Tracking-ISSUE-191 (Descriptive DeID): Report on Jan 17 DeID discussion [Tracking Definitions and Compliance]

Dear Working Group:
For the non-normative discussion on de-identification, thank you for the great turnout yesterday in person (about 25 people) and online (a strong showing). The meeting was a positive step toward addressing important issues for the compliance spec.
I left the meeting with four takeaways:
(1) There is a good business case to be made for many companies to de-identify in many settings.
(2) Using accepted risk management techniques, we can analyze de-identification approaches  on a risk spectrum.  Risk of re-identification never becomes zero, but a system for compliance (such as the HIPAA discussion on Wednesday) draws a line at some place for what is considered "de-identified."
(3) Hashing is not a magic bullet; there are both benefits and possible flaws.
(4) All stakeholders were able to sit around a conference table for three and a half hours and conduct a civil, wide-ranging and productive meeting.
I am pleased to say that the transcript shows that we clarified a number of terms.  We helped develop a common vocabulary for subsequent discussions, an important step toward writing the compliance spec.
Again, thank you for your help as we prepare for the face to face meeting in Boston.  The professional tone of yesterday’s meeting and everyone's willingness to engage on issues that are essential to the spec bode well for our continued work together.
Thank you,
Peter
Professor Peter P. Swire
C. William O'Neill Professor of Law
    Ohio State University
240.994.4142
www.peterswire.net

Received on Friday, 18 January 2013 13:31:39 UTC