The National Institute of Standards and Technology (NIST) recently released its final report on De-Identification of Personal Information. The Report examines the issues surrounding the de-identification of personal information and discusses some of the most notable studies about the effectiveness of common de-identification methods. The report also outlines the risks associated with sharing de-identified information; namely, the possibility that the information could be re-identified by an unauthorized “attacker” so as to reveal the original subject of the data. NIST also highlights the ability of an organization to enter into data use agreements with the recipient of the de-identified information so the organization can specify what can and cannot be done with the de-identified information (i.e., that it cannot be re-identified).
TIP: The NIST report provides guidance on tested de-identification methods that may be helpful to businesses seeking to anonymize personal information. This might include businesses considering sharing anonymous information for marketing purposes.