Australian businesses and the IT partners that handle their digital assets have been given a helping hand by the Government, aimed at minimising the risk of inadvertent breaches of personal or sensitive data.
The Australian Government’s Office of the Australian Information Commissioner (OAIC), in partnership with the CSIRO’s Data61 data innovation group, has released new guidelines to help organisations deal with how an individual’s personal information is shared or released, whether for ethical or legal reasons.
The new guide, which was adapted from the UK’s Anonymisation Decision-Making Framework, was also informed by input from the Australian Bureau of Statistics (ABS) and the Australian Institute for Health and Welfare (AIHW).
The De-identification Decision-Making Framework guide focuses on assessing and managing data re-identification risks within the context of the data release or share.
The guidelines themselves encourage organisations to consider the current data release environment, as well as the techniques and controls applied to the data.
Lead author of the guide and Data61 research scientist, Dr Christine O’Keefe, explained that individuals were increasingly conscious of how their data was being used, as well as the risk of data breaches, which underlined the importance of how well de-identification is carried out.
Australian Information and Privacy Commissioner, Timothy Pilgrim, said that deciding whether data should be released or shared – and if so, in what form – required careful consideration.
“A range of factors needs to be considered, from ethical and legal obligations to technical data questions. Integrating the different perspectives on the topic of de-identification into a single, comprehensible framework is what this guide is all about,” Pilgrim stated.
“The interpretation and application of data has the potential to positively transform our lives and bring about great social and economic benefits. However, we need to remember that many of these data sets are made up of individuals’ personal information.
“So when we think about releasing it we need to anticipate the risks to ensure we are protecting the rights of individuals,” he said.
Pilgrim said de-identification was an exercise in risk management, rather than an exact science, and it was important to strike the right balance between maintaining useful data and making sure it’s safe.
“The OAIC looks forward to engaging further with organisations and technical experts on de-identification,” he said.
Ultimately, the guide is aimed at reducing the risks of data breaches among local organisations and minimising the chances of individuals’ personal details being released into the public sphere.
Indeed, such an incident hit the Government’s own public service workplace authority, the Australian Public Service Commission (APSC), late last year when confidential information of more than 96,000 public servants was compromised after a data set populated with confidential information was inadvertently made publicly available.
While the data set has been taken from public view to be ‘washed’ of identifying features, the Commission has confirmed that it was downloaded up to 60 times before it was withdrawn.
Likewise, the Australian Red Cross Blood Service ran into trouble of its own last year, when it was discovered that one of its IT partners inadvertently published a 1.74GB MySQL database back-up with more than 1.28 million records to a publicly-facing website.
Indeed, the Government’s new guide is intended to help organisations de-identify such data sets, or scrub them clean of sensitive information, before they are released.
However, the de-identification process is not always clear cut. Indeed, de-identified data sets can sometimes be re-identified with sensitive information to some degree.
As the guide states: “De-identifying data can help an organisation to meet its ethical responsibilities, fulfil its legal obligations, and satisfy community expectations. However, when de-identification is not carried out properly, a data release can raise privacy concerns”.
This is largely why the Federal Government introduced new legislation last year aimed at making it a crime for someone to re-identify publicly-available de-identified data sets.
While this legislation did not extend into the private sphere, it highlighted the risks of re-identification of data from de-identified data sets.
(Additional reporting by Leon Spencer)