The Office of the Australian Information Commissioner (OAIC) and CSIRO’s Data61 have released a guide to assist organisations to de-identify their data effectively. The practical and accessible guide is for Australian organisations that handle personal information and are considering sharing or releasing it to meet their ethical responsibilities and legal obligations, such as those under the Privacy Act 1988.
‘The interpretation and application of data has the potential to positively transform our lives and bring about great social and economic benefits. However, we need to remember that many of these data sets are made up of individuals’ personal information. So when we think about releasing it we need to anticipate the risks to ensure we are protecting the rights of individuals,’ said Timothy Pilgrim, Australian Information and Privacy Commissioner.
‘Deciding whether data should be released or shared – and if so, in what form – requires careful consideration. A range of factors needs to be considered, from ethical and legal obligations to technical data questions. Integrating the different perspectives on the topic of de-identification into a single, comprehensible framework is what this guide is all about.’
Dr Christine O’Keefe, the lead author of the guide and Research Scientist at Data61 explained, ‘at CSIRO’s Data61 we are a trusted advisor to government and industry organisations and we help them access the power of their data by applying deep science, engineering and design to derive insights from it and make it accessible to others without compromising privacy.
At present, there is no publicly available, comprehensive risk management guide in Australia to assist organisations with de-identification. That’s why we have set out to create this standalone guide as an adaptation of the existing UK version, the Anonymisation Decision-Making Framework — and make it freely available.
‘The community is increasingly conscious of how their data is being used, as well as the risk of data breaches, which underlines how important it is to ensure that de-identification is carried out well,’ said Dr O’Keefe. The De-identification Decision-Making Framework focuses on assessing and managing re-identification risks within the context of the data release or share. It encourages organisations to think more broadly and consider the data release environment as well as the techniques and controls applied to the data.
Commissioner Pilgrim added, ‘de-identification is one solution for sharing and releasing data while meeting legislative demands and community expectations. It is an exercise in risk management, rather than an exact science, and it’s important that we strike the right balance between maintaining useful data and making sure it’s safe.’
‘The OAIC looks forward to engaging further with organisations and technical experts on de-identification,’ said Commissioner Pilgrim.
Read the report: The De-Identification Decision-Making Framework