SIST EN ISO 25237:2017

SLOVENSKI STANDARD
SIST EN ISO 25237:2017
01-maj-2017
Zdravstvena informatika - Psevdonimizacija (ISO 25237:2017)
Health informatics - Pseudonymisation (ISO 25237:2017)
Medizinische Informatik - Pseudonymisierung (ISO 25237:2017)
Informatique de santé - Pseudonymization (ISO 25237:2017)
Ta slovenski standard je istoveten z: EN ISO 25237:2017
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
SIST EN ISO 25237:2017 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST EN ISO 25237:2017

---------------------- Page: 2 ----------------------

SIST EN ISO 25237:2017

EUROPEAN STANDARD
EN ISO 25237

NORME EUROPÉENNE

EUROPÄISCHE NORM
January 2017
ICS 35.240.80
English Version
Health informatics - Pseudonymization (ISO 25237:2017)
Informatique de santé - Pseudonymisation (ISO Medizinische Informatik - Pseudonymisierung (ISO
25237:2017) 25237:2017)
This European Standard was approved by CEN on 14 December 2016.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same
status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2017 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 25237:2017 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST EN ISO 25237:2017
EN ISO 25237:2017 (E)
Contents Page
European foreword . 3

2

---------------------- Page: 4 ----------------------

SIST EN ISO 25237:2017
EN ISO 25237:2017 (E)
European foreword
This document (EN ISO 25237:2017) has been prepared by Technical Committee ISO/TC 215 “Health
informatics” in collaboration with Technical Committee CEN/TC 251 “Health informatics” the
secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by July 2017, and conflicting national standards shall be
withdrawn at the latest by July 2017.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
Endorsement notice
The text of ISO 25237:2017 has been approved by CEN as EN ISO 25237:2017 without any modification.
Type de document :  Norme européenne
Sous-type de document :
Stade du document :  Publication / Adoption
Langue du document :  E

Y:\STD_MGT\STDDEL\PRODUCTION\Standards\00251\316\64_e_stf.doc STD Version 2.5a

---------------------- Page: 5 ----------------------

SIST EN ISO 25237:2017

---------------------- Page: 6 ----------------------

SIST EN ISO 25237:2017
INTERNATIONAL ISO
STANDARD 25237
First edition
2017-01
Health informatics —
Pseudonymization
Informatique de santé — Pseudonymisation
Reference number
ISO 25237:2017(E)
©
ISO 2017

---------------------- Page: 7 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved

---------------------- Page: 8 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 6
5 Requirements for privacy protection of identities in healthcare . 7
5.1 Objectives of privacy protection . 7
5.2 General . 7
5.3 De-identification as a process to reduce risk . 8
5.3.1 General. 8
5.3.2 Pseudonymization . 8
5.3.3 Anonymization . 9
5.3.4 Direct and indirect identifiers . 9
5.4 Privacy protection of entities . 9
5.4.1 Personal data versus de-identified data . 9
5.4.2 Concept of pseudonymization .11
5.5 Real world pseudonymization .13
5.5.1 Rationale .13
5.5.2 Levels of assurance of privacy protection .14
5.6 Categories of data subject .16
5.6.1 General.16
5.6.2 Subject of care .16
5.6.3 Health professionals and organizations .16
5.6.4 Device data .16
5.7 Classification data .17
5.7.1 Payload data .17
5.7.2 Observational data .17
5.7.3 Pseudonymized data .17
5.7.4 Anonymized data .17
5.8 Research data .17
5.8.1 General.17
5.8.2 Generation of research data .18
5.8.3 Secondary use of personal health information .18
5.9 Identifying data .18
5.9.1 General.18
5.9.2 Healthcare identifiers .18
5.10 Data of victims of violence and publicly known persons .19
5.10.1 General.19
5.10.2 Genetic information .19
5.10.3 Trusted service .19
5.10.4 Need for re-identification of pseudonymized data .19
5.10.5 Pseudonymization service characteristics .20
6 Protecting privacy through pseudonymization .20
6.1 Conceptual model of the problem areas .20
6.2 Direct and indirect identifiability of personal information .21
6.2.1 General.21
6.2.2 Person identifying variables .21
6.2.3 Aggregation variables .21
6.2.4 Outlier variables .22
6.2.5 Structured data variables .22
6.2.6 Non-structured data variables .23
© ISO 2017 – All rights reserved iii

---------------------- Page: 9 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

6.2.7 Inference risk assessment .23
6.2.8 Privacy and security .24
7 Re-identification process .24
7.1 General .24
7.2 Part of normal procedures .24
7.3 Exception.24
7.4 Technical feasibility .25
Annex A (informative) Healthcare pseudonymization scenarios .26
Annex B (informative) Requirements for privacy risk analysis .39
Annex C (informative) Pseudonymization process (methods and implementation) .49
Annex D (informative) Specification of methods and implementation .55
Annex E (informative) Policy framework for operation of pseudonymization services
(methods and implementation) .56
Annex F (informative) Genetic information .60
Bibliography .61
iv © ISO 2017 – All rights reserved

---------------------- Page: 10 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www . i so .org/ iso/ foreword .html.
The committee responsible for this document is ISO/TC 215, Health informatics.
© ISO 2017 – All rights reserved v

---------------------- Page: 11 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

Introduction
Pseudonymization is recognized as an important method for privacy protection of personal health
information. Such services may be used nationally, as well as for trans-border communication.
Application areas include, but are not limited to:
— indirect use of clinical data (e.g. research);
— clinical trials and post-marketing surveillance;
— pseudonymous care;
— patient identification systems;
— public health monitoring and assessment;
— confidential patient-safety reporting (e.g. adverse drug effects);
— comparative quality indicator reporting;
— peer review;
— consumer groups;
— field service.
This document provides a conceptual model of the problem areas, requirements for trustworthy
practices, and specifications to support the planning and implementation of pseudonymization services.
The specification of a general workflow, together with a policy for trustworthy operations, serve
both as a general guide for implementers but also for quality assurance purposes, assisting users of
the pseudonymization services to determine their trust in the services provided. This guide will serve
to educate organizations so they can perform pseudonymization services themselves with sufficient
proficiency to achieve the desired degree of quality and risk reduction.
vi © ISO 2017 – All rights reserved

---------------------- Page: 12 ----------------------

SIST EN ISO 25237:2017
INTERNATIONAL STANDARD ISO 25237:2017(E)
Health informatics — Pseudonymization
1 Scope
This document contains principles and requirements for privacy protection using pseudonymization
services for the protection of personal health information. This document is applicable to organizations
who wish to undertake pseudonymization processes for themselves or to organizations who make a
claim of trustworthiness for operations engaged in pseudonymization services.
This document
— defines one basic concept for pseudonymization (see Clause 5),
— defines one basic methodology for pseudonymization services including organizational, as well as
technical aspects (see Clause 6),
— specifies a policy framework and minimal requirements for controlled re-identification (see
Clause 7),
— gives an overview of different use cases for pseudonymization that can be both reversible and
irreversible (see Annex A),
— gives a guide to risk assessment for re-identification (see Annex B),
— provides an example of a system that uses de-identification (see Annex C),
— provides informative requirements to an interoperability to pseudonymization services (see
Annex D), and
— specifies a policy framework and minimal requirements for trustworthy practices for the operations
of a pseudonymization service (see Annex E).
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 27799, Health informatics — Information security management in health using ISO/IEC 27002
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http:// www .electropedia .org/
— ISO Online browsing platform: available at http:// www .iso .org/ obp
3.1
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[SOURCE: ISO/IEC 2382:2015, 2126294]
© ISO 2017 – All rights reserved 1

---------------------- Page: 13 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

3.2
anonymization
process by which personal data (3.37) is irreversibly altered in such a way that a data subject can no
longer be identified directly or indirectly, either by the data controller alone or in collaboration with
any other party
Note 1 to entry: The concept is absolute, and in practice, it may be difficult to obtain.
[SOURCE: ISO/IEC 29100:2011, 2.2, modified.]
3.3
anonymized data
data (3.14) that has been produced as the output of an anonymization (3.2) process
[SOURCE: ISO/IEC 29100:2011, 2.3, modified.]
3.4
anonymous identifier
identifier (3.27) of a person which does not allow the identification (3.26) of the natural person (3.34)
3.5
authentication
assurance of the claimed identity
3.6
attacker
person deliberately exploiting vulnerabilities in technical and non-technical security controls in order
to steal or compromise information systems and networks, or to compromise availability to legitimate
users of information system and network resources
[SOURCE: ISO/IEC 27033-1:2015, 3.3]
3.7
ciphertext
data (3.14) produced through the use of encryption, the semantic content of which is not available
without the use of cryptographic techniques
[SOURCE: ISO/IEC 2382:2015, 2126285]
3.8
confidentiality
property that information (3.29) is not made available or disclosed to unauthorized individuals, entities
or processes
[SOURCE: ISO 7498-2:1989, 3.3.16]
3.9
content-encryption key
cryptographic key used to encrypt the content of a communication
3.10
controller
natural or legal person, public authority, agency or any other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data (3.40)
3.11
cryptography
discipline which embodies principles, means and methods for the transformation of data (3.14) in order
to hide its information content, prevent its undetected modification and/or prevent its unauthorized use
[SOURCE: ISO 7498-2:1989, 3.3.20]
2 © ISO 2017 – All rights reserved

---------------------- Page: 14 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

3.12
cryptographic algorithm
method for the transformation of data (3.14) in order to hide its information content, prevent
its undetected modification and/or prevent its unauthorized use
3.13
cryptographic key management
key management
generation, storage, distribution, deletion, archiving and application of keys (3.31) in accordance with a
security policy (3.46)
[SOURCE: ISO 7498-2:1989, 3.3.33]
3.14
data
reinterpretable representation of information (3.29) in a formalized manner suitable for communication,
interpretation or processing
Note 1 to entry: Data can be processed by humans or by automatic means.
[SOURCE: ISO/IEC 2382:2015, 2121272]
3.15
data integrity
property that data (3.14) has not been altered or destroyed in an unauthorized manner
[SOURCE: ISO 7498-2:1989, 3.3.21]
3.16
data linking
matching and combining data (3.14) from multiple databases
3.17
data protection
technical and social regimen for negotiating, managing and ensuring informational privacy (3.39), and
security
3.18
data subject
person to whom data (3.14) refer
3.19
decryption
process of converting encrypted data (3.14) back into its original form so it can be understood
3.20
de-identification
general term for any process of reducing the association between a set of identifying data (3.14) and the
data subject (3.18)
3.21
directly identifying data
data (3.14) that directly identifies a single individual
Note 1 to entry: Direct identifiers are those data that can be used to identify a person without additional
information or with cross-linking through other information that is in the public domain.
© ISO 2017 – All rights reserved 3

---------------------- Page: 15 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

3.22
disclosure
divulging of, or provision of access to, data (3.14)
Note 1 to entry: Whether the recipient actually looks at the data, takes them into knowledge or retains them, is
irrelevant to whether disclosure has occurred.
3.23
encryption
process of converting information (3.29) or data (3.14) into a cipher or code
3.24
healthcare identifier
subject of care identifier
identifier (3.27) of a person for primary use by a healthcare system
3.25
identifiable person
one who can be identified, directly or indirectly, in particular by reference to an identification number
or to one or more factors specific to his physical, physiological, mental, economic, cultural or social
identity
[SOURCE: Directive 95/46/EC]
3.26
identification
process of using claimed or observed attributes of an entity to single out the entity among other entities
in a set of identities
Note 1 to entry: The identification of an entity within a certain context enables another entity to distinguish
between the entities with which it interacts.
3.27
identifier
information (3.29) used to claim an identity, before a potential corroboration by a corresponding
authenticator
[SOURCE: ENV 13608-1:2000, 3.44]
3.28
indirectly identifying data
data (3.14) that can identify a single person only when used together with other indirectly
identifying data
Note 1 to entry: Indirect identifiers can reduce the population to which the person belongs, possibly down to one
if used in combination.
EXAMPLE Postcode, sex, age, date of birth.
3.29
information
knowledge concerning objects that within a certain context has a particular meaning
[SOURCE: ISO/IEC 2382:2015, 2121271, modified.]
3.30
irreversibility
situation when, for any passage from identifiable to pseudonymous, it is computationally unfeasible to
trace back to the original identifier (3.27) from the pseudonym (3.43)
4 © ISO 2017 – All rights reserved

---------------------- Page: 16 ----------------------

SIST EN ISO 25237:2017
ISO 25237:2017(E)

3.31
key
sequence of symbols which controls the operations of encryption (3.23) and decryption (3.19)
[SOURCE: ISO 7498-2:1989, 3.3.32]
3.32
linkage of information objects
process allowing a logical association to be established be
...