Operational Pseudonymization and Pseudonym Disclosure

In the following, we tie together the solutions presented in the previous Chapters of this Part and describe how to generate the pseudonym mapping and the data in the pseudonymity-layer as well as how pseudonym disclosure works. The associations and dependencies between the elements in the application-layer, in the decision tree, in the pseudonymity-layer, and in the pseudonym mapping are depicted in Fig. 15.1, already respecting the extensions in Sect. 16.3 and Sect. 16.6. Figure 15.2 depicts an abstraction of the respective data flow, showing for a given triplet of identity, disclosure context and weight the cryptographic operations for data in the pseudonymity-layer and in the pseudonym mapping, as well as the mismatch avoidance/detection and the selection of the pseudonym mapping entry corresponding to a recovered secret. In the gap between the pseudonymizer and the reidentifier in Fig. 15.2 the data is shown, which is actually transmitted from the pseudonymizer to the reidentifier. Considering this data, the encrypted features c _i and the entry verifiers v _i are components of the pseudonym mapping, whereas the remaining data resides in the pseudonymity-layer. Note, that Fig. 15.2 omits operations in the application-layer, the linkage to the application-layer, the initialization, the use of the decision tree and some further details.