http://dx.doi.org/10.13089/JKIISC.2020.30.4.719

A New Scheme for Risk Assessment Based on Data Context for De-Identification of Personal Information  

Kim, Dong-hyun (Chungang University)
Kim, Soon-seok (Halla University)
Abstract
This paper proposes a new measurement scheme for estimating the level of processing required according to risk when practitioners in an organization de-identify personal information for use, in line with the recently revised Data 3 Act. The proposed method considers not just the data but also the circumstances surrounding it when measuring risk, and divides the data situation more systematically into three categories so that it can be applied in all areas: a general-purpose environment, the data utilization environment, and the data (itself). Risk can then be calculated quantitatively from the context risk of each category in the presented classification. The proposed method is designed to calculate the risk of existing de-identifiable information quantitatively, so that personal information controllers in general organizations can use it in practice rather than relying only on the qualitative judgment of experts.
Keywords
De-identification; Personal Information; Data Context; Risk Assessment