A new guide from the Office of the Australian Information Commissioner is intended to help organisations effectively de-identify their data.
The guide, The De-Identification Decision-Making Framework (PDF), was adapted from the UK Anonymisation Decision-making Framework and produced in conjunction with the CSIRO’s Data61.
The changes from the UK resource primarily relate to differences between the legal frameworks of the two countries and the use of Australian examples and terminology.
The Australian Bureau of Statistics (ABS) and the Australian Institute for Health and Welfare (AIHW) also contributed to the new framework.
“The interpretation and application of data has the potential to positively transform our lives and bring about great social and economic benefits,” Australian Information and Privacy Commissioner Timothy Pilgrim said in a statement.
“However, we need to remember that many of these data sets are made up of individuals’ personal information. So when we think about releasing it we need to anticipate the risks to ensure we are protecting the rights of individuals.”
The De-Identification Decision-Making Framework, or DDF, comprises 10 components groups into three core de-identification activities: A data situation audit; risk analysis and control; and impact management.
“De-identification is one solution for sharing and releasing data while meeting legislative demands and community expectations,” Pilgrim said.
“De-identification is not an exact science and, even using the DDF at this level, you will not be able to avoid the need for complex judgement calls about when data is sufficiently de-identified given your data situation,” the guide states.
“The DDF will help you in making sound decisions based on best practice, but it is not a step-by-step algorithm; it is an approach whose value depends on the extent of the knowledge and skills you bring to it. You may still need expert advice on some parts of the de-identification process, particularly with the more technical risk analysis and control activities.”
“At present, there is no publicly available, comprehensive risk management guide in Australia to assist organisations with de-identification,” said the guide’s lead author, Data61 research scientist Dr Christine O’Keefe.
The federal government last year unveiled proposed legislation to criminalise the re-identification of (supposedly) anonymised datasets released by government agencies.
The bill is currently stalled in the Senate, with Labor and Greens senators opposing it. Critics of the bill have said that it may criminalise legitimate information security research.
The government hastily introduced the bill in the Senate after security researchers revealed that the Department of Health had released improperly de-identified datasets.