De-identification policy and risk distribution framework for securing personal information

Moon Ho Joo, Sang Pil Yoon, Hun-Yeong Kwon, Jong In Lim

Research output: Contribution to journal › Article

Abstract

In the age of big data, many countries are implementing and establishing de-identification policies quite actively. There are many efforts to institutionalize de-identification of personal information to protect privacy and utilize the use of personal information. But even with such efforts, de-identification policy always has a potential risk that de-identified information can be re-identified by being combined with other information. Therefore, it is necessary to consider the management mechanism that manages these risks as well as a mechanism for distributing the responsibilities and liabilities in the event of incidents involving the invasion of privacy. So far, most countries implementing the de-identification policies are focusing on defining what de-identification is and the exemption requirements to allow free use of de-identified personal information. On the other hand, there is a lack of discussion and consideration on how to distribute the responsibility of the risks and liabilities involved in the process of de-identification of personal information. The purpose of this study is to compare the de-identification policies of the European Union, the United States, Japan, and Korea, all of which are now actively pursuing de-identification policies. Additionally, this study proposes to take a look at the various de-identification policies worldwide and contemplate on these policies in the perspective of risk society and risk-liability theory. The constituencies of the de-identification policies are identified in order to analyze the roles and responsibilities of each of these constituencies thereby providing the theoretical basis on which to initiate the discussions on the distribution of burden and responsibilities arising from the de-identification policies.

Original language: English
Pages (from-to): 195-219
Number of pages: 25
Journal: Information Polity
Volume: 23
Issue number: 2
DOIs: 10.3233/IP-170057
Publication status: Published - 2018 Jan 1

Keywords

  • Big data
  • de-identification
  • distribution of responsibility
  • personal information
  • re-identification
  • risk-liability theory

ASJC Scopus subject areas

  • Information Systems
  • Communication
  • Sociology and Political Science
  • Public Administration

Cite this

De-identification policy and risk distribution framework for securing personal information. / Joo, Moon Ho; Yoon, Sang Pil; Kwon, Hun-Yeong; Lim, Jong In.

In: Information Polity, Vol. 23, No. 2, 01.01.2018, p. 195-219.

@article{428f68cb27794d5e9e0ffa4796328900,
title = "De-identification policy and risk distribution framework for securing personal information",
abstract = "In the age of big data, many countries are implementing and establishing de-identification policies quite actively. There are many efforts to institutionalize de-identification of personal information to protect privacy and utilize the use of personal information. But even with such efforts, de-identification policy always has a potential risk that de-identified information can be re-identified by being combined with other information. Therefore, it is necessary to consider the management mechanism that manages these risks as well as a mechanism for distributing the responsibilities and liabilities in the event of incidents involving the invasion of privacy. So far, most countries implementing the de-identification policies are focusing on defining what de-identification is and the exemption requirements to allow free use of de-identified personal information. On the other hand, there is a lack of discussion and consideration on how to distribute the responsibility of the risks and liabilities involved in the process of de-identification of personal information. The purpose of this study is to compare the de-identification policies of the European Union, the United States, Japan, and Korea, all of which are now actively pursuing de-identification policies. Additionally, this study proposes to take a look at the various de-identification policies worldwide and contemplate on these policies in the perspective of risk society and risk-liability theory. The constituencies of the de-identification policies are identified in order to analyze the roles and responsibilities of each of these constituencies thereby providing the theoretical basis on which to initiate the discussions on the distribution of burden and responsibilities arising from the de-identification policies.",
keywords = "Big data, de-identification, distribution of responsibility, personal information, re-identification, risk-liability theory",
author = "Joo, {Moon Ho} and Yoon, {Sang Pil} and Kwon, Hun-Yeong and Lim, {Jong In}",
year = "2018",
month = "1",
day = "1",
doi = "10.3233/IP-170057",
language = "English",
volume = "23",
pages = "195--219",
journal = "Information Polity",
issn = "1570-1255",
publisher = "IOS Press",
number = "2",
}

TY - JOUR

T1 - De-identification policy and risk distribution framework for securing personal information

AU - Joo, Moon Ho

AU - Yoon, Sang Pil

AU - Kwon, Hun-Yeong

AU - Lim, Jong In

PY - 2018/1/1

Y1 - 2018/1/1

N2 - In the age of big data, many countries are implementing and establishing de-identification policies quite actively. There are many efforts to institutionalize de-identification of personal information to protect privacy and utilize the use of personal information. But even with such efforts, de-identification policy always has a potential risk that de-identified information can be re-identified by being combined with other information. Therefore, it is necessary to consider the management mechanism that manages these risks as well as a mechanism for distributing the responsibilities and liabilities in the event of incidents involving the invasion of privacy. So far, most countries implementing the de-identification policies are focusing on defining what de-identification is and the exemption requirements to allow free use of de-identified personal information. On the other hand, there is a lack of discussion and consideration on how to distribute the responsibility of the risks and liabilities involved in the process of de-identification of personal information. The purpose of this study is to compare the de-identification policies of the European Union, the United States, Japan, and Korea, all of which are now actively pursuing de-identification policies. Additionally, this study proposes to take a look at the various de-identification policies worldwide and contemplate on these policies in the perspective of risk society and risk-liability theory. The constituencies of the de-identification policies are identified in order to analyze the roles and responsibilities of each of these constituencies thereby providing the theoretical basis on which to initiate the discussions on the distribution of burden and responsibilities arising from the de-identification policies.

KW - Big data

KW - de-identification

KW - distribution of responsibility

KW - personal information

KW - re-identification

KW - risk-liability theory

UR - http://www.scopus.com/inward/record.url?scp=85049644065&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85049644065&partnerID=8YFLogxK

U2 - 10.3233/IP-170057

DO - 10.3233/IP-170057

M3 - Article

AN - SCOPUS:85049644065

VL - 23

SP - 195

EP - 219

JO - Information Polity

JF - Information Polity

SN - 1570-1255

IS - 2

ER -