NIST Releases Data De-Identification Final Report

By Jimmy H. Koo

Oct. 29 — The National Institute of Standards and Technology recently released the final draft of its report, De-Identification of Personal Information, summarizing two decades of de-identification research and discussing current practices.

The report, however, didn't make recommendations regarding the “appropriateness of de-identification” or specific algorithms.

“De-identification techniques are intended to remove identifying information from a dataset while retaining some utility in the remaining data,” the report said. De-identification isn't a single technique, but a collection of approaches, tools and algorithms. “In general,” it said, “privacy protection improves as more aggressive de-identification techniques are employed, but less utility remains in the resulting dataset.”

Being able to effectively de-identify personally identifying information is a central requirement for the protection of privacy when utilizing big data analytics.

The report warned that a variety of problems can result from the distribution or use of de-identified data, including re-identification of that data. Beyond re-identification, risks to individuals exist in de-identified data, the NIST report said. Some of these risks include inferences about individuals in the data made without re-identification.

Concluding that there's “comparatively little known” about de-identification, the report said there's a need for “standards and assessment techniques that can measurably address the breadth of data and risks.”

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at