In the age of big data, many countries are implementing and establishing de-identification policies quite actively. There are many efforts to institutionalize de-identification of personal information to protect privacy and utilize the use of personal information. But even with such efforts, de-identification policy always has a potential risk that de-identified information can be re-identified by being combined with other information. Therefore, it is necessary to consider the management mechanism that manages these risks as well as a mechanism for distributing the responsibilities and liabilities in the event of incidents involving the invasion of privacy. So far, most countries implementing the de-identification policies are focusing on defining what de-identification is and the exemption requirements to allow free use of de-identified personal information. On the other hand, there is a lack of discussion and consideration on how to distribute the responsibility of the risks and liabilities involved in the process of de-identification of personal information.