The National Institute of Standards and Technology (“NIST”) recently released the final draft of its report entitled De-Identification of Personal Information. The report stems from a review conducted by NIST of various de-identification techniques for removal of personal information from computerized documents. While de-identification techniques are widely used, there is concern that existing techniques are insufficient to protect personal privacy because certain remaining information can make it possible to re-identify individuals.

The final report follows NIST’s request for comments on its April 7, 2015 initial public draft, and generally covers the following:

  • an introductory overview of the concepts of de-identification, re-identification and data sharing models;
  • approaches for de-identifying structured data (i.e., data that resides in a field within a database), typically by removing, masking or altering specific categories such as names and phone numbers; and
  • challenges of de-identification for non-tabular data, such as free-format text, images and genomic information.

The report concludes that although it is not perfect, de-identification is “a significant technical control that may protect the privacy of data subjects.”