chat: irc.w3.org<http://irc.w3.org/>, port 6665, #dnt

===========================================

TPWG agenda for Wednesday, January 16; background reading on de-identification

 *   This message: [ Message body<http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0037.html#start37> ] [ Respond<mailto:public-tracking@w3.org?Subject=Re%3A%20TPWG%20agenda%20for%20Wednesday%2C%20January%2016%3B%20background%20reading%20on%20%20de-identification&In-Reply-To=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E&References=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E> ] [ More options<http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0037.html#options3> ]
 *   Related messages: [ Next message<http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0038.html> ] [ Previous message<http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0036.html> ] [ Next in thread<http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0038.html> ] [ Replies<http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0037.html#replies> ]

From: Peter Swire <peter@peterswire.net<mailto:peter@peterswire.net?Subject=Re%3A%20TPWG%20agenda%20for%20Wednesday%2C%20January%2016%3B%20background%20reading%20on%20%20de-identification&In-Reply-To=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E&References=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E>>
Date: Fri, 11 Jan 2013 08:48:46 -0800
To: "public-tracking@w3.org<mailto:public-tracking@w3.org?Subject=Re%3A%20TPWG%20agenda%20for%20Wednesday%2C%20January%2016%3B%20background%20reading%20on%20%20de-identification&In-Reply-To=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E&References=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E>" <public-tracking@w3.org<mailto:public-tracking@w3.org?Subject=Re%3A%20TPWG%20agenda%20for%20Wednesday%2C%20January%2016%3B%20background%20reading%20on%20%20de-identification&In-Reply-To=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E&References=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E>>
CC: Deven McGraw <deven@cdt.org<mailto:deven@cdt.org?Subject=Re%3A%20TPWG%20agenda%20for%20Wednesday%2C%20January%2016%3B%20background%20reading%20on%20%20de-identification&In-Reply-To=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E&References=%253CCD15AC9E.691F0%25peter%40peterswire.net%253E>>
Message-ID: <CD15AC9E.691F0%peter@peterswire.net>

Hello DNT folks:

In response to a question, yes there will be the usualWorking Group call on Wednesday, January 16.

The call will include a presentation on the de-identification guidelines issued by the U.S. Department of Health and Human Services in November, 2012.  Deven McGraw of CDT was deeply involved in that process, and has agreed to present on that subject.

Another major 2012 document on de-identification was areport of the UK Information Commissioner Office, with guidelines for anonymisation under UK and EU law.  Is there someone in the group, or known to the group, who has materials prepared on these guidelines and would be able to brief the group on them?  If someone is able to do that for this Wednesday, we could do roughly half the call on each one.

Discussion below on why these documents provide good background for our discussion of delinking/de-identification.

Best,

Peter
======

Background reading on de-identification:

            (1) United Kingdom, Information Commissioner’s Office, “Anonymisation: Managing Data Protection Risk Code of Practice.” (2012).  This is the first code of practice on anonymisation published by an EU data protection authority.

http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation_code.ashx

            (2) U.S. Department of Health and Human Services, “Guidance Regarding Methods of De-Identification of Protected Health Information in Accordance with the HIPAA Privacy Rule.” (2012).

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf


            Here is an explanation for why I have selected these two documents to assist in our examination of de-identification issues.  Both of them are written by established government agencies that have years of experience with de-identification.  Both agencies sought and received public comments in the preparation of the reports, from a range of stakeholders.

            Selection of these documents is not intended to endorse the reports or claim that their recommendations should be applied directly to Do Not Track.  For the HHS report, one might assert that it is stricter than should apply to DNT, because medical data is usually considered more sensitive than advertising data.  On the other hand, perhaps the HHS report is less strict than appropriate for DNT, because entities covered by the HIPAArules have comprehensive privacy obligations that do not apply to other U.S. firms.  Similarly, for the ICO report, one might argue that it is stricter than appropriate for DNT, because many entities covered by DNT are not subject to the comprehensive legal regime of the EU Data Protection Directive.  By contrast, one might argue that the ICO report is not as strict as appropriate. I have been told, for instance, that the Dutch approach is stricter than the ICO report, although I have not seen any document that explains the Dutch approach.  If someone in the Working Group is aware of such a document, that could be helpful.

            Here are two other governmental reports that provide additional background for those who wish to dig deeper:

            1.  Health System Use Technical Advisory Committee, “Best Practice Guidelines for Managing the Disclosure of De-Identified Health Information.”  2010.  This document was drafted by a multi-stakeholder group led by Canadian federal/provincial/territorial ministries of health.

http://www.ehealthinformation.ca/documents/de-idguidelines.pdf

            2.  Federal Committee on Statistical Methodology, “Statistical Policy Working Paper 22, Report on Statistical Disclosure Limitation Methodology.”  2005.  The U.S. government for decades has released statistical information while seeking to prevent re-identification, such as for Census results.  This paper is the current inter-agency policy document for how to manage the risks of re-identification.

http://www.fcsm.gov/working-papers/SPWP22_rev.pdf

            I welcome others on the WG to suggest background reading on delinking/de-identification, as we lead up to face-to-face discussion on the topic in Boston in February.

            Peter


Professor Peter P. Swire
C. William O'Neill Professor of Law
    Ohio State University
240.994.4142
www.peterswire.net

Received on Tuesday, 15 January 2013 20:34:17 UTC