Public comments: WPF encourages NIST to refine report on de-identification of personally identifiable information

The World Privacy Forum submitted comments today to the National Institute of Standards and Technology in response to its publication, Draft Report on De-Identification of Personally Identifiable Information (NISTIR 8053).

The WPF welcomes the draft NIST report, as the area of de-identification and re-identification of personal data swirls with controversy and confusion. We see considerable value in a NIST report that describes terminology in this area, as well as considers the process and procedures for the removal of personally identifiable information (PII) from a variety of electronic document types.

In our comments, WPF noted two key areas for changes in the report: Institutional Review Boards (IRBs) and the HIPAA expert determination method. (The HIPAA expert determination method of de-identification is fairly technical; for more information about this, please see the detailed HHS guidance on this.)

Regarding IRBs, WPF wrote in part:

“The mention of the use of IRBs as potential regulators of the other harms is reasonable. However, while it is true that IRBs have a wide range of capabilities, some IRBs will not have the skills needed to identify and prevent the other harms, and IRBs approve a significant number of research protocols using expedited review procedures, with protocols that rely on de-identified information perhaps accepted for expedited review more often than those that use identifiable information.”

Regarding the use of the HIPAA expert determination method for de-identification, WPF noted four key areas for review and urged NIST to further analyze other aspects of this method’s shortcomings with an eye to improving outcomes.

Regarding the HIPAA expert method of de-identification, WPF wrote that one issue is transparency:

“The first problem [with the HIPAA expert method] is the lack of transparency. The rule does not require that there be any public disclosure of the expert used, of the expert’s qualifications, or of the methodology used by any given expert in any given case. While disclosure of methodology runs some risk of revealing business or research information that might qualify for confidential treatment, disclosure of the hiring of an expert, the name of the expert and the expert’s qualifications present no similar risk.”

The NIST draft report is available online and open for comment until May 15, 2015.

Read the full WPF comments:

WPF’s Comments on Draft Report on De-Identification of Personally Identifiable Information (NISTIR 8053) (PDF)