IP Review

This fragment is available on download.html

This publication includes IP covered under the following statements.

These codes are excerpted from Digital Imaging and Communications in Medicine (DICOM) Standard, Part 16: Content Mapping Resource, Copyright © 2011 by the National Electrical Manufacturers Association.
Show Usage
- DICOM Controlled Terminology Definitions : AuditEvent/ex-auditDeIdentification-source , AuditEvent/ex-auditReIdentification-source and AuditPrivacyDeIdentificationSource
These codes are excerpted from ISO Standard, TS 21089-2017 - Health Informatics - Trusted End-to-End Information Flows, Copyright by ISO International. Copies of this standard are available through the ISO Web Site at www.iso.org.
Show Usage
- ISO 21089 2017 Health Record Lifecycle Events : AuditEvent/ex-auditDeIdentification-source , AuditEvent/ex-auditReIdentification-source , AuditEventSubtypeDeidentify and AuditPrivacyDeIdentificationSource
This material contains content that is copyright of SNOMED International. Implementers of these specifications must have the appropriate SNOMED CT Affiliate license - for more information contact https://www.snomed.org/get-snomed or info@snomed.org .
Show Usage
- SNOMED Clinical Terms® (SNOMED CT®) : AuditEvent/ex-auditDeIdentification-source and AuditPrivacyDeIdentificationSource
This material derives from the HL7 Terminology (THO). THO is copyright ©1989+ Health Level Seven International and is made available under the CC0 designation. For more licensing information see: https://terminology.hl7.org/license.html
Show Usage

hl7.fhir.us.hai: Healthcare Associated Infection Implementation Guide ®© HL7 | CC0 ( src )

De-Identification Profile, published by IHE IT Infrastructure Technical Committee. This guide is not an authorized publication; it is the continuous build for version 0.0.1-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/IHE/ITI.DeIdHandbook/ and changes regularly. See the Directory of published versions ( src )

The ISO 25237 standard closely aligns with the HIPAA Rule (45 CFR § 164.514(a)-(c)), which permits de-identification through the Safe Harbor method, Expert Determination method, or a combination of both. Although HIPAA does not use "pseudonymization" or "anonymization," it encompasses similar concepts: re-identification under 45 CFR § 164.514(c) resembles reversible pseudonymization, and 45 CFR § 164.514(b) outlines conditions for health information to be non-individually identifiable, akin to anonymization. The GDPR does not explicitly define de-identification but describes pseudonymization in Art. 4(5) as a form of de-identification. In contrast, China’s Personal Information Protection Law (PIPL) explicitly distinguishes de-identification from anonymization. Under PIPL, de-identified data remains personal data, while anonymized data is non-personal. Comparing GDPR’s pseudonymization (Art. 4(5)) with PIPL’s de-identification (Art. 73(3)) reveals two key similarities: both treat processed data as personal data, and both require that re-identification is not possible without additional information. To align these concepts with modern privacy frameworks, de-identification in this book should be carefully interpreted and mapped to relevant privacy laws. ( src )

These codes are excerpted from Digital Imaging and Communications in Medicine (DICOM) Standard, Part 16: Content Mapping Resource, Copyright © 2011 by the National Electrical Manufacturers Association. Show Usage * DICOM Controlled Terminology Definitions: AuditEvent/ex-auditDeIdentification-source, AuditEvent/ex-auditReIdentification-source and AuditPrivacyDeIdentificationSource ( src )

This material derives from the HL7 Terminology (THO). THO is copyright ©1989+ Health Level Seven International and is made available under the CC0 designation. For more licensing information see: https://terminology.hl7.org/license.html Show Usage * Audit event entity type: AuditEvent/ex-auditDeIdentification-source, AuditEvent/ex-auditReIdentification-source and AuditPrivacyDeIdentificationSource * AuditEventEntityRole: AuditEvent/ex-auditDeIdentification-source, AuditEvent/ex-auditReIdentification-source and AuditPrivacyDeIdentificationSource * Audit Event Source Type: AuditEvent/ex-auditDeIdentification-source and AuditEvent/ex-auditReIdentification-source * ActReason: AuditEvent/ex-auditDeIdentification-source and AuditEvent/ex-auditReIdentification-source ( src )

® ( src )

External References

Type	Reference	Content
web	example.org	who : http://example.org/fhir/Patient/ex-patient
web	example.org	what : http://example.org/fhir/Patient/ex-patient
web	example.org	what : http://example.org/fhir/Consent/ex-consent
web	profiles.ihe.net	This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .
web	profiles.ihe.net	This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .
web	profiles.ihe.net	This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .
web	profiles.ihe.net	ATNA required, encouraged IHE-IUA or SMART-on-FHIR
web	profiles.ihe.net	ATNA required, encouraged IHE-IUA or SMART-on-FHIR
web	profiles.ihe.net
web	profiles.ihe.net
web	github.com	De-Identification Profile, published by IHE IT Infrastructure Technical Committee. This guide is not an authorized publication; it is the continuous build for version 0.0.1-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/IHE/ITI.DeIdHandbook/ and changes regularly. See the Directory of published versions
web	www.ihe.net	IG © 2021+ IHE IT Infrastructure Technical Committee . Package ihe.iti.deid#0.0.1-current based on FHIR 4.0.1 . Generated 2025-08-22 Links: Table of Contents \| QA Report \| New Issue \| Issues Version History \| \| Propose a change
web	github.com	Links: Table of Contents \| QA Report \| New Issue \| Issues Version History \| \| Propose a change
web	github.com	Links: Table of Contents \| QA Report \| New Issue \| Issues Version History \| \| Propose a change
web	profiles.ihe.net	Links: Table of Contents \| QA Report \| New Issue \| Issues Version History \| \| Propose a change
web	www.ihe.net	Links: Table of Contents \| QA Report \| New Issue \| Issues Version History \| \| Propose a change
web	profiles.ihe.net	This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .
web	profiles.ihe.net	This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .
web	profiles.ihe.net	This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .
web	upload.wikimedia.org	Source
web	gdpr-info.eu	The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Recital 26, GDPR .
web	en.npc.gov.cn.cdurl.cn	"anonymization" refers to the process of processing personal information to make it impossible to identify specific natural persons and impossible to restore. Art 73 (4), PIPL
web	curia.europa.eu	A practical anonymization is prefered. (ISO 25237, 2017) acknowledges that an absolute definition of anonymization is difficult to achieve and often impractical, favoring a practical approach that is increasingly widely accepted. The legal practices also show a preferences of a practical anonymization. In Case C-582/14 , the Court of Justice of the European Union (CJEU) held that a dynamic IP address qualifies as personal data for a website operator only if the operator has legal means reasonably likely to access additional identifying information, such as from an internet service provider. More recently, Case T-557/20 from the CJEU provided a key precedent by delineating pseudonymized from anonymized data in cross-entity data-sharing contexts. The court introduced the "reasonable likelihood" standard, stressing that data’s status as personal hinges on the recipient’s actual re-identification capability, not theoretical potential. This pragmatic stance aligns with the Expert Determination method under the HIPAA Privacy Rule (45 C.F.R. §164.514(b)). Likewise, China is crafting data anonymization standards that adopt a practical lens, assessing re-identification risk from the recipient’s perspective. Recognizing that such risks cannot be fully eradicated, these standards prioritize governance measures alongside technical safeguards.
web	curia.europa.eu	A practical anonymization is prefered. (ISO 25237, 2017) acknowledges that an absolute definition of anonymization is difficult to achieve and often impractical, favoring a practical approach that is increasingly widely accepted. The legal practices also show a preferences of a practical anonymization. In Case C-582/14 , the Court of Justice of the European Union (CJEU) held that a dynamic IP address qualifies as personal data for a website operator only if the operator has legal means reasonably likely to access additional identifying information, such as from an internet service provider. More recently, Case T-557/20 from the CJEU provided a key precedent by delineating pseudonymized from anonymized data in cross-entity data-sharing contexts. The court introduced the "reasonable likelihood" standard, stressing that data’s status as personal hinges on the recipient’s actual re-identification capability, not theoretical potential. This pragmatic stance aligns with the Expert Determination method under the HIPAA Privacy Rule (45 C.F.R. §164.514(b)). Likewise, China is crafting data anonymization standards that adopt a practical lens, assessing re-identification risk from the recipient’s perspective. Recognizing that such risks cannot be fully eradicated, these standards prioritize governance measures alongside technical safeguards.
web	ukanon.net	Disclosure risk control starts with risk assessment. Re-Identification risks in a given data environment come from the interaction between agents and data (including the data disclosed/released and other data available to the agents). Thus, both the data risk and the data environment risk (so called context risk) should be assessed. The The governance and infrastructure within the data environment largely determine the likelihood of a certain type of re-identification threats. The assessment can be conducted using either qualitative analysis or quantitative analysis. An initial risk assessment may be required to make a quick decision whether a quantitative risk analysis is needed. (University of Manchester, 2024) introduces a practical initial risk assessment tool to help make a decision whether a quantitative risk assessment is needed. (ISO/IEC 27559, 2022) specifies an equation for calculating the re-identification risk:
web	en.npc.gov.cn.cdurl.cn	Note 1: The term is defined in a similar way under the PIPL ( Art. 73(4) ).
web	gdpr-info.eu	identifiable natural person : one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Source: GDPR Art 4(1) ).
web	www.privacy-regulation.eu	Note 2: The pseudonymised data can no longer be attributed to a specific data subject without the use of additional information, but could be attributed to a natural person by the use of additional information (Source: GDPR Recital 26 ).
web	github.com	The source code for this Implementation Guide can be found on IHE ITI DeIdentification Handbook Github Repo
web	digital.lib.washington.edu	It is feasible that motivated individuals who want to target or embarrass people who have consumed family planning services in general could compare the de-identified family planning database with other publicly available databases in order to see how many individuals can be identified. An excellent analysis of such an attack on de-identified published Netflix ratings to identify individual Netflix users is discussed in this paper: https://digital.lib.washington.edu/dspace-law/bitstream/handle/1773.1/417/vol5_no1_art3.pdf?sequence=1
web	profiles.ihe.net	IHE uses the normative words: Shall, Should, and May according to standards conventions .
web	profiles.ihe.net	The use of `mustSupport` in StructureDefinition profiles is equivalent to the IHE use of R2 as defined in Appendix Z .
web	arxiv.org	One example of this is the analysis by Latanya Sweeney from CMU using simply: Date-of-Birth, Current ZIP Code, and Sex (see Sweeney in references). An example of the impact of changing technology is the evaluation of risks from unrestricted publication of raw genetic data by Erlich and Narayanan http://arxiv.org/pdf/1310.3197v1 .
web	www.iso.org	ISO 25237. (2017). Health informatics — Pseudonymization (ISO 25237:2017; Number ISO 25237:2017). International Organization for Standardization. https://www.iso.org/standard/63553.html
web	www.iso.org	ISO/IEC 20889. (2018). Privacy enhancing data de-identification terminology and classification of techniques (Standard ISO/IEC 20889:2018(E); Number ISO/IEC 20889:2018(E)). International Organization for Standardization. https://www.iso.org/standard/69373.html
web	data.europa.eu	GDPR. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council . European Parliament and Council of the European Union. https://data.europa.eu/eli/reg/2016/679/oj
web	en.npc.gov.cn.cdurl.cn	PIPL. (2021). Personal Information Protection Law of the People’s Republic of China . National People’s Congress of the People’s Republic of China (NPC). http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm
web	doi.org	NIST 800-188. (2023). De-identifying Government Datasets (Special Publication No. 800-188; Numbers 800-188). National Institute of Standards and Technology. https://doi.org/10.6028/nist.sp.800-188
web	www.edpb.europa.eu	European Data Protection Board. (2025). Guidelines 01/2025 on Pseudonymisation . https://www.edpb.europa.eu/system/files/2025-01/edpb_guidelines_202501_pseudonymisation_en.pdf
web	ico.org.uk	Information Commissioner’s Office. (2025). Pseudonymisation . Information Commissioner’s Office. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/anonymisation/pseudonymisation/#pseudonymiseddatastillpersonal
web	doi.org	Hintze, M. (2017). Viewing the GDPR through a de-identification lens: a tool for compliance, clarification, and consistency. International Data Privacy Law , 8 (1), 86–101. https://doi.org/10.1093/IDPL/IPX020
web	www.iso.org	GB/T 42460. (2023). Information security technology - Guide for evaluating the effectiveness of personal information de-identification (Standard GB/T 42460—2023; Number GB/T 42460—2023). State Administration for Market Regulation Standardization Administration of China. https://www.iso.org/standard/69373.html
web	ukanon.net	University of Manchester. (2024). Anonymisation decision-making framework: European practitioners’ guide (2nd ed.). University of Manchester. https://ukanon.net/wp-content/uploads/2024/01/adf-2nd-edition-european-practitioners-guide-final-version-cover-2024-version-2.pdf
web	dicom.nema.org	National Electrical Manufacturers Association. (2025). DICOM Part 15, Annex E: Security and System Management Profiles — Attribute Confidentiality Profiles (PS3.15 Annex E; Number PS3.15 Annex E). National Electrical Manufacturers Association. https://dicom.nema.org/medical/dicom/current/output/chtml/part15/chapter_E.html
web	www.iso.org	ISO/IEC 27559. (2022). Information security, cybersecurity and privacy protection — Privacy enhancing data de-identification framework (ISO/IEC 27559:2022; Number ISO/IEC 27559:2022). International Organization for Standardization. https://www.iso.org/standard/71677.html
web	www.iso.org	ISO/TS 22220. (2011). Health informatics — Identification of subjects of care (ISO/TS 22220:2011; Number ISO/TS 22220:2011). International Organization for Standardization. https://www.iso.org/standard/44439.html
web	hpl.hp.com	HP. Efficient signature schemes supporting redaction, pseudonymization, and data deidentification. HP. HPL-2007-191
web	www.schneier.com	Schneier, Bruce. Commentary on the Importance of a Systemic Approach to Security. Bruce Schneier. Essay-028
web	www.nationalarchives.gov.uk	UK Redaction Toolkit. A United Kingdom government document describing a toolkit for removing content prior publication for various legal reasons. REDACTION GUIDELINES FOR THE EDITING OF EXEMPT INFORMATION FROM PAPER AND ELECTRONIC DOCUMENTS PRIOR TO RELEASE
web	www.dicomstandard.org	DICOM. DICOM current publication
web	dicom.nema.org	DICOM Part 15 Annex E. Discusses clinical trials, double-blinding, traceability (relinking) to original content, preserving data needed for the trial. DICOM Part 15, Annex E current publication
web	healthcaresecprivacy.blogspot.com	Moehrke. De-Identification is Highly Contextual . (2009) De-Identification is highly contextual
web	hitsp.wikispaces.com	HITSP. HITSP Biosurveillance Use Case Presentation . Lists summary of units of data exchange and values that should be pseudonymized. HITSP Biosurveillance Use Case presentation
web	dud.inf.tu-dresden.de	Dresden Anonymity. A proposed vocabulary for pseudonymization and related concepts . Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management – A onsolidated Proposal for Terminology* (Version v0.31 Feb. 15, 2008)
web	web.mit.edu	MIT Reidentification. Shows that a large percentage of people can be re-identified with Date-of-Birth, Current ZIP Code, and Sex . Reidentification of Individuals in Chicago's Homicide Database A Technical and Legal Study
web	www.ihe.net	IHE provides guidelines for preparing security and privacy risk assessments in http://www.ihe.net/Technical_Framework/upload/IHE_ITI_Whitepaper_Security_Cookbook_2008-11-10.pdf
web	profiles.ihe.net	The act of De-identification, pseudonymization, and re-identification are events that should be logged as part of the Audit Trail and Node Authentication (ATNA) surveillance log. The specific audit messages that will be appropriate depend upon the usage, and will be profiled elsewhere. The Basic Audit Log Patterns (BALP) should be reviewed for generalized patterns of ATNA audit log messages and some specific privacy events.

Type

Reference

Content

web

example.org

who : http://example.org/fhir/Patient/ex-patient

web

example.org

what : http://example.org/fhir/Patient/ex-patient

web

example.org

what : http://example.org/fhir/Consent/ex-consent

web

profiles.ihe.net

This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .

web

profiles.ihe.net

This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .

web

profiles.ihe.net

This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .

web

profiles.ihe.net

ATNA required, encouraged IHE-IUA or SMART-on-FHIR

web

profiles.ihe.net

ATNA required, encouraged IHE-IUA or SMART-on-FHIR

web

profiles.ihe.net

web

profiles.ihe.net

web

github.com

web

www.ihe.net

IG © 2021+ IHE IT Infrastructure Technical Committee . Package ihe.iti.deid#0.0.1-current based on FHIR 4.0.1 . Generated 2025-08-22
Links: Table of Contents | QA Report | New Issue | Issues Version History |

| Propose a change external

web

github.com

Links: Table of Contents | QA Report | New Issue | Issues Version History |

| Propose a change external

web

github.com

Links: Table of Contents | QA Report | New Issue | Issues Version History |

| Propose a change external

web

profiles.ihe.net

Links: Table of Contents | QA Report | New Issue | Issues Version History |

| Propose a change external

web

www.ihe.net

Links: Table of Contents | QA Report | New Issue | Issues Version History |

| Propose a change external

web

profiles.ihe.net

This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .

web

profiles.ihe.net

This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .

web

profiles.ihe.net

This Actor is derived off of the ATNA Secure Application or ATNA Secure Node actor with ATNA ATX:FHIR Feed Option .

web

upload.wikimedia.org

Source

web

gdpr-info.eu

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Recital 26, GDPR .

web

en.npc.gov.cn.cdurl.cn

"anonymization" refers to the process of processing personal information to make it impossible to identify specific natural persons and impossible to restore. Art 73 (4), PIPL

web

curia.europa.eu

A practical anonymization is prefered. (ISO 25237, 2017) acknowledges that an absolute definition of anonymization is difficult to achieve and often impractical, favoring a practical approach that is increasingly widely accepted. The legal practices also show a preferences of a practical anonymization. In Case C-582/14 , the Court of Justice of the European Union (CJEU) held that a dynamic IP address qualifies as personal data for a website operator only if the operator has legal means reasonably likely to access additional identifying information, such as from an internet service provider. More recently, Case T-557/20 from the CJEU provided a key precedent by delineating pseudonymized from anonymized data in cross-entity data-sharing contexts. The court introduced the "reasonable likelihood" standard, stressing that data’s status as personal hinges on the recipient’s actual re-identification capability, not theoretical potential. This pragmatic stance aligns with the Expert Determination method under the HIPAA Privacy Rule (45 C.F.R. §164.514(b)). Likewise, China is crafting data anonymization standards that adopt a practical lens, assessing re-identification risk from the recipient’s perspective. Recognizing that such risks cannot be fully eradicated, these standards prioritize governance measures alongside technical safeguards.

web

curia.europa.eu

web

ukanon.net

Disclosure risk control starts with risk assessment. Re-Identification risks in a given data environment come from the interaction between agents and data (including the data disclosed/released and other data available to the agents). Thus, both the data risk and the data environment risk (so called context risk) should be assessed. The The governance and infrastructure within the data environment largely determine the likelihood of a certain type of re-identification threats. The assessment can be conducted using either qualitative analysis or quantitative analysis. An initial risk assessment may be required to make a quick decision whether a quantitative risk analysis is needed. (University of Manchester, 2024) introduces a practical initial risk assessment tool to help make a decision whether a quantitative risk assessment is needed. (ISO/IEC 27559, 2022) specifies an equation for calculating the re-identification risk:

web

en.npc.gov.cn.cdurl.cn

Note 1: The term is defined in a similar way under the PIPL ( Art. 73(4) ).

web

gdpr-info.eu

identifiable natural person : one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Source: GDPR Art 4(1) ).

web

www.privacy-regulation.eu

Note 2: The pseudonymised data can no longer be attributed to a specific data subject without the use of additional information, but could be attributed to a natural person by the use of additional information (Source: GDPR Recital 26 ).

web

github.com

The source code for this Implementation Guide can be found on IHE ITI DeIdentification Handbook Github Repo

web

digital.lib.washington.edu

It is feasible that motivated individuals who want to target or embarrass people who have consumed family planning services in general could compare the de-identified family planning database with other publicly available databases in order to see how many individuals can be identified. An excellent analysis of such an attack on de-identified published Netflix ratings to identify individual Netflix users is discussed in this paper: https://digital.lib.washington.edu/dspace-law/bitstream/handle/1773.1/417/vol5_no1_art3.pdf?sequence=1

web

profiles.ihe.net

IHE uses the normative words: Shall, Should, and May according to standards conventions .

web

profiles.ihe.net

The use of mustSupport in StructureDefinition profiles is equivalent to the IHE use of R2 as defined in Appendix Z .

web

arxiv.org

One example of this is the analysis by Latanya Sweeney from CMU using simply: Date-of-Birth, Current ZIP Code, and Sex (see Sweeney in references). An example of the impact of changing technology is the evaluation of risks from unrestricted publication of raw genetic data by Erlich and Narayanan http://arxiv.org/pdf/1310.3197v1 .

web

www.iso.org

ISO 25237. (2017). Health informatics — Pseudonymization (ISO 25237:2017; Number ISO 25237:2017). International Organization for Standardization. https://www.iso.org/standard/63553.html

web

www.iso.org

ISO/IEC 20889. (2018). Privacy enhancing data de-identification terminology and classification of techniques (Standard ISO/IEC 20889:2018(E); Number ISO/IEC 20889:2018(E)). International Organization for Standardization. https://www.iso.org/standard/69373.html

web

data.europa.eu

GDPR. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council . European Parliament and Council of the European Union. https://data.europa.eu/eli/reg/2016/679/oj

web

en.npc.gov.cn.cdurl.cn

PIPL. (2021). Personal Information Protection Law of the People’s Republic of China . National People’s Congress of the People’s Republic of China (NPC). http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm

web

doi.org

NIST 800-188. (2023). De-identifying Government Datasets (Special Publication No. 800-188; Numbers 800-188). National Institute of Standards and Technology. https://doi.org/10.6028/nist.sp.800-188

web

www.edpb.europa.eu

European Data Protection Board. (2025). Guidelines 01/2025 on Pseudonymisation . https://www.edpb.europa.eu/system/files/2025-01/edpb_guidelines_202501_pseudonymisation_en.pdf

web

ico.org.uk

Information Commissioner’s Office. (2025). Pseudonymisation . Information Commissioner’s Office. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/anonymisation/pseudonymisation/#pseudonymiseddatastillpersonal

web

doi.org

Hintze, M. (2017). Viewing the GDPR through a de-identification lens: a tool for compliance, clarification, and consistency. International Data Privacy Law , 8 (1), 86–101. https://doi.org/10.1093/IDPL/IPX020

web

www.iso.org

GB/T 42460. (2023). Information security technology - Guide for evaluating the effectiveness of personal information de-identification (Standard GB/T 42460—2023; Number GB/T 42460—2023). State Administration for Market Regulation Standardization Administration of China. https://www.iso.org/standard/69373.html

web

ukanon.net

University of Manchester. (2024). Anonymisation decision-making framework: European practitioners’ guide (2nd ed.). University of Manchester. https://ukanon.net/wp-content/uploads/2024/01/adf-2nd-edition-european-practitioners-guide-final-version-cover-2024-version-2.pdf

web

dicom.nema.org

National Electrical Manufacturers Association. (2025). DICOM Part 15, Annex E: Security and System Management Profiles — Attribute Confidentiality Profiles (PS3.15 Annex E; Number PS3.15 Annex E). National Electrical Manufacturers Association. https://dicom.nema.org/medical/dicom/current/output/chtml/part15/chapter_E.html

web

www.iso.org

ISO/IEC 27559. (2022). Information security, cybersecurity and privacy protection — Privacy enhancing data de-identification framework (ISO/IEC 27559:2022; Number ISO/IEC 27559:2022). International Organization for Standardization. https://www.iso.org/standard/71677.html

web

www.iso.org

ISO/TS 22220. (2011). Health informatics — Identification of subjects of care (ISO/TS 22220:2011; Number ISO/TS 22220:2011). International Organization for Standardization. https://www.iso.org/standard/44439.html

web

hpl.hp.com

HP. Efficient signature schemes supporting redaction, pseudonymization, and data deidentification. HP. HPL-2007-191

web

www.schneier.com

Schneier, Bruce. Commentary on the Importance of a Systemic Approach to Security. Bruce Schneier. Essay-028

web

www.nationalarchives.gov.uk

UK Redaction Toolkit. A United Kingdom government document describing a toolkit for removing content prior publication for various legal reasons. REDACTION GUIDELINES FOR THE EDITING OF EXEMPT INFORMATION FROM PAPER AND ELECTRONIC DOCUMENTS PRIOR TO RELEASE

web

www.dicomstandard.org

DICOM. DICOM current publication

web

dicom.nema.org

DICOM Part 15 Annex E. Discusses clinical trials, double-blinding, traceability (relinking) to original content, preserving data needed for the trial. DICOM Part 15, Annex E current publication

web

healthcaresecprivacy.blogspot.com

Moehrke. De-Identification is Highly Contextual . (2009) De-Identification is highly contextual

web

hitsp.wikispaces.com

HITSP. HITSP Biosurveillance Use Case Presentation . Lists summary of units of data exchange and values that should be pseudonymized. HITSP Biosurveillance Use Case presentation

web

dud.inf.tu-dresden.de

Dresden Anonymity. A proposed vocabulary for pseudonymization and related concepts . Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management – A onsolidated Proposal for Terminology* (Version v0.31 Feb. 15, 2008)

web

web.mit.edu

MIT Reidentification. Shows that a large percentage of people can be re-identified with Date-of-Birth, Current ZIP Code, and Sex . Reidentification of Individuals in Chicago's Homicide Database A Technical and Legal Study

web

www.ihe.net

IHE provides guidelines for preparing security and privacy risk assessments in http://www.ihe.net/Technical_Framework/upload/IHE_ITI_Whitepaper_Security_Cookbook_2008-11-10.pdf

web

profiles.ihe.net

The act of De-identification, pseudonymization, and re-identification are events that should be logged as part of the Audit Trail and Node Authentication (ATNA) surveillance log. The specific audit messages that will be appropriate depend upon the usage, and will be profiled elsewhere. The Basic Audit Log Patterns (BALP) should be reviewed for generalized patterns of ATNA audit log messages and some specific privacy events.

Internal Images

fp-flow.png