< Previous standard ^ Up a level ^ Next standard >

ISO/IEC 27559:2022 — Information security, cybersecurity and privacy protection —
Privacy-enhancing data de-identification framework (first edition)

Abstract

“This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.”

[Source: ISO/IEC 27559:2022]

Introduction

This standard proposes a ‘principles-based’ framework/structure for identifying and mitigating privacy-related risks such as re-identification etc. during the lifecycle of supposedly de-identified data. It advises on properly de-identifying (anonymising) personal data in order to build trust with data subjects and comply with applicable obligations under GDPR and other privacy laws and regulations.

Scope of the standard

As data analytics increasingly relies on sharing and combining data sets containing supposedly de-identified (anonymized) data, the risks of re-identification are growing more significant. This standard provides guidance on the principles involved in recognizing and mitigating those risks. It stops short of the specific technologies and their implementation.

Content of the standard

Main sections:

Context assessment: essentially, determining the general concerns and hence main requirements in this area, using analytical approaches such as threat modelling. Understanding the business situations in which personal data are shared both within and without the organisation suggests the possibility of procedural and administrative controls (such as contracts and agreements) to be applied by data custodians.
Data assessment: understanding the data structures to identify possible ‘attacks’ (unauthorised/inappropriate attempts to obtain personal information that would compromise privacy).
Identifiability assessment and mitigation: understanding how personal information might be gleaned from available/accumulated data that (whether individually or as a whole) has been inadequately anonymized, and mitigating the risks (e.g. applying the de-identification techniques described in ISO/IEC 20889) to an acceptable level (not necessarily zero!).
De-identification governance: directing and controlling the people involved in maintaining privacy, for example by determining and assigning appropriate roles and responsibilities, defining policies and procedures, managing and mopping-up after privacy breach incidents.

Status

The standard was first published in 2022.

Personal notes

As our personal information is increasingly obtained and shared both within and among organisations, this standard has a valuable role in setting the ground rules for how to do so without unnecessarily compromising the privacy of the individuals concerned, or exposing personal data to compromise by various means (e.g. data aggregation and inference attacks). As such, it facilitates the process by increasing the level of trust between providers and acquirers of personal information, supporting privacy arrangements in general.