Information security, cybersecurity and privacy protection – Privacy enhancing data de-identification framework

This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that are PII controllers or PII processors acting on a controller’s behalf, implementing data de-identification processes for privacy enhancing purposes.

Sécurité de l’information, cybersécurité et protection de la vie privée — Cadre pour la dé-identification de données pour la protection de la vie privée

General Information

Status
Published
Publication Date
15-Nov-2022
Current Stage
6060 - International Standard published
Start Date
16-Nov-2022
Due Date
15-Jun-2024
Completion Date
16-Nov-2022
Ref Project

Buy Standard

Standard: ISO/IEC 27559:2022 - Information security, cybersecurity and privacy protection – Privacy enhancing data de-identification framework. Released: 16.11.2022
English language, 22 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 27559
First edition 2022-11
Information security, cybersecurity and privacy protection – Privacy enhancing data de-identification framework
Sécurité de l’information, cybersécurité et protection de la vie privée — Cadre pour la dé-identification de données pour la protection de la vie privée
Reference number
ISO/IEC 27559:2022(E)
© ISO/IEC 2022

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
  © ISO/IEC 2022 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Overview
6 Context assessment
6.1 General
6.2 Threat modelling
6.2.1 General
6.2.2 Security and privacy practices
6.2.3 Motives and capacity to re-identify
6.3 Transparency and impact assessment
6.3.1 General
6.3.2 Transparency of actions and stakeholder engagement
6.3.3 Privacy-related harms
7 Data assessment
7.1 General
7.2 Data features
7.2.1 General
7.2.2 Data principals
7.2.3 Data type
7.2.4 Attribute types
7.2.5 Dataset properties
7.3 Attack modelling
7.3.1 General
7.3.2 Maximum or average risk
7.3.3 Population or sample-based attack
7.3.4 Data privacy models
8 Identifiability assessment and mitigation
8.1 General
8.2 Assessing identifiability
8.2.1 General
8.2.2 Quantifying identifiability
8.2.3 Adversarial testing
8.3 Mitigation
8.3.1 General
8.3.2 Reconfiguring the environment
8.3.3 Transforming the data
8.3.4 Re-evaluation
9 De-identification governance
9.1 General
9.2 Before data are made available
9.2.1 General
9.2.2 Assigning roles and responsibilities
9.2.3 Establishing principles, policies and procedures
9.2.4 Identifying and managing a data disclosure
9.2.5 Communicating with stakeholders
9.3 After data are made available
9.3.1 General
9.3.2 Monitoring the data environment
9.4 Mitigation in case of incident
Annex A (informative) Example identifiers
Annex B (informative) Example threshold identifiability benchmarks
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
De-identification is one potential means for facilitating the use of personally identifiable information
(PII) in a way that does not identify or otherwise compromise the privacy of an individual or a group
of individuals. The appropriate use of de-identification techniques can support compliance with
regulatory requirements and relevant privacy principles. However, the term “data principal” used in
this document is broader than “PII principal” and, for example, includes organizations and computers.
In almost all cases de-identification requires, at the very least, an evaluation of the additional information
available to an individual or group that can inappropriately reveal or uncover PII (which is referred to
as an adversary, whether a data principal is identified intentionally or not), and how they can combine
it to reveal or uncover PII. In short, de-identification requires an assessment of the environment and the
circumstances in which the data are made available to data recipients. This considers what additional
information is available to an adversary and the possibility of attacks and motivation to re-identify. De-
identification also requires an assessment of the data. This determines how the additional information
available to an adversary can be used to reveal or uncover PII and the possibility of re-identification, or
identity disclosure, by itself or attacks of inference.
This document provides organizations with an implementation framework to govern the appropriate
use of data de-identification techniques described in ISO/IEC 20889. This de-identification framework
can be applied at any point in the data lifecycle: from designing the means of data collection, the internal
reuse of that data, making data available to external partners, or archival. The data recipients can
therefore be internal or external to the data custodian that is implementing procedures and practices
in accordance with this de-identification framework. As shown in Figure 1 a), use and reuse implies
the custodian maintains oversight over the de-identified data while making it available to an internal
department or functional group. Figure 1 b) shows external sharing, which implies the custodian
maintains oversight over the de-identified data while making it available to an external data recipient
(e.g. through a virtual access portal, or a physical data centre). Figure 1 c) shows external release, which
implies the custodian transfers oversight over the de-identified data to an external data recipient. In
each of these cases, the process of de-identification itself can be transferred to a third party, separate
from the custodian or recipient. Written agreements with the recipient determine how data made
available after de-identification can be used, in accordance with applicable laws.
Figure 1 — Data availability: a) Use and reuse; b) External sharing; c) External release
INTERNATIONAL STANDARD ISO/IEC 27559:2022(E)
Information security, cybersecurity and privacy protection – Privacy enhancing data de-identification framework
1 Scope
This document provides a framework for identifying and mitigating re-identification risks and risks
associated with the lifecycle of de-identified data.
This document is applicable to all types and sizes of organizations, including public and private
companies, government entities, and not-for-profit organizations, that are PII controllers or PII
processors acting on a controller’s behalf, implementing data de-identification processes for privacy
enhancing purposes.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 29100, Information technology — Security techniques — Privacy framework
ISO/IEC 20889, Privacy enhancing data de-identification terminology and classification of techniques
ISO 31000, Risk Management — Guidelines
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 29100,
ISO/IEC 20889, ISO 31000 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
custodian
person or entity that has custody, control or possession of electronically stored information
[SOURCE: ISO/IEC 27050-1:2019, 3.2]
3.2
data recipient
person or organization by, with or to whom data is accessed, shared or released
3.3
adversary
individual or unit that can, whether intentionally or not, exploit potential vulnerabilities
Note 1 to entry: Adversary, attacker, intruder, snooper, and other similar terms are often used interchangeably
in the de-identification literature.
3.4
threat modelling
systematic exploration technique to expose any circumstance or event having the potential to cause
harm to a system in the form of destruction, disclosure (3.8), modification of data, or denial of service
[SOURCE: ISO/IEC/IEEE 24765:2017, 3.4290, modified — Note 1 to entry has been deleted.]
3.5
privacy impact assessment
PIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the
treatment of potential privacy impacts with regard to the processing of personally identifiable
information, framed within an organization’s broader risk management framework
[SOURCE: ISO/IEC 29134:2017, 3.7, modified — Note 1 to entry has been deleted.]
3.6
defined population
set of elements that a dataset is drawn from that contributes to the adversary’s (3.3) ability to identify a
data principal
3.7
sample
dataset that is only a proportion of the defined population (3.6), such that an adversary (3.3) cannot be
certain that any particular entity was in it
3.8
disclosure
revealing confidential or personally identifiable information from a dataset based on a vulnerability
that is found or exploited
3.9
shared data
dataset in which a fixed set of entities have been granted access to the data by the custodian
3.10
released data
dataset in which the custodian no longer directly controls who has access to the data
3.11
data privacy model
approach to the application of data de-identification techniques that enables the calculation of
identifiability
[SOURCE: ISO/IEC 20889:2018, 3.3, modified — The words “formal” and “measurement” have been deleted from the term and “data” added, and “re-identification risk” has been replaced by “identifiability” in the definition.]
3.12
written agreement
data sharing agreement, memorandum of understanding, data access request, contract and any other
formally documented agreement
3.13
data transformation
modification of the data
3.14
de-identification governance
system of directing and controlling the de-identification process
[SOURCE: ISO/IEC 38500:2015, 2.8, modified — “the de-identification process” has been added to the
definition.]
4 Symbols and abbreviated terms
PIA privacy impact assessment
PII personally identifiable information
P probability function
5 Overview
The goal of this document is to provide a principles-based framework to approach de-identification,
which considers procedures, risks, and harms. A principles-based approach to de-identification is
intended to be neutral on the specifics of implementation and technologies. The framework is presented
in four main parts:
— Context (Clause 6): An assessment of the environment and circumstances in which the data are
made available to data recipients, to determine what external information can be available to an
adversary. This implies that risk can be managed through contextual controls as well (meaning
the IT security controls, obligations described in written agreements, and policy and governance
measures).
— Data (Clause 7): An assessment of the data, to determine how the additional information available
to an adversary can be used to reveal or uncover PII. Risk can be managed by limiting what data are
made available, and in what form that data will be made available (by transforming the data).
— Identifiability (Clause 8): The method of assessing identifiability is a function of context risk (the
probability of an attack) and data risk (the probability of disclosure given that there is an attack). An
appropriate tolerance shall be defined to ensure the identifiability is below a pre-defined tolerance
level.
— Governance (Clause 9): Documented procedures and practices for the custodian to ensure the above
are done consistently and effectively, now and in the future, and the preparations that are required
before, during, and after de-identified data are made available.
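The Identifiability item above composes context risk, P(attack), with data risk, P(disclosure | attack), and compares the result with a tolerance. The Python script below is an added illustration written for this page; it is not part of ISO/IEC 27559 or of any ISO deliverable. Everything in it is an assumption made for the example: the ten-record dataset, the context-risk value assigned to each of the three Figure 1 scenarios, the tolerance of 0.1, and the use of 1/k (k being the number of records sharing the same quasi-identifier values) as the per-record data risk, reported either as the maximum or the average over records. The `generalize` function stands in for a data transformation so that the re-evaluation loop can be seen end to end.

```python
from collections import Counter

# Constructed sample dataset: one row per data principal, quasi-identifiers only.
# The values are invented for this example and describe no real dataset.
RECORDS = [
    {"age": 34, "postal_code": "1214", "sex": "F"},
    {"age": 34, "postal_code": "1214", "sex": "F"},
    {"age": 34, "postal_code": "1214", "sex": "M"},
    {"age": 52, "postal_code": "1214", "sex": "M"},
    {"age": 52, "postal_code": "1214", "sex": "M"},
    {"age": 52, "postal_code": "1214", "sex": "M"},
    {"age": 29, "postal_code": "8001", "sex": "F"},
    {"age": 29, "postal_code": "8001", "sex": "F"},
    {"age": 61, "postal_code": "8001", "sex": "M"},
    {"age": 65, "postal_code": "8001", "sex": "F"},
]

# Assumed context risk, i.e. P(attack), for the three scenarios of Figure 1.
# These are illustrative placeholders chosen for this example; a real assessment
# derives them from the context assessment of Clause 6.
CONTEXT_RISK = {
    "use_and_reuse": 0.05,
    "external_sharing": 0.15,
    "external_release": 1.0,
}


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def data_risk(records, quasi_identifiers, mode="max"):
    """P(disclosure | attack) for the dataset.

    Assumption for this example: an adversary who attacks and matches a record's
    quasi-identifiers picks uniformly among the k records in its equivalence
    class, so that record's disclosure probability is 1/k. "max" reports the
    worst record, "average" the mean over all records.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    per_record = [1.0 / classes[tuple(r[q] for q in quasi_identifiers)] for r in records]
    if mode == "max":
        return max(per_record)
    if mode == "average":
        return sum(per_record) / len(per_record)
    raise ValueError(f"unknown mode: {mode}")


def identifiability(context_risk, data_risk_value):
    """P(disclosure) = P(attack) * P(disclosure | attack)."""
    return context_risk * data_risk_value


def assess(records, quasi_identifiers, scenario, tolerance, mode="max"):
    """Identifiability for one scenario and whether it is strictly below tolerance."""
    d = data_risk(records, quasi_identifiers, mode)
    ident = identifiability(CONTEXT_RISK[scenario], d)
    return {
        "scenario": scenario,
        "data_risk": d,
        "identifiability": ident,
        "within_tolerance": ident < tolerance,
    }


def generalize(records):
    """Stand-in data transformation: 20-year age bands, sex suppressed."""
    out = []
    for r in records:
        low = (r["age"] // 20) * 20
        out.append({"age": f"{low}-{low + 19}", "postal_code": r["postal_code"]})
    return out


if __name__ == "__main__":
    TOLERANCE = 0.1  # constructed tolerance, not a benchmark from the standard
    qids = ("age", "postal_code", "sex")
    print("Before transformation (max risk):")
    for scenario in CONTEXT_RISK:
        print(" ", assess(RECORDS, qids, scenario, TOLERANCE))
    transformed = generalize(RECORDS)
    print("After transformation (max risk):")
    for scenario in CONTEXT_RISK:
        print(" ", assess(transformed, ("age", "postal_code"), scenario, TOLERANCE))
```

Run as written, the untransformed data contain unique records, so the maximum data risk is 1.0 and only the internal use-and-reuse scenario stays below the tolerance; after the transformation every equivalence class has at least two records, the maximum data risk drops to 0.5, and external sharing also passes while external release still does not. That mirrors the two mitigation routes the framework offers: reconfigure the environment (lower context risk) or transform the data (lower data risk), then re-evaluate.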
It can be necessary to repeat the process if the resulting de-identified data does not meet acceptance
criteria (by the custodian or intended data recipient), in an effort to find solutions that are acceptable
to both parties. For example, the privacy and security practices for the data environment can be
improved in an effort to reduce threats and improve the utility of data that are made available to the
data recipients based on their operational context. The entire approach can be thought of in a somewhat
linear fashion, with de-identification governance by the custodian embodying the overall processes
of context assessment, data assessment, identifiability assessment and mitigation, and acceptance
criteria, as shown in Figure 2. It is, however, possible to reorder elements based on implementation
needs (e.g. improving efficiency and scalability for specific data flows). ISO 31000 contains guidelines
on managing risk faced by organizations.
Figure 2 — De-identification framework in practice
6 Context assessment
6.1 General
The custodian shall evaluate the context in which data are being made available to a data recipient
(either by providing shared access or by giving a copy of the dataset), to help properly scope the de-
identification process.
NOTE Legal requirements can apply.
Determining this context involves a detailed assessment of the environment in which the data are
accessed, shared or released, where the data come from and their intended use, and the circumstances
under which the data are made available to a data recipient (such as levels of transparency). These
elements shall be factored, in one form or another, into the method of assessing risk. For example,
detailed checklists can be used to categorize risk in the data environment, and be factored into a
standard risk matrix used to compare the possibility of an attack against the impact of identifying a
data principal in a given context. It should be noted, however, that disclosures only occur if the attack is
successful.
6.2 Threat modelling
6.2.1 General
The custodian doing the sharing or releasing, or a third party doing an assessment, shall use an objective
and structured process to evaluate the environment in which the data will be accessed, shared or
released. This environment includes persons and their motives (organizational and individual), other
data they have access to, and their infrastructure and governance structures (including IT security
controls such as those described in ISO/IEC 27002 and ISO/IEC 27701, access policies, etc.). An IT audit
or assessment, even self-administered, can capture a great deal of information regarding the release
environment, to help frame potential risks (in particular, potential threats).
A structured approach, often known as threat modelling, shall be used to assess the risk of an attack
that would reveal or uncover PII. This includes examining what other external data sources can be
available and sketching out the who, why and how of a potential disclosure. Potential threats can be:
— Deliberate: A targeted attempt, by an insider of the group or organization that is the data recipient, to reveal or uncover PII in the data made available to them.
— Accidental: A disclosure can also be unintentional, for example a data principal being recognized
while a data recipient is working with the shared or released data.
— Environmental: The data can also be lost or stolen in the case where all the controls put in place
have failed to prevent a data disclosure.
6.2.2 Security and privacy practices
The security and privacy practices of the data recipient will have an impact on the likelihood of a rogue
employee at the data recipient’s site being able to re-identify the shared data. A rogue employee can
choose not to abide by a contract in the absence of strong mitigating controls. The security and privacy
practices can also determine the likelihood of an outsider gaining access to the shared data, either
directly or by compromising an insider’s credentials.
An evaluation of mitigating controls shall be detailed and evidence based.
NOTE Professional, international, and government regulations, standards, and policies can apply, including
ISO/IEC 27002 and ISO/IEC 27701, where appropriate.
Using a standardized approach also ensures consistency, not only for a single organization that is
sharing data, but across organizations.
In order to avoid inappropriate or excessive burdens on the data provider or recipient, the evaluation
can take into account third party audits and relevant certifications, as well as re-using prior analyses.
6.2.3 Motives and capacity to re-identify
A recipient's motives to reveal or uncover PII can be controlled in part by training, awareness, and
obligations described in written agreements, including processes and terms described in ISO/IEC 23751,
provided they are enforceable (through legal mechanisms and by refusing to share or release additional
data). Obligations in written agreements can include:
— delivery of training on disclosure risks to individuals with access to de-identified data;
— regular reminders of their obligations to uphold data privacy and security policies;
— prohibiting attempts to identify data principals in the data made available to data recipients,
or linking data that would extend the profiles of data principals (thereby increasing the risk of
disclosing PII) without express permission;
— allowing for spot checks or full audits (possibly by a third party) that ensure compliance with the
stated terms of
...
