

ISO/IEC 27559 Privacy-enhancing data de-identification framework



“De-identification can be used to strike a balance between protecting personal information and an organisation’s desire to use personal information in new and innovative ways. The appropriate use of de-identification techniques can support compliance with the regulatory requirements and relevant privacy principles. This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.”
[Source: SC 27 Standing Document 11 (2021)]


This standard will provide a non-prescriptive framework for identifying and mitigating privacy-related risks, such as re-identification, during the lifecycle of de-identified data. Organisations can use the standard to properly de-identify (anonymise) data, build trust with data subjects and meet compliance requirements.


Scope of the standard

As data analytics increasingly relies on sharing and combining data sets containing supposedly de-identified (anonymized) data, the risks of re-identification are growing. This standard will provide guidance on recognizing and mitigating those risks.


Content of the standard

Main sections:

  • Context assessment: essentially, determining the general concerns and hence main requirements in this area.
  • Data assessment: understanding the data and potential ‘attacks’ (attempts to obtain personal information that would compromise privacy).
  • Identifiability assessment: understanding how personal information might be gleaned from available/accumulated data that (whether individually or as a whole) has been inadequately anonymized.
  • Governance: directing and controlling the people involved in maintaining privacy, dealing with incidents etc., e.g. by determining and assigning appropriate roles and responsibilities.



The project started in 2019.

It passed a vote at Committee Draft stage.


Personal notes

As our personal information is increasingly obtained and shared both within and among organisations, this standard has a valuable role in setting the ground rules for how to do so without unnecessarily compromising the privacy of the individuals concerned, or exposing personal data to compromise by various means (e.g. data aggregation and inference attacks). As such, it facilitates the process by increasing the level of trust between providers and acquirers of information, and supports privacy arrangements in general.



Copyright © 2022 IsecT Ltd.