|
Work item:
|
X.Spud
|
|
Subject/title:
|
Security requirements for psuedonymizing unstructured data
|
|
Status:
|
Under study
|
|
Approval process:
|
TAP
|
|
Type of work item:
|
Recommendation
|
|
Version:
|
New
|
|
Equivalent number:
|
-
|
|
Timing:
|
2026-09 (Medium priority)
|
|
Liaison:
|
-
|
|
Supporting members:
|
Korea (Republic of), KISA, Soonchunhyang Univ
|
|
Summary:
|
Structured data is one which are organized based on a pre-defined (applicable) set of rules. There are some standard to address de-identification such as ITU-T X.1148 and ISO/IEC 20889. Unstructured data is data which are characterized by not having any structure apart from that record or file level. An example of unstructured data is free text. It is necessary to pseudonymize the unstructured data for the utilization of them. Deidentifying unstructured data allows organizations to use them for a variety of purposes, such as data analysis, research, marketing, and more, while protecting privacy. There are several use cases for deidentifying unstructured data: clinical research, public health analysis, etc. The pseudonymized unstructured data may have a risk of re-identification. Based on the use cases introduced in Appendix II of this Recommendation, such as "AI Development for Oral Disease Diagnosis" and "AI Development for Abnormal Situation Recognition in Autonomous Vehicles," basic principles and procedural considerations for pseudonymizing unstructured data can be derived to reduce the risk of re-identification. The benefits for deidentifying unstructured data may include: protecting confidentiality, supporting healthcare research, etc.
The basic principles for pseudonymizing the unstructured data to prevent re-identification are presented as follows.
1. Comprehensively considering the purpose of data processing, data sensitivity, environment, etc., personal data controllers should determine information at risk of personal identification and set reasonable processing levels and methods.
2. In order to compensate for the limitations of pseudonym processing technology, personal data controllers thoroughly should review risks from the preliminary preparation stage and implement appropriate safety measures.
3. In response to developments in data restoration technology, etc., personal data controllers actively should implement measures such as controlling access to related software when using unstructured data.
Additionally, this Recommendation includes procedural security considerations for each step of pseudonymization when pseudonymizing unstructured data.
|
|
Comment:
|
-
|
|
Reference(s):
|
|
|
Historic references:
|
|
Contact(s):
|
|
| ITU-T A.5 justification(s): |
|
|
|
|
First registration in the WP:
2025-04-17 14:07:43
|
|
Last update:
2025-08-11 17:37:32
|
|
