Open data's Achilles heel: Re-identification

Open data's Achilles heel: Re-identification

Summary: The privacy czar has floated the possibility of making re-identification of anonymised data illegal.


Governments around the globe are embracing the mantra of open data and talking up its productivity benefits, but none have so far made the re-identification of this mass of anonymised data illegal.

That's possibly because the risks of re-identification in a world of multiple open sets of anonymised data are still energetically debated.

John Edwards

The possibility of outlawing re-identification is now being discussed in New Zealand, with both the Privacy Commissioner John Edwards and a May report (PDF) from the New Zealand Data Futures Forum suggesting that legal protections against re-identification may be necessary.

Edwards told ZDNet that he is trying to look towards the future and ensure that the value in government data can be safely extracted in ways that maintain public confidence.

“One of the methods might be a prohibition on re-identification. If we did that, we would be world leaders," he said.

Similarly, the Data Futures Forum report said it is necessary to develop a "robust data-use ecosystem" and to get the rules around open data right. This should include a data council to act as guardians and advisers, and a broad review of legislation.

The report also recommended: "Specific changes to legislation in the short term to provide for mandatory proactive release, extension of information sharing beyond central government, better definition of personal data and protections against re-identification of anonymised data.

"Although there are low risks involved, robust, secure, shared infrastructure, and governance are needed for this data-use scenario to protect individuals from accidental or malicious re-identification," the report said.

It recommended three changes to the Privacy Act: Updating the definition of personal data; extending the information-sharing provisions beyond central government; and including protections against the re-identification of anonymised data.

This week, Edwards addressed the issue in a speech (PDF) to New Zealand's Ministry of Social Development.

"For example, under the [Privacy] Act, there is currently no explicit prohibition on the re-identification of data from which identifying information has been removed," he said. "It's food for thought that a prohibition of this nature could potentially increase public confidence in the safe use of 'de-identified' or 'anonymised' data.

"Similarly, further work could be undertaken on strengthening individual rights to have information about them deleted, again increasing their confidence that information provided is not necessarily available forever and able to be combined with yet-to-be-created data sets."

For Edwards, there is still a lot of work to do before changes to the law are made.

"I’m not yet convinced there is a compelling case for it, and we would need to carefully consider practicalities and implications before recommending such a step.

“At this stage, I am much encouraged by talk of an independent 'data council' to provide ethical oversight and governance as a way to proceed with caution.”

 In his submission to the Data Futures Forum, Edwards said an explicit prohibition in the Privacy Act "could usefully reassure people that they have a means of redress if they suffered harm due to them being successfully re-identified from supposedly anonymous data”.

Topics: Privacy, Big Data, Government, Security, New Zealand

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • U.S. ...

    I realize the article is talking about New Zealand, but the same problem exists in the U.S.

    One concern I would particularly have in the U.S. is all these secret orders and secret courts that basically allow the NSA pretty much free access to whatever it wants, under the excuse that it is to combat terrorism. Even if laws against re-identification were passed in the U.S., I strongly doubt they would apply to the federal government too. They might "for appearances' sake" but in practice I expect they would be ignored.

    (By the way, in order for someone to bring a lawsuit, whether against a governmental entity or any other defendant, they have to show they have "standing", i.e., the circumstances or law affect THEM PERSONALLY to a greater extent than just the effects on the average member of the general public. That prevents lawsuits by folks who "just don't like what they're doing".)
  • The major problem with that is... does one determine how effective the anonymizing algorithm really is? I would suspect that CSS would have been a lot harder to break had it not been for the DMCA and the false assurance that as it's a criminal offense to try to break an encryption algorithm, nobody will try very hard.

    Reputable data miners don't try to identify individual respondents (they're interested in the aggregate, not individuals), but not everyone is reputable or honest.
    John L. Ries
    • Correction

      "...will try to break DRM..."
      John L. Ries
  • Enforcement

    I have to ask to whom would the new laws apply. Obviously it wouldn't apply to the various governmental agencies at any level. Corporations? The penalties would have exceed any conceivable profit otherwise ineffectual. Private citizens? Don't count them out as doxing is already a skill area. I understand the intent, I simply don't have any expectation that any meaningful laws will come out the sausage-machine.
    Brian J. Bartlett