ISO TS 25237-2008 Health informatics - Pseudonymization《健康信息学 Pseudonymization》.pdf

1、 Reference numberISO/TS 25237:2008(E)ISO 2008TECHNICAL SPECIFICATION ISO/TS25237First edition2008-12-01Health informatics Pseudonymization Informatique de sant Pseudonymisation ISO/TS 25237:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing polic

2、y, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central S

3、ecretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimised for printing. Every care has been taken to

4、 ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2008 All rights reserved. Unless otherwise specified, no part of this publi

5、cation may be reproduced or utilised in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Genev

6、a 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2008 All rights reservedISO/TS 25237:2008(E) ISO 2008 All rights reserved iiiContents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references . 1 3 Terms and definitio

7、ns. 1 4 Symbols (and abbreviated terms) . 6 5 Requirements for privacy protection of identities in healthcare . 6 5.1 A conceptual model for pseudonymization of personal data 6 5.2 Categories of data subject. 13 5.3 Classification of data 14 5.4 Trusted services . 16 5.5 Need for re-identification o

8、f pseudonymized data 16 5.6 Pseudonymization service characteristics 17 6 Pseudonymization process (methods and implementation) 18 6.1 Design criteria . 18 6.2 Entities in the model. 18 6.3 Workflow in the model 20 6.4 Preparation of data . 21 6.5 Processing steps in the workflow. 22 6.6 Protecting

9、privacy protection through pseudonymization 23 7 Re-identification process (methods and implementation) . 27 8 Specification of interoperability of interfaces (methods and implementation) 28 9 Policy framework for operation of pseudonymization services (methods and implementation) 29 9.1 General. 29

10、 9.2 Privacy policy 29 9.3 Trustworthy practices for operations. 30 9.4 Implementation of trustworthy practices for re-identification . 31 Annex A (informative) Healthcare pseudonymization scenarios 33 Annex B (informative) Requirements for privacy risk assessment design 46 Bibliography . 56 ISO/TS

11、25237:2008(E) iv ISO 2008 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each memb

12、er body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Ele

13、ctrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adop

14、ted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. In other circumstances, particularly when there is an urgent market requirement for such documents, a techn

15、ical committee may decide to publish other types of document: an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in an ISO working group and is accepted for publication if it is approved by more than 50 % of the members of the parent committee casting

16、 a vote; an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting a vote. An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether

17、 it will be confirmed for a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an International Standard or be withdrawn. Attention i

18、s drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/TS 25237 was prepared by Technical Committee ISO/TC 215, Healthcare informatics. ISO/TS 25237:2008(E) ISO 20

19、08 All rights reserved vIntroduction Pseudonymization is recognised as an important method for privacy protection of personal health information. Such services may be used nationally as well as for trans-border communication. Application areas include but are not limited to: secondary use of clinica

20、l data (e.g. research); clinical trials and post-marketing surveillance; pseudonymous care; patient identification systems; public health monitoring and assessment; confidential patient-safety reporting (e.g. adverse drug effects); comparative quality indicator reporting; peer review; consumer group

21、s; equipment maintenance. This Technical Specification provides a conceptual model of the problem areas, requirements for trustworthy practices, and specifications to support the planning and implementation of pseudonymization services. The specification of a general workflow together with a policy

22、for trustworthy operations serve both as a general guide for implementers but also for quality assurance purposes, assisting users of the pseudonymization services to determine their trust in the services provided. This Technical Specification also defines the interfaces to pseudonymization services

23、 to ensure interoperability between pseudonymization service systems, identity management systems, information providers and recipients of pseudonyms. TECHNICAL SPECIFICATION ISO/TS 25237:2008(E) ISO 2008 All rights reserved 1Health informatics Pseudonymization 1 Scope This Technical Specification c

24、ontains principles and requirements for privacy protection using pseudonymization services for the protection of personal health information. This technical specification is applicable to organizations who make a claim of trustworthiness for operations engaged in pseudonymization services. This Tech

25、nical Specification: defines one basic concept for pseudonymization; gives an overview of different use cases for pseudonymization that can be both reversible and irreversible; defines one basic methodology for pseudonymization services including organizational as well as technical aspects; gives a

26、guide to risk assessment for re-identification; specifies a policy framework and minimal requirements for trustworthy practices for the operations of a pseudonymization service; specifies a policy framework and minimal requirements for controlled re-identification; specifies interfaces for the inter

27、operability of services interfaces. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments)

28、 applies. ISO 27799, Health informatics Information security management in health using ISO/IEC 27002 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 access control means of ensuring that the resources of a data processing system can be acces

29、sed only by authorized entities in authorized ways ISO/IEC 2382-8:1998, definition 08.04.01 ISO/TS 25237:2008(E) 2 ISO 2008 All rights reserved3.2 anonymization process that removes the association between the identifying data set and the data subject 3.3 anonymized data data from which the patient

30、cannot be identified by the recipient of the information General Medical Council Confidentiality Guidance 3.4 anonymous identifier identifier of a person which does not allow the unambiguous identification of the natural person 3.5 authentication assurance of the claimed identity 3.6 ciphertext data

31、 produced through the use of encryption, the semantic content of which is not available without the use of cryptographic techniques ISO/IEC 2382-8:1998, definition 08-03-8 3.7 confidentiality property that information is not made available or disclosed to unauthorized individuals, entities or proces

32、ses ISO 7498-2:1989, definition 3.3.16 3.8 content-encryption key cryptographic key used to encrypt the content of a communication 3.9 controller natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing

33、 of personal data 3.10 cryptography discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use ISO 7498-2:1989, definition 3.3.20 3.11 cryptographic algorithm

34、 cipher method for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use 3.12 key management cryptographic key management generation, storage, distribution, deletion, archiving and application of keys in accordanc

35、e with a security policy (3.43) ISO 7498-2:1989, definition 3.3.33 ISO/TS 25237:2008(E) ISO 2008 All rights reserved 33.13 data integrity property that data have not been altered or destroyed in an unauthorized manner ISO 7498-2:1989, definition 3.3.21 3.14 data linking matching and combining data f

36、rom multiple databases 3.15 data protection technical and social regimen for negotiating, managing and ensuring informational privacy, confidentiality and security 3.16 data-subjects persons to whom data refer 3.17 decipherment decryption process of obtaining, from a ciphertext, the original corresp

37、onding data ISO/IEC 2382-8:1998, definition 08-03-04 NOTE A ciphertext can be enciphered a second time, in which case a single decipherment does not produce the original plaintext. 3.18 de-identification general term for any process of removing the association between a set of identifying data and t

38、he data subject 3.19 direct identifying data data that directly identifies a single individual NOTE Direct identifiers are those data that can be used to identify a person without additional information or with cross-linking through other information that is in the public domain. 3.20 disclosure div

39、ulging of, or provision of access to, data NOTE Whether the recipient actually looks at the data, takes them into knowledge, or retains them, is irrelevant to whether disclosure has occurred. 3.21 encipherment encryption cryptographic transformation of data to produce ciphertext (3.6) ISO 7498-2:198

40、9, definition 3.3.27 NOTE See cryptography (3.10). ISO/TS 25237:2008(E) 4 ISO 2008 All rights reserved3.22 subject of care identifier healthcare identifier identifier of a person for exclusive use by a healthcare system 3.23 identifiable person one who can be identified, directly or indirectly, in p

41、articular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the

42、processing of personal data and on the free movement of such data 3.24 identification process of using claimed or observed attributes of an entity to single out the entity among other entities in a set of identities NOTE The identification of an entity within a certain context enables another entity

43、 to distinguish between the entities with which it interacts. 3.25 identifier information used to claim an identity, before a potential corroboration by a corresponding authenticator ENV 13608-1 3.26 indirectly identifying data data that can identify a single person only when used together with othe

44、r indirectly identifying data NOTE Indirect identifiers can reduce the population to which the person belongs, possibly down to one if used in combination. EXAMPLE Postcode, sex, age, date of birth. 3.27 information data set within a context of meaning 3.28 irreversibility situation when, for any pa

45、ssage from identifiable to pseudonymous, it is computationally unfeasible to trace back to the original identifier from the pseudonym 3.29 key sequence of symbols which controls the operations of encipherment (3.21) and decipherment (3.17) ISO 7498-2:1989, definition 3.3.32 3.30 linkage of informati

46、on objects process allowing a logical association to be established between different information objects 3.31 other names name(s) by which the patient has been known at some time HL7 ISO/TS 25237:2008(E) ISO 2008 All rights reserved 53.32 person identification process for establishing an associatio

47、n between an information object and a physical person 3.33 personal identifier information with the purpose of uniquely identifying a person within a given context 3.34 personal data any information relating to an identified or identifiable natural person (“data subject”) Directive 95/46/EC of the E

48、uropean Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 3.35 primary use of personal data use of personal data for delivering healthcare 3.36 privacy freedom from intrusion into the

49、 private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual ISO/IEC 2382-8:1998, definition 08-01-23 3.37 processing of personal data any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or