
NIST Sounds off on Data De-Identification


An Update

The National Institute of Standards and Technology ("NIST") report NIST.IR 8053 introduced De-Identification of Personal Information as a way to protect data. In it, NIST reviewed common methods as well as potential problems. In August of 2016, NIST followed up with DRAFT NIST Special Publication 800-188, which goes into more detail on using data de-identification.

NIST takes a page from HIPAA, one of the more established regulations defining usage of data de-identification. In this report, they outline two sets of data de-identification standards: Prescriptive De-Identification Standards, of which the HIPAA "Safe Harbor" method is an example, and Performance Based De-Identification Standards, of which the HIPAA "Expert Determination" method is an example.

NIST prescribes that different de-identification techniques be used for different types of data that require de-identification. This may include the use of synthetic data, which they define as data that does not exist in the source production data. They also discuss Pseudonymization, but indicate that they do not consider it as not a form of de-identification.

In the report, NIST spends some time on the possibility of re-identification. This is the possibility that someone can use information contained in a de-identified dataset to make inferences about individuals. NIST indicates that it is very difficult to calculate re-identification probabilities, as the ability to re-identify depends on many factors. They also indicate that there are no performance standards, certification, or third-party testing programs available for de-identification software.

NIST specifies that de-identification is best performed by software and provides a set of important features to look for, as well as criteria for evaluating de-identification software. Some of the features specified by NIST include:

  • Detection of identifying information;
  • Performing de-identification;
  • Mapping identifiers to pseudonyms;
  • Providing for the selective revelation of pseudonyms.

Joe Santangelo
Delphix Corp.
Joseph.Santangelo@delphix.com
+1-646-596-2670
@jisantangelo