De-identification is the process used to prevent someone's personal identity from being revealed. For example,data produced during human subject research might be de-identified to preservethe privacy of research participants. Biological data may be de-identified in order to comply withHIPAA regulations that define and stipulate patient privacy laws.^[1]

When applied tometadata or general data about identification, the process is also known as data anonymization. Common strategies include deleting or maskingpersonal identifiers, such aspersonal name, and suppressing or generalizingquasi-identifiers, such as date of birth. The reverse process of using de-identified data to identify individuals is known asdata re-identification. Successful re-identifications^[2][3][4][5] cast doubt on de-identification's effectiveness. A systematic review of fourteen distinct re-identification attacks found "a high re-identification rate […] dominated by small-scale studies on data that was not de-identified according to existing standards".^[6]

De-identification is adopted as one of the main approaches toward dataprivacy protection.^[7] It is commonly used in fields of communications, multimedia, biometrics, big data, cloud computing,data mining, internet, social networks, and audio–video surveillance.^[8]

When surveys are conducted, such as acensus, they collect information about a specific group of people. To encourage participation and to protect the privacy of survey respondents, the researchers attempt to design the survey in a way that when people participate in a survey, it will not be possible to match any participant's individual response(s) with any data published.^[9]

When an online shopping website wants to know its users' preferences and shopping habits, it decides to retrieve customers' data from its database and do analysis on them. The personal data information includepersonal identifiers which were collected directly when customers created their accounts. The website needs to pre-handle the data through de-identification techniques before analyzing data records to avoid violating their customers' privacy.

Anonymization refers to irreversibly severing a data set from the identity of the data contributor in a study to prevent any future re-identification, even by the study organizers under any condition.^[10][11] De-identification may also include preserving identifying information which can only be re-linked by a trusted party in certain situations.^[10][11][12] There is a debate in the technology community on whether data that can be re-linked, even by a trusted party, should ever be considered de-identified.^[13]

Common strategies of de-identification are maskingpersonal identifiers and generalizingquasi-identifiers.Pseudonymization is the main technique used to maskpersonal identifiers from data records, and k-anonymization is usually adopted for generalizingquasi-identifiers.

Pseudonymization is performed by replacing real names with a temporary ID. It deletes or masks personal identifiers to make individuals unidentified. This method makes it possible to track the individual's record over time, even though the record will be updated. However, it can not prevent the individual from being identified if some specific combinations of attributes in the data record indirectly identify the individual.^[14]

k-anonymization defines attributes that indirectly points to the individual's identity asquasi-identifiers (QIs) and deal with data by making at leastk individuals have some combination of QI values.^[14] QI values are handled following specific standards. For example, the k-anonymization replaces some original data in the records with new range values and keep some values unchanged. New combination of QI values prevents the individual from being identified and also avoid destroying data records.

Research into de-identification is driven mostly for protectinghealth information.^[15] Some libraries have adopted methods used in thehealthcare industry to preserve their readers' privacy.^[15]

Inbig data, de-identification is widely adopted by individuals and organizations.^[8] With the development of social media, e-commerce, and big data, de-identification is sometimes required and often used fordata privacy when users' personal data are collected by companies or third-party organizations who will analyze it for their own personal usage.

Insmart cities, de-identification may be required to protect the privacy of residents, workers and visitors. Without strict regulation, de-identification may be difficult because sensors can still collect information without consent.^[16]

PHI (Protected Health Information) can be present in various data and each format need specific techniques and tools for de-identify it:

• ForText de-identification is using rule based andNLP (Natural language processing) approaches.
• Pdf de-identification is based on text de-identification, also required in most cases OCR and specific techniques for hidePHI in PDF.^[17]
• DICOM de-identification required to clean metadata, pixel data, encapsulated documents.

Whenever a person participates ingenetics research, the donation of a biological specimen often results in the creation of a large amount of personalized data. Such data is uniquely difficult to de-identify.^[18]

Anonymization of genetic data is particularly difficult because of the huge amount of genotypicinformation in biospecimens,^[18] the ties that specimens often have to medical history,^[19] and the advent of modern bioinformatics tools fordata mining.^[19] There have been demonstrations that data for individuals in aggregate collections of genotypic data sets can be tied to the identities of the specimen donors.^[20]

Some researchers have suggested that it is not reasonable to ever promise participants in genetics research that they can retain their anonymity, but instead, such participants should be taught the limits of using coded identifiers in a de-identification process.^[11]

In May 2014, theUnited States President's Council of Advisors on Science and Technology found de-identification "somewhat useful as an added safeguard" but not "a useful basis for policy" as "it is not robust against near‐term future re‐identification methods".^[21]

TheHIPAA Privacy Rule provides mechanisms for using and disclosing health data responsibly without the need for patient consent. These mechanisms center on two HIPAA de-identification standards –Safe Harbor and the Expert Determination Method. Safe harbor relies on the removal of specific patient identifiers (e.g. name, phone number, email address, etc.), while the Expert Determination Method requires knowledge and experience with generally accepted statistical and scientific principles and methods to render information not individually identifiable.^[22]

Thesafe harbor method uses a list approach to de-identification and has two requirements:

1. The removal or generalization of 18 elements from the data.
2. That the Covered Entity or Business Associate does not have actual knowledge that the residual information in the data could be used alone, or in combination with other information, to identify an individual. Safe Harbor is a highly prescriptive approach to de-identification. Under this method, all dates must be generalized to year and zip codes reduced to three digits. The same approach is used on the data regardless of the context. Even if the information is to be shared with a trusted researcher who wishes to analyze the data for seasonal variations in acute respiratory cases and, thus, requires the month of hospital admission, this information cannot be provided; only the year of admission would be retained.

Expert Determination takes a risk-based approach to de-identification that applies current standards and best practices from the research to determine thelikelihood that a person could be identified from their protectedhealth information. This method requires that a person with appropriateknowledge of and experience with generally accepted statistical and scientific principles and methods render the information not individually identifiable. It requires:

1. That the risk is very small that the information could be used alone, or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information;
2. Documents the methods and results of the analysis that justify such a determination.

The key law about research inelectronic health record data isHIPAA Privacy Rule. This law allows use of electronic health record of deceased subjects for research (HIPAA Privacy Rule (section 164.512(i)(1)(iii))).^[23]

• Adversarial stylometry
• Genetic privacy
• Statistical disclosure control

• Simson L. Garfinkel (2015-12-16)."NISTIR 8053, De-Identification of Personal Information"(PDF). NIST. Retrieved2016-01-03.
• A training series on United States government de-identification standards
• Guidance Regarding Methods for De-identification of Protected Health Information
• Ohm, Paul (2010)."Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization"(PDF).UCLA Law Review.57: 1701–77. Archived fromthe original(PDF) on 2019-09-17. Retrieved2019-07-20.
• Padilla-López, José Ramón; Chaaraoui, Alexandros Andre; Flórez-Revuelta, Francisco (June 2015)."Visual privacy protection methods: A survey"(PDF).Expert Systems with Applications.42 (9):4177–4195.doi:10.1016/j.eswa.2015.01.041.hdl:10045/44523.S2CID 6794899.
• Chaaraoui, Alexandros; Padilla-López, José; Ferrández-Pastor, Francisco; Nieto-Hidalgo, Mario; Flórez-Revuelta, Francisco (20 May 2014)."A Vision-Based System for Intelligent Monitoring: Human Behaviour Analysis and Privacy by Context".Sensors.14 (5):8895–8925.Bibcode:2014Senso..14.8895C.doi:10.3390/s140508895.PMC 4063058.PMID 24854209.

• Information privacy
• Data protection
• Research ethics
• Electronic health records

• CS1: unfit URL
• Articles with short description
• Short description is different from Wikidata