De-identification policy and risk distribution framework for securing personal information

Moon Ho Joo, Sang Pil Yoon, Hun Yeong Kwon, Jong In Lim

Research output: Contribution to journalArticlepeer-review

5 Citations (Scopus)


In the age of big data, many countries are implementing and establishing de-identification policies quite actively. There are many efforts to institutionalize de-identification of personal information to protect privacy and utilize the use of personal information. But even with such efforts, de-identification policy always has a potential risk that de-identified information can be re-identified by being combined with other information. Therefore, it is necessary to consider the management mechanism that manages these risks as well as a mechanism for distributing the responsibilities and liabilities in the event of incidents involving the invasion of privacy. So far, most countries implementing the de-identification policies are focusing on defining what de-identification is and the exemption requirements to allow free use of de-identified personal information. On the other hand, there is a lack of discussion and consideration on how to distribute the responsibility of the risks and liabilities involved in the process of de-identification of personal information. The purpose of this study is to compare the de-identification policies of the European Union, the United States, Japan, and Korea, all of which are now actively pursuing de-identification policies. Additionally, this study proposes to take a look at the various de-identification policies worldwide and contemplate on these policies in the perspective of risk society and risk-liability theory. The constituencies of the de-identification policies are identified in order to analyze the roles and responsibilities of each of these constituencies thereby providing the theoretical basis on which to initiate the discussions on the distribution of burden and responsibilities arising from the de-identification policies.

Original languageEnglish
Pages (from-to)195-219
Number of pages25
JournalInformation Polity
Issue number2
Publication statusPublished - 2018

Bibliographical note

Funding Information:
Korea has a de-identification support and management system to share the preliminary management and responsibility burden of the Risk Provider (A). Specialized agencies are defined and operated for each sector under the supervision of each relevant ministry, and a personal information de-identification support center has been established and operated by the Korea Internet and Security Agency (KISA), which is a specialized agency dedicated to personal information protection. Support roles of the sectoral expert agencies and the Personal Information De-identification Support Center are as shown above in Table 5.

Funding Information:
Most recently, on June 30, 2016, the relevant departments, including the Cabinet Office; the Ministry of Government Administration and Home Affairs; the Korea Communications Commission; the Financial Services Commission; the Ministry of Science, ICT and Future Planning; and the Ministry of Health and Welfare published the ‘Guideline for the De-identification of Personal Information’. It is reported in the guideline that all previous guidelines would be replaced beginning July 1, 2016; therefore, this latest guideline will be discussed to examine the details of the de-identification policies in Korea.

Funding Information:
In Korea, many regulations, case studies and other information have been published on de-identification methods and cases by each government ministry as the demand for big data began to emerge from the private sector. And on June 30th, 2016, the ‘Guideline on De-Identification Measures of Personal Information’ was announced together by six government ministries including the Office for Government Policy Coordination, Ministry of Interior, Korea Communications Commission, Financial Supervisory Commission, Ministry of ICT, Science and Future Planning, and the Ministry of Health and Welfare which replaced all previous documentations and regulations of the government on the de-identification issues. This Guideline is in the form of a guidebook or handbook, not the legal administrative regulation and was designed to be used as a guide to help understanding of the readers. This Guideline offers detailed information on the precautionary measures to prevent the re-identification of de-identified information and includes legislation guide and Q&A annexes. As such, it is the thought of the authors that this Guideline can be used to analyze the cases of Korea’s de-identification policies to identify the major issues on the risk distribution problem.

Publisher Copyright:
© 2018-IOS Press and the authors. All rights reserved.


  • Big data
  • de-identification
  • distribution of responsibility
  • personal information
  • re-identification
  • risk-liability theory

ASJC Scopus subject areas

  • Information Systems
  • Communication
  • Sociology and Political Science
  • Public Administration


Dive into the research topics of 'De-identification policy and risk distribution framework for securing personal information'. Together they form a unique fingerprint.

Cite this