I agree that "Given the growing interest in de-identification, there is a clear need for standards and assessment techniques that can measurably address the breadth of data and risks," but standards may take an additional 10 years to agree on and enforcing regulations is always difficult.
We know that NIST is concluding that "Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de-identification standard, are not firmly rooted in theory." It may take many years to fix this issue.
We know that "the risk depends upon the availability of data in the future that may not be available now." So we need a policy-driven approach that can be easily adjusted over time as more data becomes available.
I like to consider employing "a combination of several approaches to mitigate re-identification risk. These include technical controls." I've seen two interesting technical approaches that can provide a balanced combined solution to address the growing issue of privacy and access to data. The first approach is based on service-oriented privacy-preserving data publishing. This service-oriented approach can provide policy-driven control over how combinations of different data are accessed and over the accumulated volume of data that is accessed. The second approach, based on data tokenization and dynamic masking, can secure the data itself against misuse and theft.
I think that a balance between the first and second approach can provide an attractive data-centric solution for different sensitivity levels.
I agree that we need a "balance between providing privacy and useful data," and we are running out of time to fix this growing issue.
Ulf Mattsson, CTO Protegrity