- From: Rob van Eijk <rob@blaeu.com>
- Date: Mon, 27 May 2013 15:12:45 +0200
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: <public-tracking@w3.org>
Shane,

Thanks for friendly amendment. If you are ok with the following added precision, you and I have reached consensus. This way we do not have to get into the linguistic difference between the partly and full de-identified state versus the 2-step process of de-identification.

(...) e.g. a partly de-identified but still linkable unique identifier, such as a hashed pseudonym.

Kind regards,
Rob

Shane Wiley wrote on 2013-05-27 14:39:
> Rob,
>
> I believe this is well stated but am caught up on the following phrase:
> "...MAY contain information indirectly linked to an individual,
> computer or device, e.g. a linkable unique identifier or a hashed
> pseudonym." Use of a "linkable unique identifier" in this sense makes
> it appear like we're back in the red state. Perhaps it would be
> better stated as "...MAY contain information indirectly linked to an
> individual, computer or device, e.g. a de-identified but still
> linkable unique identifier, such as a hashed pseudonym."
>
> Are you okay with that modification?
>
> - Shane
>
> -----Original Message-----
> From: Rob van Eijk [mailto:rob@blaeu.com]
> Sent: Monday, May 27, 2013 4:07 AM
> To: public-tracking@w3.org
> Subject: Re: ACTION-406: Propose a new set of names around yellow
> state
>
>
> To avoid confusion, repost as a whole (thanks Mike!):
>
>
> For the PII definition, I use the ISO 29100 (privacy framework)
> definition.
>
> We discussed a 3 state process of de-identification at the last F2F.
> In order to take away any confusion on the difference between partly
> de-identified (YELLOW state) and fully de-identified (GREEN state), I
> propose the following text:
>
> <TEXT>
> In terms of unlinkability versus de-identification it remains
> important to separate the two concepts:
> - de-identification helps in the event of a data breach, when a
> dataset is out on the street due to e.g. a data breach. It is a way to
> address the reasonable requirements of an adequate level of
> protection.
> - an adequate level of protection is completely different from
> unlinkability. Unlinkability is connected to the notion of personally
> identifiable information (PII).
>
> This standard refers to the ISO 29100 (privacy framework) definition
> of personally identifiable information (PII):
> any information that (a) can be used to identify the PII principal to
> whom such information relates, or (b) is or might be directly or
> indirectly linked to a PII principal.
> NOTE To determine whether a PII principal is identifiable, account
> should be taken of all the means which can reasonably be used by the
> privacy stakeholder holding the data, or by any other party, to
> identify that natural person.
>
> The RED state data may contain (a) and (b). In order to go from the
> red state to the yellow state, direct identifiable information MUST be
> removed, e.g. an email address or a phone number.
> The YELLOW state data is partly de-identified, and MAY contain
> information indirectly linked to an individual, computer or device,
> e.g. a linkable unique identifier or a hashed pseudonym.
> The GREEN state data is fully de-identified data and SHOULD NOT
> contain personally identifiable information (PII). Any risk for
> re-identification of fully de-identified data MUST be regularly
> assessed and mitigated through Privacy Risk Management.
> </TEXT>
>
>
> Rob van Eijk wrote on 2013-05-27 12:15:
>> s/fully de-identified (red state)/fully de-identified (GREEN state)/
>>
>> sorry for typo. Green is fully de-identified.
>>
>> Rob
>>
>> Rob van Eijk wrote on 2013-05-27 12:01:
>>> For the PII definition, I use the ISO 29100 (privacy framework)
>>> definition.
>>> We discussed a 3 state process of de-identification at the last F2F.
>>> In order to take away any confusion on the difference between partly
>>> de-identified (yellow state) and fully de-identified (red state), I
>>> propose the following text:
>>> <TEXT>
>>> In terms of unlinkability versus de-identification it remains
>>> important to separate the two concepts:
>>> - de-identification helps in the event of a data breach, when a
>>> dataset is out on the street due to e.g. a data breach. It is a way to
>>> address the reasonable requirements of an adequate level of
>>> protection.
>>> - an adequate level of protection is completely different from
>>> unlinkability. Unlinkability is connected to the notion of
>>> personally identifiable information (PII).
>>> This standard refers to the ISO 29100 (privacy framework) definition
>>> of personally identifiable information (PII):
>>> any information that (a) can be used to identify the PII principal
>>> to whom such information relates, or (b) is or might be directly or
>>> indirectly linked to a PII principal.
>>> NOTE To determine whether a PII principal is identifiable, account
>>> should be taken of all the means which can reasonably be used by the
>>> privacy stakeholder holding the data, or by any other party, to
>>> identify that natural person.
>>> The red state data may contain (a) and (b). In order to go from the
>>> red state to the yellow state, direct identifiable information MUST
>>> be removed, e.g. an email address or a phone number.
>>> The yellow state data is partly de-identified, and MAY contain
>>> information indirectly linked to an individual, computer or device,
>>> e.g. a linkable unique identifier or a hashed pseudonym.
>>> The green state data is fully de-identified data and SHOULD NOT
>>> contain personally identifiable information (PII). Any risk for
>>> re-identification of fully de-identified data MUST be regularly
>>> assessed and mitigated through Privacy Risk Management.
>>> </TEXT>

Received on Monday, 27 May 2013 13:13:23 UTC
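
The three states discussed in this thread, as an added example that is not part of the original messages: it moves constructed records from RED to YELLOW to GREEN and shows that a hashed pseudonym in the YELLOW state still lets events be joined into a profile. The field names, the keyed hash, and the treatment of GREEN as "drop the pseudonym" are assumptions for illustration; the proposed text additionally requires re-identification risk to be assessed for GREEN data.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records in the RED state (all values are made up).
RED_RECORDS = [
    {"email": "alice@example.com", "phone": "+31 20 555 0101", "cookie_id": "c-1001", "url": "/news"},
    {"email": "alice@example.com", "phone": "+31 20 555 0101", "cookie_id": "c-1001", "url": "/health"},
    {"email": "bob@example.com", "phone": "+31 20 555 0102", "cookie_id": "c-2002", "url": "/news"},
]
DIRECT_IDENTIFIERS = ("email", "phone")       # the thread's examples of direct identifiers
LINKABLE_FIELDS = ("cookie_id", "pseudonym")  # assumed field names for unique identifiers
DEMO_KEY = b"constructed-demo-key"            # placeholder secret, not a real key


def to_yellow(record):
    """RED -> YELLOW: remove direct identifiers, replace the ID by a hashed pseudonym."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "cookie_id"}
    digest = hmac.new(DEMO_KEY, record["cookie_id"].encode(), hashlib.sha256)
    out["pseudonym"] = digest.hexdigest()[:16]
    return out


def to_green(record):
    """YELLOW -> GREEN (simplified): drop every linkable unique identifier."""
    return {k: v for k, v in record.items() if k not in LINKABLE_FIELDS}


def state(record):
    """Classify a record by the strongest identifier it still carries."""
    if any(k in record for k in DIRECT_IDENTIFIERS):
        return "RED"
    if any(k in record for k in LINKABLE_FIELDS):
        return "YELLOW"
    return "GREEN"


def linked_profiles(records):
    """Return browsing profiles that can still be assembled by joining on the pseudonym."""
    profiles = defaultdict(list)
    for r in records:
        if "pseudonym" in r:
            profiles[r["pseudonym"]].append(r["url"])
    return {p: urls for p, urls in profiles.items() if len(urls) > 1}
```

Running `linked_profiles` over the YELLOW records returns one profile containing both of the first user's page views, while the same call over the GREEN records returns nothing to join on.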