1、BS EN ISO 25237:2017Health informatics Pseudonymization (ISO25237:2017)BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO 25237:2017 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of EN ISO 25237:2017. The UK participation in i
2、ts preparation was entrusted to TechnicalCommittee IST/35, Health informatics.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correct
3、application. The British Standards Institution 2017. Published by BSI Standards Limited 2017ISBN 978 0 580 83466 0ICS 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy C
4、ommittee on 31 January 2017.Amendments/Corrigenda issued since publicationDate Text affectedEUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 25237 January 2017 ICS 35.240.80 English Version Health informatics - Pseudonymization (ISO 25237:2017) Informatique de sant - Pseudonymisation (ISO 25
5、237:2017) Medizinische Informatik - Pseudonymisierung (ISO 25237:2017) This European Standard was approved by CEN on 14 December 2016. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national s
6、tandard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A version i
7、n any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
8、Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingd
9、om. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 2523
10、7:2017 EBS EN ISO 25237:2017EN ISO 25237:2017 (E) Type de document : Norme europenne Sous-type de document : Stade du document : Publication / Adoption Langue du document : E Y:STD_MGTSTDDELPRODUCTIONStandards0025131664_e_stf.doc STD Version 2.5a European foreword This document (EN ISO 25237:2017) h
11、as been prepared by Technical Committee ISO/TC 215 “Health informatics” in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of which is held by NEN. This European Standard shall be given the status of a national standard, either by publication of an identical te
12、xt or by endorsement, at the latest by July 2017, and conflicting national standards shall be withdrawn at the latest by July 2017. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible f
13、or identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Form
14、er Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of IS
15、O 25237:2017 has been approved by CEN as EN ISO 25237:2017 without any modification. BS EN ISO 25237:2017ISO 25237:2017(E)Foreword vIntroduction vi1 Scope . 12 Normative references 13 Terms and definitions . 14 Abbreviated terms 65 Requirements for privacy protection of identities in healthcare 75.1
16、 Objectives of privacy protection 75.2 General . 75.3 De-identification as a process to reduce risk 85.3.1 General 85.3.2 Pseudonymization 85.3.3 Anonymization 95.3.4 Direct and indirect identifiers 95.4 Privacy protection of entities . 95.4.1 Personal data versus de-identified data 95.4.2 Concept o
17、f pseudonymization . 115.5 Real world pseudonymization 135.5.1 Rationale 135.5.2 Levels of assurance of privacy protection .145.6 Categories of data subject . 165.6.1 General. 165.6.2 Subject of care .165.6.3 Health professionals and organizations .165.6.4 Device data .165.7 Classification data . 17
18、5.7.1 Payload data 175.7.2 Observational data 175.7.3 Pseudonymized data .175.7.4 Anonymized data 175.8 Research data 175.8.1 General. 175.8.2 Generation of research data 185.8.3 Secondary use of personal health information .185.9 Identifying data . 185.9.1 General. 185.9.2 Healthcare identifiers .1
19、85.10 Data of victims of violence and publicly known persons 195.10.1 General. 195.10.2 Genetic information .195.10.3 Trusted service .195.10.4 Need for re-identification of pseudonymized data .195.10.5 Pseudonymization service characteristics .206 Protecting privacy through pseudonymization .206.1
20、Conceptual model of the problem areas 206.2 Direct and indirect identifiability of personal information .216.2.1 General. 216.2.2 Person identifying variables . 216.2.3 Aggregation variables .216.2.4 Outlier variables 226.2.5 Structured data variables 226.2.6 Non-structured data variables 23 ISO 201
21、7 All rights reserved iiiContents PageBS EN ISO 25237:2017ISO 25237:2017(E)6.2.7 Inference risk assessment 236.2.8 Privacy and security .247 Re-identification process 247.1 General 247.2 Part of normal procedures . 247.3 Exception. 247.4 Technical feasibility . 25Annex A (informative) Healthcare pse
22、udonymization scenarios 26Annex B (informative) Requirements for privacy risk analysis 39Annex C (informative) Pseudonymization process (methods and implementation) .49Annex D (informative) Specification of methods and implementation .55Annex E (informative) Policy framework for operation of pseudon
23、ymization services (methods and implementation) 56Annex F (informative) Genetic information .60Bibliography .61iv ISO 2017 All rights reservedBS EN ISO 25237:2017ISO 25237:2017(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (
24、ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, go
25、vernmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those intended for its further maint
26、enance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).At
27、tention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduct
28、ion and/or on the ISO list of patent declarations received (see www .iso .org/ patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to con
29、formity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/ iso/ foreword .html.The committee responsible for this document is ISO/TC 215, Health informatics. ISO 2017
30、All rights reserved vBS EN ISO 25237:2017ISO 25237:2017(E)IntroductionPseudonymization is recognized as an important method for privacy protection of personal health information. Such services may be used nationally, as well as for trans-border communication.Application areas include, but are not li
31、mited to: indirect use of clinical data (e.g. research); clinical trials and post-marketing surveillance; pseudonymous care; patient identification systems; public health monitoring and assessment; confidential patient-safety reporting (e.g. adverse drug effects); comparative quality indicator repor
32、ting; peer review; consumer groups; field service.This document provides a conceptual model of the problem areas, requirements for trustworthy practices, and specifications to support the planning and implementation of pseudonymization services.The specification of a general workflow, together with
33、a policy for trustworthy operations, serve both as a general guide for implementers but also for quality assurance purposes, assisting users of the pseudonymization services to determine their trust in the services provided. This guide will serve to educate organizations so they can perform pseudony
34、mization services themselves with sufficient proficiency to achieve the desired degree of quality and risk reduction.vi ISO 2017 All rights reservedBS EN ISO 25237:2017Health informatics Pseudonymization1 ScopeThis document contains principles and requirements for privacy protection using pseudonymi
35、zation services for the protection of personal health information. This document is applicable to organizations who wish to undertake pseudonymization processes for themselves or to organizations who make a claim of trustworthiness for operations engaged in pseudonymization services.This document de
36、fines one basic concept for pseudonymization (see Clause 5), defines one basic methodology for pseudonymization services including organizational, as well as technical aspects (see Clause 6), specifies a policy framework and minimal requirements for controlled re-identification (see Clause 7), gives
37、 an overview of different use cases for pseudonymization that can be both reversible and irreversible (see Annex A), gives a guide to risk assessment for re-identification (see Annex B), provides an example of a system that uses de-identification (see Annex C), provides informative requirements to a
38、n interoperability to pseudonymization services (see Annex D), and specifies a policy framework and minimal requirements for trustworthy practices for the operations of a pseudonymization service (see Annex E).2 Normative referencesThe following documents are referred to in the text in such a way th
39、at some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO 27799, Health informatics Information security management in h
40、ealth using ISO/IEC 270023 Terms and definitionsFor the purposes of this document, the following terms and definitions apply.ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at h t t p :/ www .electropedia .org/ ISO Onli
41、ne browsing platform: available at h t t p :/ www .iso .org/ obp3.1access controlmeans of ensuring that the resources of a data processing system can be accessed only by authorized entities in authorized waysSOURCE: ISO/IEC 2382:2015, 2126294INTERNATIONAL STANDARD ISO 25237:2017(E) ISO 2017 All righ
42、ts reserved 1BS EN ISO 25237:2017ISO 25237:2017(E)3.2anonymizationprocess by which personal data (3.37) is irreversibly altered in such a way that a data subject can no longer be identified directly or indirectly, either by the data controller alone or in collaboration with any other partyNote 1 to
43、entry: The concept is absolute, and in practice, it may be difficult to obtain.SOURCE: ISO/IEC 29100:2011, 2.2, modified.3.3anonymized datadata (3.14) that has been produced as the output of an anonymization (3.2) processSOURCE: ISO/IEC 29100:2011, 2.3, modified.3.4anonymous identifieridentifier (3.
44、27) of a person which does not allow the identification (3.26) of the natural person (3.34)3.5authenticationassurance of the claimed identity3.6attackerperson deliberately exploiting vulnerabilities in technical and non-technical security controls in order to steal or compromise information systems
45、and networks, or to compromise availability to legitimate users of information system and network resourcesSOURCE: ISO/IEC 27033-1:2015, 3.33.7ciphertextdata (3.14) produced through the use of encryption, the semantic content of which is not available without the use of cryptographic techniquesSOURC
46、E: ISO/IEC 2382:2015, 21262853.8confidentialityproperty that information (3.29) is not made available or disclosed to unauthorized individuals, entities or processesSOURCE: ISO 7498-2:1989, 3.3.163.9content-encryption keycryptographic key used to encrypt the content of a communication3.10controllern
47、atural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (3.40)3.11cryptographydiscipline which embodies principles, means and methods for the transformation of data (3.14) in order to
48、 hide its information content, prevent its undetected modification and/or prevent its unauthorized useSOURCE: ISO 7498-2:1989, 3.3.202 ISO 2017 All rights reservedBS EN ISO 25237:2017ISO 25237:2017(E)3.12cryptographic algorithmmethod for the transformation of data (3.14) in order to hide its informa
49、tion content, prevent its undetected modification and/or prevent its unauthorized use3.13cryptographic key managementkey managementgeneration, storage, distribution, deletion, archiving and application of keys (3.31) in accordance with a security policy (3.46)SOURCE: ISO 7498-2:1989, 3.3.333.14datareinterpretable representation of information (3.29) in a formalized manner suitable for communication, interpretation or processingNote 1 to entry: Data can be processed by humans or by automatic means.SOURC
