擬匿名化（Pseudonymization）的大數據（Big Data）之安全標準初探：根基於支付卡（Payment Card）的安全事故與公開金鑰基礎建設（Public Key Infrastructure，簡稱PKI）之技術脆弱性的議題

隨著「大數據」與「資料探勘」之興盛發展，「開放資料」的去識別化之議題已成為保護個人資料應面對的工作項目，法務部於「我國個人資料保護法有關去識別化之標準」中提出：「應進行整體風險評估，針對不同資料類型或資料提供方式，依比例原則分級控管去識別化程度」，闡明「開放資料」宜達「匿名化(Anonymised)資料(data)」或「不可逆(Non-retraceable)之擬匿名化(Pseudonymised)資料」亦即一般稱為「無可控制的重新識別之擬匿名化(Pseudonymization without controlled re-identification)」的程度較為妥適。根基於此，本文探討已發生之擬匿名化的資訊安全事故，提出其依比例原則宜求索之資料開放的控制措施框架以供探討使用之。

關鍵字

匿名化；去識別化；開放資料；擬匿名化；脆弱性

並列摘要

With the development of ＂Big Data＂ and ＂Data Mining＂, the issue of ＂open data＂ has become an issue in protecting personal information. The Ministry of Justice states in ＂Standards of Personal Information Protection Act related to De-identification＂ that ＂The overall risk assessment should be carried out based on the degree of identification in accordance with different data types or data provided ways.＂. Clarify that it is more appropriate if the ＂open data＂ is at the level of ＂anonymized＂ or ＂non-retraceable Pseudonymised＂, which is also known as ＂Pseudonymed without controlled re-identification＂. Based on this, this paper discusses on the pseudonymation data security incidents that have occurred, and puts forward the would-be framework of data open controls based on the principle of proportionality.