ACTION-406: Propose a new set of names around yellow state

For the PII definition, I use the ISO 29100 (privacy framework).

We discussed a 3-state process of de-identification at the last F2F. In 
order to take away any confusion on the difference between partly 
de-identified (yellow state) and fully de-identified (red state), I 
propose the following text:

In terms of unlinkability versus de-identification it remains important 
to separate the two concepts:
- de-identification helps in the event of a data breach, when a dataset 
is out on the street due to e.g. a data breach. It is a way to address the 
reasonable requirements of an adequate level of protection.
- an adequate level of protection is completely different from 
unlinkability. Unlinkability is connected to the notion of personally 
identifiable information (PII).

This standard refers to the ISO 29100 (privacy framework) definition of 
personally identifiable information (PII):
any information that (a) can be used to identify the PII principal to 
whom such information relates, or (b) is or might be directly or 
indirectly linked to a PII principal.
NOTE To determine whether a PII principal is identifiable, account 
should be taken of all the means which can reasonably be used by the 
privacy stakeholder holding the data, or by any other party, to identify 
that natural person.

The red state data may contain (a) and (b). In order to go from the red 
state to the yellow state, directly identifiable information MUST be 
removed, e.g. an email address or a phone number.
The yellow state data is partly de-identified, and MAY contain 
information indirectly linked to an individual, computer or device, e.g. 
a linkable unique identifier or a hashed pseudonym.
The green state data is fully de-identified data and SHOULD NOT contain 
personally identifiable information (PII). Any risk for 
re-identification of fully de-identified data MUST be regularly assessed 
and mitigated through Privacy Risk Management.
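
The three states in the proposed text can be illustrated with a short sketch. This is an added example, not part of the original message or of any specification text. The field names (email, phone, device_id, pseudonym, url), the sample records and the use of HMAC-SHA256 as the "hashed pseudonym" are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed classification; the proposal itself only names "email address or
# phone number" (direct) and "unique identifier or hashed pseudonym" (indirect).
DIRECT = {"email", "phone"}
INDIRECT = {"device_id", "pseudonym"}

def state(record):
    """Classify one record as 'red', 'yellow' or 'green'."""
    present = {k for k, v in record.items() if v is not None}
    if present & DIRECT:
        return "red"
    if present & INDIRECT:
        return "yellow"
    return "green"

def to_yellow(record, key):
    """Red -> yellow: remove direct identifiers, keep a keyed-hash pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT}
    if record.get("email"):
        msg = record["email"].lower().encode()
        out["pseudonym"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return out

def to_green(record):
    """Yellow -> green: remove the indirectly linked identifiers as well."""
    return {k: v for k, v in record.items() if k not in DIRECT | INDIRECT}

def linkable(a, b):
    """True if two records share a value in any indirect identifier field."""
    return any(a.get(f) is not None and a.get(f) == b.get(f) for f in INDIRECT)

# Constructed sample data: two events from the same person on two devices.
KEY = b"constructed-demo-key"
RED = [
    {"email": "alice@example.org", "phone": "+1-555-0100",
     "device_id": "d-17", "url": "https://example.org/a"},
    {"email": "Alice@example.org", "phone": None,
     "device_id": "d-42", "url": "https://example.org/b"},
]
YELLOW = [to_yellow(r, KEY) for r in RED]
GREEN = [to_green(r) for r in YELLOW]

if __name__ == "__main__":
    for name, rows in (("red", RED), ("yellow", YELLOW), ("green", GREEN)):
        print(name, [state(r) for r in rows], "linkable:", linkable(*rows))
```

The yellow records no longer carry an email address or phone number, yet the two events can still be joined on the pseudonym, which is the difference between de-identification and unlinkability that the proposed text draws.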

