1、DD ISO/TS25237:2008ICS 35.240.80NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWDRAFT FOR DEVELOPMENTHealth informatics PseudonymizationThis Draft for Developmentwas published under theauthority of the StandardsPolicy and StrategyCommittee on 31 January2009 BSI 200ISBN 978 0 58
2、0 64750 5Amendments/corrigenda issued since publicationDate CommentsDD ISO/TS 25237:2008National forewordThis Draft for Development is the UK implementation of ISO/TS25237:2008.This publication is not to be regarded as a British Standard.It is being issued in the Draft for Development series of publ
3、ications andis of a provisional nature. It should be applied on this provisional basis,so that information and experience of its practical application can beobtained.Comments arising from the use of this Draft for Development arerequested so that UK experience can be reported to the internationalorg
4、anization responsible for its conversion to an international standard.A review of this publication will be initiated not later than 3 years afterits publication by the international organization so that a decision can betaken on its status. Notification of the start of the review period will bemade
5、in an announcement in the appropriate issue of Update Standards.According to the replies received by the end of the review period,the responsible BSI Committee will decide whether to support theconversion into an international Standard, to extend the life of theTechnical Specification or to withdraw
6、 it. Comments should be sent tothe Secretary of the responsible BSI Technical Committee at BritishStandards House, 389 Chiswick High Road, London W4 4AL.The UK participation in its preparation was entrusted to TechnicalCommittee IST/35, Health informatics.A list of organizations represented on this
7、committee can be obtained onrequest to its secretary.This publication does not purport to include all the necessary provisionsof a contract. Users are responsible for its correct application.Compliance with a British Standard cannot confer immunityfrom legal obligations.9DD ISO/TS 25237:2008Referenc
8、e numberISO/TS 25237:2008(E)ISO 2008TECHNICAL SPECIFICATION ISO/TS25237First edition2008-12-01Health informatics Pseudonymization Informatique de sant Pseudonymisation DD ISO/TS 25237:2008ISO/TS 25237:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes lice
9、nsing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The IS
10、O Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimised for printing. Every care has be
11、en taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2008 All rights reserved. Unless otherwise specified, no part of
12、 this publication may be reproduced or utilised in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH
13、-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2008 All rights reservedDD ISO/TS 25237:2008ISO/TS 25237:2008(E) ISO 2008 All rights reserved iiiContents Page Foreword iv Introduction v 1 Scope . 1 2 Normative refer
14、ences . 1 3 Terms and definitions. 1 4 Symbols (and abbreviated terms) . 6 5 Requirements for privacy protection of identities in healthcare . 6 5.1 A conceptual model for pseudonymization of personal data 6 5.2 Categories of data subject. 13 5.3 Classification of data 14 5.4 Trusted services . 16 5
15、.5 Need for re-identification of pseudonymized data 16 5.6 Pseudonymization service characteristics 17 6 Pseudonymization process (methods and implementation) 18 6.1 Design criteria . 18 6.2 Entities in the model. 18 6.3 Workflow in the model 20 6.4 Preparation of data . 21 6.5 Processing steps in t
16、he workflow. 22 6.6 Protecting privacy protection through pseudonymization 23 7 Re-identification process (methods and implementation) . 27 8 Specification of interoperability of interfaces (methods and implementation) 28 9 Policy framework for operation of pseudonymization services (methods and imp
17、lementation) 29 9.1 General. 29 9.2 Privacy policy 29 9.3 Trustworthy practices for operations. 30 9.4 Implementation of trustworthy practices for re-identification . 31 Annex A (informative) Healthcare pseudonymization scenarios 33 Annex B (informative) Requirements for privacy risk assessment desi
18、gn 46 Bibliography . 56 DD ISO/TS 25237:2008ISO/TS 25237:2008(E) iv ISO 2008 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carr
19、ied out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
20、ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare Internat
21、ional Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. In other circumstances, particularly when there is an ur
22、gent market requirement for such documents, a technical committee may decide to publish other types of document: an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in an ISO working group and is accepted for publication if it is approved by more than
23、50 % of the members of the parent committee casting a vote; an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting a vote. An ISO/PAS or ISO/TS is re
24、viewed after three years in order to decide whether it will be confirmed for a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an
25、International Standard or be withdrawn. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/TS 25237 was prepared by Technical Committee ISO/TC 215,
26、Healthcare informatics. DD ISO/TS 25237:2008ISO/TS 25237:2008(E) ISO 2008 All rights reserved vIntroduction Pseudonymization is recognised as an important method for privacy protection of personal health information. Such services may be used nationally as well as for trans-border communication. App
27、lication areas include but are not limited to: secondary use of clinical data (e.g. research); clinical trials and post-marketing surveillance; pseudonymous care; patient identification systems; public health monitoring and assessment; confidential patient-safety reporting (e.g. adverse drug effects
28、); comparative quality indicator reporting; peer review; consumer groups; equipment maintenance. This Technical Specification provides a conceptual model of the problem areas, requirements for trustworthy practices, and specifications to support the planning and implementation of pseudonymization se
29、rvices. The specification of a general workflow together with a policy for trustworthy operations serve both as a general guide for implementers but also for quality assurance purposes, assisting users of the pseudonymization services to determine their trust in the services provided. This Technical
30、 Specification also defines the interfaces to pseudonymization services to ensure interoperability between pseudonymization service systems, identity management systems, information providers and recipients of pseudonyms. DD ISO/TS 25237:2008DD ISO/TS 25237:2008TECHNICAL SPECIFICATION ISO/TS 25237:2
31、008(E) ISO 2008 All rights reserved 1Health informatics Pseudonymization 1 Scope This Technical Specification contains principles and requirements for privacy protection using pseudonymization services for the protection of personal health information. This technical specification is applicable to o
32、rganizations who make a claim of trustworthiness for operations engaged in pseudonymization services. This Technical Specification: defines one basic concept for pseudonymization; gives an overview of different use cases for pseudonymization that can be both reversible and irreversible; defines one
33、basic methodology for pseudonymization services including organizational as well as technical aspects; gives a guide to risk assessment for re-identification; specifies a policy framework and minimal requirements for trustworthy practices for the operations of a pseudonymization service; specifies a
34、 policy framework and minimal requirements for controlled re-identification; specifies interfaces for the interoperability of services interfaces. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition
35、cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 27799, Health informatics Information security management in health using ISO/IEC 27002 3 Terms and definitions For the purposes of this document, the following terms and defi
36、nitions apply. 3.1 access control means of ensuring that the resources of a data processing system can be accessed only by authorized entities in authorized ways ISO/IEC 2382-8:1998, definition 08.04.01 DD ISO/TS 25237:2008ISO/TS 25237:2008(E) 2 ISO 2008 All rights reserved3.2 anonymization process
37、that removes the association between the identifying data set and the data subject 3.3 anonymized data data from which the patient cannot be identified by the recipient of the information General Medical Council Confidentiality Guidance 3.4 anonymous identifier identifier of a person which does not
38、allow the unambiguous identification of the natural person 3.5 authentication assurance of the claimed identity 3.6 ciphertext data produced through the use of encryption, the semantic content of which is not available without the use of cryptographic techniques ISO/IEC 2382-8:1998, definition 08-03
39、-8 3.7 confidentiality property that information is not made available or disclosed to unauthorized individuals, entities or processes ISO 7498-2:1989, definition 3.3.16 3.8 content-encryption key cryptographic key used to encrypt the content of a communication 3.9 controller natural or legal person
40、, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data 3.10 cryptography discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, prev
41、ent its undetected modification and/or prevent its unauthorized use ISO 7498-2:1989, definition 3.3.20 3.11 cryptographic algorithm cipher method for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use 3.12 key
42、management cryptographic key management generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy (3.43) ISO 7498-2:1989, definition 3.3.33 DD ISO/TS 25237:2008ISO/TS 25237:2008(E) ISO 2008 All rights reserved 33.13 data integrity property th
43、at data have not been altered or destroyed in an unauthorized manner ISO 7498-2:1989, definition 3.3.21 3.14 data linking matching and combining data from multiple databases 3.15 data protection technical and social regimen for negotiating, managing and ensuring informational privacy, confidentialit
44、y and security 3.16 data-subjects persons to whom data refer 3.17 decipherment decryption process of obtaining, from a ciphertext, the original corresponding data ISO/IEC 2382-8:1998, definition 08-03-04 NOTE A ciphertext can be enciphered a second time, in which case a single decipherment does not
45、produce the original plaintext. 3.18 de-identification general term for any process of removing the association between a set of identifying data and the data subject 3.19 direct identifying data data that directly identifies a single individual NOTE Direct identifiers are those data that can be use
46、d to identify a person without additional information or with cross-linking through other information that is in the public domain. 3.20 disclosure divulging of, or provision of access to, data NOTE Whether the recipient actually looks at the data, takes them into knowledge, or retains them, is irre
47、levant to whether disclosure has occurred. 3.21 encipherment encryption cryptographic transformation of data to produce ciphertext (3.6) ISO 7498-2:1989, definition 3.3.27 NOTE See cryptography (3.10). DD ISO/TS 25237:2008ISO/TS 25237:2008(E) 4 ISO 2008 All rights reserved3.22 subject of care identi
48、fier healthcare identifier identifier of a person for exclusive use by a healthcare system 3.23 identifiable person one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, eco
49、nomic, cultural or social identity Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 3.24 identification process of using claimed or observed attributes of an entity to single out the entity among other entities in a set of identities NOTE The identification of an entity within a certain context enables another entity to distinguish be
