RE: ACTION-406: Propose a new set of names around yellow state

Rob,

So close...  Let's hold on the "partly de-identified" vs. "fully de-identified" discussion for a live engagement.  I believe you're equating "de-identified" to be equal for the most part to "unlinkable" from a definition perspective whereas they are slightly different to me.

We are indeed on the same page conceptually and simply struggling to use terms we both agree with so I see this as very positive.

- Shane

-----Original Message-----
From: Rob van Eijk [mailto:rob@blaeu.com] 
Sent: Monday, May 27, 2013 6:13 AM
To: Shane Wiley
Cc: public-tracking@w3.org
Subject: RE: ACTION-406: Propose a new set of names around yellow state


Shane,

Thanks for the friendly amendment. If you are ok with the following added precision, you and I have reached consensus. This way we do not have to get into the linguistic difference between the partly and fully de-identified state versus the 2-step process of de-identification.


(...) e.g. a partly de-identified but still linkable unique identifier, such as a hashed pseudonym.


mvg::Rob

Shane Wiley schreef op 2013-05-27 14:39:
> Rob,
> 
> I believe this well stated but am caught up on the following phrase:
> "...MAY contain information indirectly linked to an individual,
> computer or device, e.g. a linkable unique identifier or a hashed
> pseudonym."  Use of a "linkable unique identifier" in this sense makes
> it appear like  we're back in the red state.  Perhaps it would be
> better stated as "...MAY contain information indirectly linked to an
> individual, computer or device, e.g. a de-identified but still
> linkable unique identifier, such as a hashed pseudonym."
> 
> Are you okay with that modification?
> 
> - Shane
> 
> -----Original Message-----
> From: Rob van Eijk [mailto:rob@blaeu.com]
> Sent: Monday, May 27, 2013 4:07 AM
> To: public-tracking@w3.org
> Subject: Re: ACTION-406: Propose a new set of names around yellow state
> 
> 
> To avoid confusion, repost as a whole (thanks Mike!):
> 
> 
> For the PII definition, I use the ISO 29100 (privacy framework) definition.
> 
> We discussed a 3 state process of de-identification at the last F2F.
> In order to take away any confusion on the difference between partly
> de-identified (YELLOW state) and fully de-identified (GREEN state), I
> propose the following text:
> 
> <TEXT>
> In terms of unlinkability versus de-identification it remains
> important to separate the two concepts:
> - de-identification helps in the event of a data breach, when a
> dataset is out on the street due to e.g. a data breach. It is a way to
> address the reasonable requirements of an adequate level of
> protection.
> - an adequate level of protection is completely different from
> unlinkability. Unlinkability is connected to the notion of personally
> identifiable information (PII).
> 
> This standard refers to the ISO 29100 (privacy framework) definition
> of personally identifiable information (PII):
> any information that (a) can be used to identify the PII principal to
> whom such information relates, or (b) is or might be directly or
> indirectly linked to a PII principal.
> NOTE To determine whether a PII principal is identifiable, account
> should be taken of all the means which can reasonably be used by the
> privacy stakeholder holding the data, or by any other party, to
> identify that natural person.
> 
> The RED state data may contain (a) and (b). In order to go from the
> red state to the yellow state, directly identifiable information MUST be
> removed, e.g. an email address or a phone number.
> The YELLOW state data is partly de-identified, and MAY contain
> information indirectly linked to an individual, computer or device,
> e.g. a linkable unique identifier or a hashed pseudonym.
> The GREEN state data is fully de-identified data and SHOULD NOT
> contain personally identifiable information (PII). Any risk for
> re-identification of fully de-identified data MUST be regularly
> assessed and mitigated through Privacy Risk Management.
> </TEXT>
> 
> 
> Rob van Eijk schreef op 2013-05-27 12:15:
>> s/fully de-identified (red state)/fully de-identified (GREEN state)/
>> 
>> sorry for typo. Green is fully de-identified.
>> 
>> Rob
>> 
>> Rob van Eijk schreef op 2013-05-27 12:01:
>>> For the PII definition, I use the ISO 29100 (privacy framework)
>>> definition.
>>> We discussed a 3 state process of de-identification at the last F2F.
>>> In order to take away any confusion on the difference between partly
>>> de-identified (yellow state) and fully de-identified (red state), I
>>> propose the following text:
>>> <TEXT>
>>> In terms of unlinkability versus de-identification it remains
>>> important to separate the two concepts:
>>> - de-identification helps in the event of a data breach, when a
>>> dataset is out on the street due to e.g. a data breach. It is a way to
>>> address the reasonable requirements of an adequate level of
>>> protection.
>>> - an adequate level of protection is completely different from
>>> unlinkability. Unlinkability is connected to the notion of personally
>>> identifiable information (PII).
>>> This standard refers to the ISO 29100 (privacy framework) definition
>>> of personally identifiable information (PII):
>>> any information that (a) can be used to identify the PII principal to
>>> whom such information relates, or (b) is or might be directly or
>>> indirectly linked to a PII principal.
>>> NOTE To determine whether a PII principal is identifiable, account
>>> should be taken of all the means which can reasonably be used by the
>>> privacy stakeholder holding the data, or by any other party, to
>>> identify that natural person.
>>> The red state data may contain (a) and (b). In order to go from the
>>> red state to the yellow state, directly identifiable information MUST
>>> be removed, e.g. an email address or a phone number.
>>> The yellow state data is partly de-identified, and MAY contain
>>> information indirectly linked to an individual, computer or device,
>>> e.g. a linkable unique identifier or a hashed pseudonym.
>>> The green state data is fully de-identified data and SHOULD NOT
>>> contain personally identifiable information (PII). Any risk for
>>> re-identification of fully de-identified data MUST be regularly
>>> assessed and mitigated through Privacy Risk Management.
>>> </TEXT>

Received on Monday, 27 May 2013 13:17:27 UTC
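The RED / YELLOW / GREEN states discussed in this thread, as an added worked example that is not part of the original emails or of the W3C draft. It assumes a keyed hash (HMAC-SHA256 under a holder-side key) as the "hashed pseudonym", constructed sample records, and a minimum-count threshold standing in for the risk assessment the text requires; it shows why a YELLOW record has no direct identifiers yet remains linkable across datasets, and why the GREEN release does not.

```python
import hashlib
import hmac

# Fields treated as direct identifiers (the text's examples: email, phone).
DIRECT_IDENTIFIERS = ("email", "phone")


def to_yellow(record, key):
    """RED -> YELLOW: remove direct identifiers but keep a hashed pseudonym.

    The pseudonym is a keyed hash (HMAC-SHA256) of the e-mail address; the
    key is this example's assumption. The result is partly de-identified:
    no field names the person, yet the same e-mail under the same key always
    yields the same pseudonym, so the record remains linkable.
    """
    pseudonym = hmac.new(key, record["email"].strip().lower().encode(),
                         hashlib.sha256).hexdigest()
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    kept["pseudonym"] = pseudonym
    return kept


def linkable_pseudonyms(dataset_a, dataset_b):
    """Pseudonyms present in both YELLOW datasets, i.e. records that can be
    joined across them. A non-empty result means the data is still linkable."""
    return {r["pseudonym"] for r in dataset_a} & {r["pseudonym"] for r in dataset_b}


def to_green(yellow_records, min_count=2):
    """YELLOW -> GREEN: drop the pseudonym too and release only aggregate
    counts per country. Cells below min_count are suppressed as one simple
    re-identification mitigation (the threshold is this example's choice)."""
    counts = {}
    for r in yellow_records:
        counts[r["country"]] = counts.get(r["country"], 0) + 1
    return {c: n for c, n in counts.items() if n >= min_count}


# Constructed RED-state sample data: two sites that share one visitor.
SITE_A = [
    {"email": "Alice@example.org", "phone": "+1-555-0100", "country": "NL"},
    {"email": "bob@example.org", "phone": "+1-555-0101", "country": "NL"},
]
SITE_B = [
    {"email": "alice@example.org", "phone": "+1-555-0100", "country": "NL"},
    {"email": "carol@example.org", "phone": "+1-555-0102", "country": "DE"},
]
SHARED_KEY = b"constructed-demo-key"  # assumed holder-side key, not from the page


def demo():
    """Run the pipeline; returns (cross-site links, GREEN aggregate release)."""
    ya = [to_yellow(r, SHARED_KEY) for r in SITE_A]
    yb = [to_yellow(r, SHARED_KEY) for r in SITE_B]
    return linkable_pseudonyms(ya, yb), to_green(ya + yb)
```

Running `demo()` yields exactly one cross-site link (the shared visitor) from the YELLOW data and a GREEN release of `{"NL": 3}` with the single-record DE cell suppressed; keying each holder's pseudonyms separately makes the cross-site join empty.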