De-Identification

From ADA Public Wiki
Revision as of 23:02, 26 August 2019 by Dahaddican (talk | contribs)
Jump to navigation Jump to search

As has been mentioned, De-identification is considered context dependent. Information of any type, including data, may be de-identified in one context but Personal Information in another. As an example, a vehicle license number in isolation and in the absence of any other information to a random member of the public is not Personal Information. If this number were held by an employee of a registry agency that had access to a database where the license number could be looked up, it could help to identify other details associated with the individual and would therefore be considered a Direct Identifier.

With this in mind, although the Privacy Act 1988 APP’s are not normally applicable for de-identified information or data, some APP’s continue to be relevant based upon the potential for transfer to another environment. These are not as a matter of law, but should be considered as a matter of risk management in preventing potential re-identification where it is expected that the information could become a Direct Identifier in the possession of others.

The term de-identification is used by the ADA in a broader sense, and is consistent with the meaning in the Privacy Act 1988. It is important to be aware that de-identification involves:

  • the removal or alteration of all Direct Identifiers, followed by
  • the addition of other data controls to remove, obscure, aggregate, alter and/or protect the data in some way so that it is no longer possible to reasonably identify an individual, organisation or entity, or any characteristics about them.

The removal of Direct Identifiers, such as an individual’s name, address or other directly identifying information is relatively straightforward. The second step is arguably more challenging and requires the removal or alteration of other information that may allow an individual or their characteristics to be re-identified (for example, the removal or alteration of a rare characteristic of an individual or a combination of unique or remarkable characteristics that enable re-identification), and/or the addition of controls and safeguards in the data access environment, which will manage the risk of re-identification.

Unfortunately, it is often a blurred line between de-identified information and Personal Information and to assess if something is reasonably de-identified is not an exact science. A number of things need to be considered, including the nature and amount of information, who will hold the information and who will have access to it, the combined effect of any other information being available to the user and finally the practicability of using that information to identify an individual. The term reasonably de-identified means that where it is possible to identify an individual, objectively speaking, is it likely when considering all of the above factors. It may be technically possible to identify an individual but highly unlikely. Whereas an individual will be reasonably identifiable (or the de-identification process will not have been successful) if it is technically possible for re-identification to occur, and there is a reasonable likelihood of it occurring.

When using this approach and determining if de-identification is appropriate, the Data Owner should consider the type of information or data that is to be de-identified, who is likely to be granted access to the data in the future, whether the information contains unique or uncommon characteristics that could enable re-identification, whether the information or data will be targeted for re-identification because of who or what it relates to, whether there is other information or data available that could be matched up or used to help re-identify the de-identified data, and what harm may result if the information or data is re-identified. Choosing appropriate Data protection techniques for the data and combining these with other Data Sharing Principles will help to ensure that the balance between data utility and data modification is correct. On some occasions there will be an unavoidable trade-off in order to share data widely (Open Data), requiring the information or data to be altered significantly. In other cases the modification of the data may be minimal, requiring more rigid controls and safeguards to be applied elsewhere. This is a legal and ethical requirement placed upon Data Owners and Data Custodians, and failure to achieve de-identification will lead to a confidentiality breach or disclosure.

Information on some suitable methods for Data Protection can be found on the next page.

The Importance and Benefits of De-Identification

Correct Data de-identification provides a number of benefits, including satisfying the Privacy Act 1988 APP's by protecting the privacy of individuals, organisations and entities. It therefore increases the opportunity to safely share and reuse the data, reduces the risk of breaches, builds trust, and meets the expectations of Data Owners regarding the handling of their data.