Last week, we discussed defining use cases as a first step towards implementing de-identification effectively. The next step is to assess your existing de-identification practices and develop a plan to improve them. This assessment is best guided by a maturity model with the capacity to evaluate how well de-identification and other privacy practices work together to lower privacy risk and support organizational efficiency.
Once you have envisioned the purpose and use cases for improved de-identification services, a closer look at your organization’s current de-identification practices is warranted. Every program, service, and organization passes through stages of development, moving gradually from ad hoc projects to clear staff roles, practices, processes, and standards. De-identification services are no different: de-identification techniques and processes start at a basic level and become more sophisticated over time. Organizations usually develop more quickly in some areas than others; for instance, an organization may use advanced de-identification techniques, but have few accountability controls.
Assessing De-identification Maturity
Maturity models map out the typical stages of development of various operational areas. Maturity models relevant to de-identification include the AICPA/CICA Privacy Maturity Model and the Ki Consulting Risk-based Privacy Maturity Model. (To read a case illustration of the Risk-Based Privacy Maturity Model applied to de-identification services, please email email@example.com.) Maturity assessments based on these models identify strengths, weaknesses, and possibilities for improvement. In other words, they serve several performance management purposes:
- Objectively evaluating current de-identification practice
- Establishing a baseline against which to measure future progress
- Comparing the practices of different units or departments
- Guiding future development
A maturity assessment may involve conducting interviews, analyzing use patterns, dissecting processes, and looking at current privacy management practices.
A key indicator of privacy maturity is risk-based decision-making. A risk-based approach, rather than defining standard privacy and security practices that may or may not actually reduce privacy risk to an acceptable level, uses objective measures of privacy risk to evaluate the effectiveness of an organization’s practices. Ideally, a risk-based privacy assessment will evaluate how well a variety of privacy techniques, such as de-identification, access control, and encryption, work together to protect privacy. Basing policy and business decisions on an objective assessment of privacy risk generally leads to more effective and defensible practices. In addition, risk metrics provide a means of performance measurement, making it possible to allocate resources to the most efficient privacy and security solutions.
Developing a De-identification Roadmap
A maturity assessment centred on de-identification will help you to evaluate current strengths and gaps, envision a desired future state of de-identification services, and set realistic goals for improvement. The maturity model itself helps to set priorities by identifying areas that are interdependent: for instance, the three dimensions of the Risk-based Privacy Maturity Model demonstrate that effective implementation of de-identification techniques requires well-defined business tools and systematic risk measurement and control practices. Assessment findings become the base for a service development roadmap that establishes realistic maturity targets for a given time frame.
As changes are implemented, maturity targets provide an objective metric for ongoing performance measurement. Progress can and should also be measured against tangible outcomes. Performance measurement can include measures of the volume and efficiency of data sharing, and the utility of de-identified data to various clients. These measures can provide rapid and concrete feedback on the value of improved de-identification practices and processes.
If you are seeking to implement de-identification as a regular part of operations, maturity assessment is the key to identifying which areas in your organization need to be strengthened to support future development. Conducting a maturity assessment early in the process of developing de-identification services ensures that your next steps will be effective both in strengthening privacy and improving service.
AICPA/CICA Privacy Maturity Model, American Institute of Certified Public Accountants (AICPA) / Canadian Institute of Chartered Accountants (CICA), 2011
Ki Consulting Risk-based Privacy Maturity Model. Please email firstname.lastname@example.org for a copy.
Implementing De-identification Case Illustration: The Risk-Based Privacy Maturity Model as a Guide to De-identification Maturity. Please email email@example.com for a copy.
Implementing De-identification I: Who Gets What Kind of Data?