Formal modelling of (de)pseudonymisation: A case study in health care privacy

Meilof Veeningen, Benne de Weger, Nicola Zannone

Research output: Chapter in Book/Conference proceedings/Edited volume; Conference contribution; Scientific; peer-review

3 Citations (Scopus)


In recent years, a number of infrastructures have been proposed for the collection and distribution of medical data for research purposes. The design of such infrastructures is challenging: on the one hand, they should link patient data collected from different hospitals; on the other hand, they can only use anonymised data because of privacy regulations. In addition, they should allow data depseudonymisation in case research results provide information relevant for patients' health. The privacy analysis of such infrastructures can be seen as a problem of data minimisation. In this work, we introduce coalition graphs, a graphical representation of knowledge of personal information to study data minimisation. We show how this representation allows identification of privacy issues in existing infrastructures. To validate our approach, we use coalition graphs to formally analyse data minimisation in two (de)-pseudonymisation infrastructures proposed by the Parelsnoer initiative.

Original language: English
Title of host publication: Security and Trust Management
Subtitle of host publication: 8th International Workshop, STM 2012, Revised Selected Papers
Number of pages: 16
ISBN (Electronic): 978-3-642-38004-4
ISBN (Print): 978-3-642-38003-7
Publication status: Published - 2013
Externally published: Yes
Event: 8th International Workshop on Security and Trust Management, STM 2012 - Pisa, Italy
Duration: 13 Sep 2012 – 14 Sep 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7783 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 8th International Workshop on Security and Trust Management, STM 2012
