OAIC and Data61 offer up data de-identification framework

The Office of the Australian Information Commissioner and Data61 have released a guide to assist organisations to appropriately de-identify data to meet requirements such as those mandated under the Privacy Act.
Written by Asha Barbaschow, Contributor

The Office of the Australian Information Commissioner (OAIC) and CSIRO's Data61 have published a framework that aims to assist organisations to de-identify data appropriately and put strategies in place to recover should a data breach occur.

The De-Identification Decision-Making Framework comprises 10 components under three sub-headings, with the first requiring an organisation to assess its data situation and conduct an audit. The second asks the organisation to conduct a risk and control analysis, while the last calls on those holding any form of data to determine how it would effectively manage the sharing of data.

In the foreword, Australian Information and Privacy Commissioner Timothy Pilgrim describes de-identification as one potential solution to the problem that sharing data creates, noting that when done properly, it allows data to be shared or released in ways that protect individual privacy, and which may not otherwise be permitted under privacy legislation.

"While a growing body of de-identification literature has been appearing for some decades now, de-identification practice remains fairly inconsistent, and at times, unfortunately lacking in rigour," Pilgrim wrote.

"The use or release of poorly de-identified data gives rise to a range of serious privacy and other risks for affected data subjects. It also exposes an organisation to significant legal and reputational risks."

Aiming to make data more available while also subject to appropriate safeguards, the purpose of the framework [PDF] is to "empower organisations to understand what is involved in a de-identification process", as well as to help organisations identify, evaluate, and balance the resulting risks.

"The fundamental premise underpinning the framework is that re-identification risk must be assessed contextually," said Pilgrim, who revealed last month that he would be probing government agencies on their commitments under the Privacy Act over the coming year.

The first banner under the framework, data situation audit, is essentially a framing tool for understanding the relationship between the data held and its environment.

The first component asks organisations to be aware of what they store and where. In regard to the Privacy Act, the next piece asks the organisation to assess whether the data is personal information or de-identified data, and, if it is the latter, to determine what controls need to be in place to ensure it remains de-identified.

The data audit also asks the organisation to be across what is precisely stored, and to determine the "who, what, where, and how" of its data while maintaining the organisation's ethical obligations.

Under disclosure risk assessment and control, the framework asks organisations to identify the processes they need to undertake to assess both their risk and control requirements, recommending pen-testing as one method to determine whether the correct safeguards are in place.

Meanwhile, impact management puts in place a plan for reducing the impact of an unintended disclosure, should it happen, with the framework asking organisations to identify any third parties or customers that such action could affect, and plan how communication to them will play out.

Should information be unintentionally released, component nine of the framework recommends that organisations plan for what happens next.

If the above procedures go wrong, the final component says it is essential to put in place mechanisms that can help deal with a breach, such as having a strong audit trail, a crisis management policy, and adequately trained staff.

The framework comes as Australian organisations and governments prepare for the looming data breach notification laws, which will come into play from February 2018.

Under the Privacy Amendment (Notifiable Data Breaches) Act, incidents involving personal information, credit card information, credit eligibility, and tax file number information that would put individuals at "real risk of serious harm" are to be disclosed.

The notification laws apply only to companies covered by the Privacy Act, and see intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties exempt from disclosing breaches.

In addition to the OAIC and Data61, input for the framework was provided by the Australian Bureau of Statistics and the Australian Institute of Health and Welfare. It has also been adapted from a United Kingdom document, with the changes reflecting Australian Privacy Act 1988 requirements.

Data Governance Australia (DGA), the independent body tasked with establishing industry standards around data, similarly published a draft Code of Practice in June as part of its effort to set industry standards and benchmarks for the responsible collection, use, management, and disclosure of data.

The draft code places a heavy focus on doing "no harm" to the customer, as well as taking all steps to ensure data cannot be re-identified, requesting organisations appoint an officer to oversee data activities.

As the DGA has no legal power over an organisation, however, it would rely on the moral and ethical nature of the organisation to enforce the rules that its code dictates.

Under the Australian Government Public Data Policy Statement [PDF], government entities are by default permitted to publish "appropriately anonymised" data.

Currently, the Australian government is awaiting the passing of legislation that would see the criminalisation of those who re-identify de-identified data.

The proposed laws -- which the Senate recommended be passed -- followed their swift introduction by Attorney-General George Brandis in September, who said at the time that open data is a vital part of modern government, and claimed "privacy of citizens is of paramount importance" to the government.

Come May 2018, Australian organisations -- including government -- that hold information on citizens of the European Union will need to provide a high level of protection and explicitly know where every piece of data is stored, under the EU's General Data Protection Regulation (GDPR).

Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or, in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
