{"id":56130,"date":"2020-05-25T13:00:01","date_gmt":"2020-05-25T03:00:01","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=56130"},"modified":"2020-05-26T17:13:14","modified_gmt":"2020-05-26T07:13:14","slug":"anonymous-no-more-make-it-a-crime-to-re-identify-personal-data","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/","title":{"rendered":"Anonymous no more? Make it a crime to re-identify personal data"},"content":{"rendered":"

On 14 May, the Australian parliament passed legislation<\/a> setting out the framework for the collection and use of data from the COVIDSafe contact-tracing app. The law amended the Privacy Act 1988<\/em> \u2018to support the COVIDSafe app and provide strong ongoing privacy protections\u2019.<\/p>\n

Much focus has rightly fallen on who can access the data gathered by the app, and for what purpose; however, little attention has been given to a provision that permits the collection and analysis of de-identified data for statistical purposes.<\/p>\n

This provision is not, of itself, troubling. De-identification or anonymisation is the process of stripping out characteristics that can identify the people who provided the data. For data analysts, it\u2019s a routine way to use large datasets to uncover trends and insights while protecting the privacy of individuals.<\/p>\n

But de-identification, while laudable in principle, suffers from a technical problem\u2014it is possible to re-identify, or de-anonymise, the individuals.<\/p>\n

This isn\u2019t a far-fetched or theoretical event. A notable example was the revelation<\/a> by University of Melbourne researchers in 2017 that confidential, de-identified federal patient data could be re-identified without the use of decryption. In another study<\/a>, the same researchers were able to re-identify users of Victoria\u2019s public transport system, demonstrating that only two data points were needed to re-identify individuals from large datasets.<\/p>\n

The problem of re-identification is likely to be made worse by advances in artificial intelligence. In a recent UK report on AI<\/a>, Olivier Thereaux of the Open Data Institute noted that even with \u2018pretty good\u2019 de-identification methods, AI systems can re-identify data by cross-referencing against other datasets.<\/p>\n

So, there are trade-offs. The more effective a technology is at drawing out insights from data, the more likely it is that individuals\u2019 privacy will be undermined. And the more we attempt to strip out information to protect privacy, the less useful the dataset becomes for legitimate research.<\/p>\n

This is not inherently problematic, or new. UK Information Commissioner Elizabeth Denham says in the same report that there\u2019s \u2018no such thing as perfect anonymisation; there is anonymisation that is sufficient\u2019. Her comments are in the context of the UK Data Protection Act, which criminalises illegitimate dataset re-identification.<\/p>\n

If Australia is serious about protecting data collected by government departments, agencies and other organisations to which the Privacy Act applies, it should follow the UK example.<\/p>\n

The government has considered this issue before. In response to the 2017 incident with the patient dataset, the Coalition introduced a bill<\/a> to criminalise illegitimate re-identification of datasets. However, the bill died in review<\/a> because of concerns that it would have a chilling effect on cybersecurity research.<\/p>\n

Those concerns are legitimate. Researchers shouldn\u2019t feel under pressure to stop calling out poor privacy practices. It\u2019s in the public interest for organisations to improve how they collect and publish datasets.<\/p>\n

But the need to enable legitimate cybersecurity research is also not a difficult obstacle to overcome. An exception could be made in the act for public-interest research by bodies such as universities, think-tanks and NGOs. That could be done in one of two ways.<\/p>\n

Researchers could be given the right to apply for the equivalent of a licence to re-identify government datasets. Something similar has been done under the Defence Trade and Controls Act, which includes a requirement for researchers to get a licence if they want to collaborate internationally on certain technologies.<\/p>\n

Such an approach would ensure that anyone seeking to re-identify data is thoroughly checked. But it\u2019s also overkill. Australia\u2019s original data privacy bill called for licensing or obtaining ministerial permission for such work, but it was criticised<\/a> for failing to provide a clear exemption for public-interest research.<\/p>\n

The other way is to write a defence or an exception to liability into the law that would place the legal burden of proof on the state. Licensing, by contrast, would require researchers to demonstrate that their work is in the public interest.<\/p>\n

That approach has the benefit of providing a clear exemption for researchers, and it\u2019s unlikely that prosecutors will be able to prove that university research isn\u2019t in the public interest.<\/p>\n

Britain took that approach in its Data Protection Act, which includes a public-interest defence to criminal liability.<\/p>\n

Of course, neither approach blocks the ability to re-identify datasets, any more than criminalising murder prevents people from murdering. But it would be an effective deterrent and moral indicator of unacceptable data practices.<\/p>\n

Moreover, such a provision would demonstrate the government\u2019s commitment to protecting privacy. This is especially important now as the government tries to persuade 10 million of us to download a tracing app.<\/p>\n

The concerns raised by the COVIDSafe app suggest that Australians care a lot about privacy, at least when information to be held by the government is involved. Facebook\u2019s data-collection policies don\u2019t appear to cause nearly as much concern. Let\u2019s turn that passion into action, starting with bolstering the privacy protections on large datasets.<\/p>\n","protected":false},"excerpt":{"rendered":"

On 14 May, the Australian parliament passed legislation setting out the framework for the collection and use of data from the COVIDSafe contact-tracing app. The law amended the Privacy Act 1988 \u2018to support the COVIDSafe …<\/p>\n","protected":false},"author":758,"featured_media":56132,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[2658,2138,2175,215],"class_list":["post-56130","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-coronavirus","tag-cybersecurity","tag-data","tag-privacy"],"acf":[],"yoast_head":"\nAnonymous no more? Make it a crime to re-identify personal data | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Anonymous no more? Make it a crime to re-identify personal data | The Strategist\" \/>\n<meta property=\"og:description\" content=\"On 14 May, the Australian parliament passed legislation setting out the framework for the collection and use of data from the COVIDSafe contact-tracing app. 
The law amended the Privacy Act 1988 \u2018to support the COVIDSafe ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2020-05-25T03:00:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-05-26T07:13:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2020\/05\/GettyImages-a0124-000083.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"677\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jessica Clarence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jessica Clarence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2020\/05\/GettyImages-a0124-000083.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2020\/05\/GettyImages-a0124-000083.jpg\",\"width\":1000,\"height\":677},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/\",\"name\":\"Anonymous no more? 
Make it a crime to re-identify personal data | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/#primaryimage\"},\"datePublished\":\"2020-05-25T03:00:01+00:00\",\"dateModified\":\"2020-05-26T07:13:14+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/347acb3291fd2e897e14ed34f2beacfb\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Anonymous no more? Make it a crime to re-identify personal data\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/347acb3291fd2e897e14ed34f2beacfb\",\"name\":\"Jessica Clarence\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/19282f2aa642cd55ddb227f1cfb62b42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/19282f2aa642cd55ddb227f1cfb62b42?s=96&d=mm&r=g\",\"caption\":\"Jessica Clarence\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/jessica-clarence\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Anonymous no more? 
Make it a crime to re-identify personal data | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/","og_locale":"en_US","og_type":"article","og_title":"Anonymous no more? Make it a crime to re-identify personal data | The Strategist","og_description":"On 14 May, the Australian parliament passed legislation setting out the framework for the collection and use of data from the COVIDSafe contact-tracing app. The law amended the Privacy Act 1988 \u2018to support the COVIDSafe ...","og_url":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2020-05-25T03:00:01+00:00","article_modified_time":"2020-05-26T07:13:14+00:00","og_image":[{"width":1000,"height":677,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2020\/05\/GettyImages-a0124-000083.jpg","type":"image\/jpeg"}],"author":"Jessica Clarence","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Jessica Clarence","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2020\/05\/GettyImages-a0124-000083.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2020\/05\/GettyImages-a0124-000083.jpg","width":1000,"height":677},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/","url":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/","name":"Anonymous no more? 
Make it a crime to re-identify personal data | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/#primaryimage"},"datePublished":"2020-05-25T03:00:01+00:00","dateModified":"2020-05-26T07:13:14+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/347acb3291fd2e897e14ed34f2beacfb"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/anonymous-no-more-make-it-a-crime-to-re-identify-personal-data\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Anonymous no more? 
Make it a crime to re-identify personal data"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/347acb3291fd2e897e14ed34f2beacfb","name":"Jessica Clarence","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/19282f2aa642cd55ddb227f1cfb62b42?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/19282f2aa642cd55ddb227f1cfb62b42?s=96&d=mm&r=g","caption":"Jessica Clarence"},"url":"https:\/\/www.aspistrategist.ru\/author\/jessica-clarence\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/56130"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/758"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=56130"}],"version-history":[{"count":5,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/56130\/revisions"}],"predecessor-version":[{"id":56183,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/56130\/revisions\/56183"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/56132"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=56130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=56130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=56130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}