- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Mon, 27 May 2013 12:39:27 +0000
- To: "rob@blaeu.com" <rob@blaeu.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Rob, I believe this well stated but am caught up on the following phrase: "...MAY contain information indirectly linked to an individual, computer or device, e.g. a linkable unique identifier or a hashed pseudonym." Use of a "linkable unique identifier" in this sense makes it appear like we're back in the red state. Perhaps it would be better stated as "...MAY contain information indirectly linked to an individual, computer or device, e.g. a de-identified but still linkable unique identifier, such as a hashed pseudonym." Are you okay with that modification? - Shane -----Original Message----- From: Rob van Eijk [mailto:rob@blaeu.com] Sent: Monday, May 27, 2013 4:07 AM To: public-tracking@w3.org Subject: Re: ACTION-406: Propose a new set of names around yellow state To avoid confusion, repost as a whole (thanks Mike!): For the PII definition, I use the ISO 29100 (privacy framework) definition. We discussed a 3 state process of de-identification at the last F2F. In order to take away any confusion on the difference between partly de-identified (YELLOW state) and fully de-identified (GREEN state), I propose the following text: <TEXT> In terms of unlinkability versus de-identification it remains important to seperate the two concepts: - de-identification helps in the event of a data breach, when a dataset is out on the street due to e.g a databreach. It is a way to address the reasonable requirements of an adequate level of protection. - an adequate level of protection is completely different from unlinkability. Unlinkability is connected to the notion of personally identifieable information (PII). This standard refers to the ISO 29100 (privacy framework) definition of personally identifiable information (PII): any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal. NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person. The RED state data may contain (a) and (b). In order to go from the red state to the yellow state, direct identifiable information MUST be removed, e.g. an email address or a phone number. The YELLOW state data is partly de-identified, and MAY contain information indirectly linked to an individual, computer or device, e.g. a linkable unique identifier or a hashed pseudonym. The GREEN state data is fully de-identified data and SHOULD NOT contain personally identifiable information (PII). Any risk for re-identification of fully de-identified data MUST be regularly assessed and mitigated through Privacy Risk Management. </TEXT> Rob van Eijk schreef op 2013-05-27 12:15: > s/fully de-identified (red state)/fully de-identified (GREEN state)/ > > sorry for typo. Green is fully de-identified. > > Rob > > Rob van Eijk schreef op 2013-05-27 12:01: >> For the PII definition, I use the ISO 29100 (privacy framework) >> definition. >> We discussed a 3 state process of de-identification at the last F2F. >> In order to take away any confusion on the difference between partly >> de-identified (yellow state) and fully de-identified (red state), I >> propose the following text: >> <TEXT> >> In terms of unlinkability versus de-identification it remains >> important to seperate the two concepts: >> - de-identification helps in the event of a data breach, when a >> dataset is out on the street due to e.g a databreach. It is a way to >> address the reasonable requirements of an adequate level of >> protection. >> - an adequate level of protection is completely different from >> unlinkability. Unlinkability is connected to the notion of personally >> identifieable information (PII). >> This standard refers to the ISO 29100 (privacy framework) definition >> of personally identifiable information (PII): >> any information that (a) can be used to identify the PII principal to >> whom such information relates, or (b) is or might be directly or >> indirectly linked to a PII principal. >> NOTE To determine whether a PII principal is identifiable, account >> should be taken of all the means which can reasonably be used by the >> privacy stakeholder holding the data, or by any other party, to >> identify that natural person. >> The red state data may contain (a) and (b). In order to go from the >> red state to the yellow state, direct identifiable information MUST >> be removed, e.g. an email address or a phone number. >> The yellow state data is partly de-identified, and MAY contain >> information indirectly linked to an individual, computer or device, >> e.g. a linkable unique identifier or a hashed pseudonym. >> The green state data is fully de-identified data and SHOULD NOT >> contain personally identifiable information (PII). Any risk for >> re-identification of fully de-identified data MUST be regularly >> assessed and mitigated through Privacy Risk Management. >> </TEXT>
Received on Monday, 27 May 2013 12:40:37 UTC