The definition of ‘personal information’ in the Privacy Act is “information…about an identified individual, or an individual who is reasonably identifiable.” This is how the ease of re-identification by third parties comes into play.
The 2017 Full Federal Court decision in the Grubb case upheld an AAT decision that mobile phone metadata was not personal information under the Privacy Act because it is not ‘about an individual’ but about the Telstra services used by the individual. However, the Full Court did not rule definitively on whether telecommunications-generated information can ever be ‘personal information’ for Privacy Act purposes.
While the judicial technicality may be that mobile phone data is not ‘about an individual’, this information clearly can allow an individual to be ‘identified’. A fingerprint match is commonly said to require 12 matching points; far fewer data points are needed to identify an individual from their mobile phone data. Studies have shown that “the uniqueness of human mobility traces is high, thereby emphasizing the importance of the idiosyncrasy of human movements for individual privacy…. In fact, in a dataset where the location of an individual is specified hourly and with a spatial resolution equal to that given by the [mobile operator’s] antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.” (See here).
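The “four points identify 95%” figure is the output of a simple uniqueness test: take p points from one person’s trace and count how many other traces also contain all p of them. The following is an added example of that test, written for this page rather than taken from the cited study; the toy traces and the synthetic generator are constructed here, and the helper names are our own. It goes slightly beyond the text by producing the whole curve from 1 to p points, which is the shape a practitioner actually needs when assessing whether a proposed release is “reasonably identifiable”.

```python
"""Estimate how many spatio-temporal (hour, antenna) points are needed to
single out an individual in a set of coarse mobility traces.

Added example with constructed data; nothing here is code from the cited
study or from any regulator's framework.
"""
import random

# Constructed toy dataset: each trace is the set of (hour, antenna) cells a
# handset was seen in. Alice's trace is a strict subset of Dave's, so Alice
# can never be singled out from Dave no matter which of her points are known.
TOY_TRACES = {
    "alice": {(8, "A"), (12, "B"), (18, "C")},
    "bob":   {(8, "A"), (12, "B"), (18, "D")},
    "carol": {(8, "A"), (12, "E"), (18, "C")},
    "dave":  {(8, "A"), (12, "B"), (18, "C"), (22, "F")},
}


def matching_users(traces, points):
    """Users whose trace contains every one of the known `points`."""
    points = set(points)
    return {user for user, trace in traces.items() if points <= trace}


def is_unique(traces, user, points):
    """True if the known `points` single out `user` (no other trace matches)."""
    return matching_users(traces, points) == {user}


def uniqueness_curve(traces, max_points, seed=0):
    """Fraction of users uniquely identified by p of their own points, p = 1..max_points.

    Each trace is shuffled once and the first p points taken, so the curve is
    non-decreasing in p: more known points can only rule out more candidates.
    Users with fewer than p points contribute their whole trace.
    """
    rng = random.Random(seed)
    ordered = {u: rng.sample(sorted(t), len(t)) for u, t in traces.items()}
    curve = {}
    for p in range(1, max_points + 1):
        unique = sum(is_unique(traces, u, pts[:p]) for u, pts in ordered.items())
        curve[p] = unique / len(traces)
    return curve


def synthetic_traces(n_users=500, n_antennas=300, n_hours=24 * 7,
                     seen_prob=0.3, seed=1):
    """Constructed traces at hourly resolution over a week: each handset is
    seen in a given hour with probability `seen_prob`, usually at one of
    three 'home' cells and occasionally anywhere in the network."""
    rng = random.Random(seed)
    traces = {}
    for u in range(n_users):
        home = rng.sample(range(n_antennas), 3)
        trace = set()
        for hour in range(n_hours):
            if rng.random() > seen_prob:
                continue  # handset not observed this hour
            cell = rng.choice(home) if rng.random() < 0.8 else rng.randrange(n_antennas)
            trace.add((hour, cell))
        traces[f"user{u}"] = trace
    return traces


if __name__ == "__main__":
    for name, data in (("toy", TOY_TRACES), ("synthetic", synthetic_traces())):
        curve = uniqueness_curve(data, 4)
        print(name, {p: f"{v:.0%}" for p, v in curve.items()})
```

Run against a real extract, the curve tells you at which p the release crosses whatever threshold you have decided counts as “reasonably identifiable”; the synthetic generator only exists so the script runs offline and is not a model of any operator’s network.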
As this is very much a live issue, we thought it useful to pull together key resources for you.
The Future of Privacy Forum has a single pager summarising the different degrees of de-identification – it is important to keep the terminology straight when trying to understand what techniques will best clear the legal requirements. (Pseudonymous vs. de-identified vs. anonymous data).
The Office of the Australian Information Commissioner and the CSIRO have produced a framework for data anonymisation. The key Do’s and Don’ts are:
- Do: clearly understand the intended use of the data. Anonymisation is a process to produce safe data but it only makes sense if what you are producing is useful data.
- Don’t: make the mistake of thinking there will be zero risk of re-identification. This raises the vexed question of what level of risk amounts to “reasonably identifiable” for the Privacy Act. Legal restrictions on data users along the lines of “thou shall not attempt to re-identify” are important, but may not be enough.
- Do: given that, understand the data forensically: the structure in which the data is presented, the variables that allow the data to be ‘sliced’ in different ways, and topic sensitivities. This will help you test the controls being embedded in the data or for access to the data – and whether they are proportional to the risk.
- Don’t: decide whether the data is safe to share only by examining the transformed or aggregated data alone. Look at what external data is available and how it might be recombined with your data – the “reasonably identifiable” test in the Privacy Act allows a “this goes with that” matching of data from any source.
- Do: sketch where the data will flow through your organisation and externally. At each point, map the data environment, including who is using it, governance and security. If you find material risks, you may need to go back again to the data structure and controls step.
- Don’t: think that because you have anonymised the data there is no need to be transparent about what you are doing. Customers may have a different view than you about the point at which data has become so ‘scrambled’ that it is no longer ‘their’ data.
- Do: build trust with key stakeholders. Consult with data subjects, data providers and data consumers, and provide updates if things change. You may need to call on their trust when things go wrong.
- Don’t: assume nothing will go wrong. You will need a crisis management strategy dealing with breach management, breach notification and communications – as these need to happen in parallel, it may be best to have different people or teams on each stream.
- Do: keep monitoring the use of the data, especially keep an eye on new external data being made available which may change your risk assessment of re-identification.
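Two of the points above are mechanical enough to script: the “this goes with that” matching of a release against external data (the fourth Don’t), and re-running that check when new external data appears (the last Do). The following is an added example of both, written for this page and not taken from the OAIC/CSIRO framework; the release table, the external table, the field names and the generalisation rule are all constructed for illustration.

```python
"""Link a 'de-identified' release to an external dataset on shared
quasi-identifiers, then re-run the check after (a) generalising the
quasi-identifiers and (b) a new external record becomes available.

Added example with constructed data; field names and tables are assumptions.
"""
from collections import Counter, defaultdict

QUASI_IDS = ("postcode", "birth_year", "sex")

# Constructed release: names stripped, quasi-identifiers and a sensitive
# attribute retained.
RELEASE = [
    {"postcode": "2000", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "2000", "birth_year": 1984, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "2010", "birth_year": 1971, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "3000", "birth_year": 1990, "sex": "M", "diagnosis": "fracture"},
    {"postcode": "2010", "birth_year": 1975, "sex": "M", "diagnosis": "gout"},
]

# Constructed external dataset an attacker might hold (a public register,
# scraped profiles, a marketing list): names plus the same quasi-identifiers.
EXTERNAL = [
    {"name": "A. Example", "postcode": "2000", "birth_year": 1984, "sex": "F"},
    {"name": "B. Example", "postcode": "2000", "birth_year": 1984, "sex": "F"},
    {"name": "C. Example", "postcode": "2010", "birth_year": 1971, "sex": "M"},
]

# A constructed record that "becomes available" later (the monitoring case).
NEW_EXTERNAL_RECORD = {"name": "D. Example", "postcode": "3000", "birth_year": 1990, "sex": "M"}


def key(record, generalise=None):
    """Quasi-identifier tuple for a record, optionally after generalisation."""
    values = generalise(record) if generalise else record
    return tuple(values[f] for f in QUASI_IDS)


def generalise_coarse(record):
    """Assumed generalisation rule: 2-digit postcode prefix and birth decade."""
    v = dict(record)  # never mutate the caller's record
    v["postcode"] = v["postcode"][:2] + "xx"
    v["birth_year"] = v["birth_year"] // 10 * 10
    return v


def min_k(release, generalise=None):
    """Smallest equivalence-class size over the quasi-identifiers, i.e. the
    k-anonymity of the release judged on its own (the 'transformed data alone'
    view the text warns against relying on)."""
    return min(Counter(key(r, generalise) for r in release).values())


def singled_out(release, external, generalise=None):
    """Release records that an attacker holding `external` can pin to one
    named person: the person's key matches exactly one release record and
    no other external person shares that key. Returns {record_index: name}."""
    by_key = defaultdict(list)
    for i, r in enumerate(release):
        by_key[key(r, generalise)].append(i)
    external_keys = Counter(key(p, generalise) for p in external)
    hits = {}
    for person in external:
        k = key(person, generalise)
        matches = by_key.get(k, [])
        if len(matches) == 1 and external_keys[k] == 1:
            hits[matches[0]] = person["name"]
    return hits


if __name__ == "__main__":
    later = EXTERNAL + [NEW_EXTERNAL_RECORD]
    print("k (raw / coarse):", min_k(RELEASE), min_k(RELEASE, generalise_coarse))
    print("linked today, raw:   ", singled_out(RELEASE, EXTERNAL))
    print("linked today, coarse:", singled_out(RELEASE, EXTERNAL, generalise_coarse))
    print("linked later, raw:   ", singled_out(RELEASE, later))
    print("linked later, coarse:", singled_out(RELEASE, later, generalise_coarse))
```

Three things fall out of running it. The release-only metric (`min_k`) is 1 both before and after generalisation, so the release is not k-anonymous on its own terms either way. Linking against today’s external data, generalisation does remove the one record that was pinned to a named person. Once the new external record exists, the generalised release is re-identifiable again for the postcode 3000 record, which is exactly why the last Do in the list is to keep watching external data rather than treat the original assessment as final.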