De-identification policy and risk distribution framework for securing personal information

Issue title: Special issue on Evidence-based Government: Secure, Transparent and Responsible Digital Governance

Guest editors: Soon Ae Chun, Nabil R. Adam and Beth Noveck

Article type: Research Article

Authors: Joo, Moon-Ho | Yoon, Sang-Pil | Kwon, Hun-Yeong^* | Lim, Jong-In

Affiliations: Graduate School of Information Security, Korea University, Seoul, Korea

Correspondence: [*] Corresponding author: Hun-Yeong Kwon, Graduate School of Information Security, Korea University, 145, Anam-ro, Seongbuk-gu, Seoul, Korea. E-mail: [email protected].

Abstract: In the age of big data, many countries are implementing and establishing de-identification policies quite actively. There are many efforts to institutionalize de-identification of personal information to protect privacy and utilize the use of personal information. But even with such efforts, de-identification policy always has a potential risk that de-identified information can be re-identified by being combined with other information. Therefore, it is necessary to consider the management mechanism that manages these risks as well as a mechanism for distributing the responsibilities and liabilities in the event of incidents involving the invasion of privacy. So far, most countries implementing the de-identification policies are focusing on defining what de-identification is and the exemption requirements to allow free use of de-identified personal information. On the other hand, there is a lack of discussion and consideration on how to distribute the responsibility of the risks and liabilities involved in the process of de-identification of personal information. The purpose of this study is to compare the de-identification policies of the European Union, the United States, Japan, and Korea, all of which are now actively pursuing de-identification policies. Additionally, this study proposes to take a look at the various de-identification policies worldwide and contemplate on these policies in the perspective of risk society and risk-liability theory. The constituencies of the de-identification policies are identified in order to analyze the roles and responsibilities of each of these constituencies thereby providing the theoretical basis on which to initiate the discussions on the distribution of burden and responsibilities arising from the de-identification policies.

Keywords: Big data, personal information, de-identification, re-identification, risk-liability theory, distribution of responsibility

DOI: 10.3233/IP-170057

Journal: Information Polity, vol. 23, no. 2, pp. 195-219, 2018