ISO INTERNATIONAL STANDARD 25237 Firstedition 2017-01 Health informatics Pseudonymization Informatique de santé-Pseudonymisation Reference number IS025237:2017(E) International Organization for Standardization =ZHEJIANG INST OF STANDARDIZATION C1 5956617 @ IS0 2017 No reproduction or networking permitted without license from IHS IS0 25237:2017(E) COPYRIGHTPROTECTEDDOCUMENT IS0 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISO copyrightoffice Ch. de Blandonnet 8 . CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 [email protected] www.iso.org PrganizationforStandardization ensee-ZHEJIANG INST OF STANDARDIZRoISQ $17 - All rights reserved Not for Resale, 2017/3/28 02:58:03 etworking permitted without license from IHS IS0 25237:2017(E) Contents Page Foreword ..V Introduction. ...vi 1 Scope. 2 Normative references 3 Terms and definitions 4 Abbreviated terms ..6 5 Requirements for privacy protection of identities in healthcare .1 5.1 Objectives of privacy protection. > 5.2 General .7 5.3 De-identification as a process to reduce risk .8 5.3.1 General. 5.3.2 Pseudonymization. ..8 5.3.3 Anonymization .9 5.3.4 Direct and indirect identifiers. .9 5.4 Privacy protection of entities .9 5.4.1 Personal data versus de-identified data .9 5.4.2 Concept of pseudonymization.. .11 5.5 Real world pseudonymization. .13 5.5.1 Rationale .13 5.5.2 Levels of assurance of privacy protection ..14 5.6 Categories of data subject. .16 5.6.1 General .16 5.6.2 Subject of care. .16 5.6.3 Health professionals and organizations .16 5.6.4 Device data. ..16 5.7 Classification data. .17 5.7.1 Payload data ..17 5.7.2 Observational data .17 5.7.3 Pseudonymized data .17 5.7.4 Anonymized data ..17 5.8 Research data. ..17 5.8.1 General .17 5.8.2 Generation of research data. .18 5.8.3 Secondary use of personal health information .18 5.9 Identifying data. ..18 5.9.1 General ..18 5.9.2 Healthcare identifiers. .18 5.10 Data of victims of violence and publicly known persons .19 5.10.1 General .19 5.10.2 Genetic information ..19 5.10.3 Trusted service. ..19 5.10.4 Need for re-identification of pseudonymized data ..19 5.10.5 Pseudonymization service characteristics .20 6 Protecting privacy through pseudonymization .20 6.1 Conceptual model of the problem areas. 20 6.2 Direct and indirect identifiability of personal information. .21 6.2.1 General. .21 6.2.2 Person identifying variables. 21 6.2.3 Aggregation variables. 21 6.2.4 Outlier variables. 22 6.2.5 Structured data variables. .22 6.2.6 Non-structured data variables. .23 iii Censee=ZHEJIANG INST OF STANDARDIZATION C1 5956617 ed without license from IHS Not for Resale, 2017/3/28 02:58:03