I don’t know about you, but I’ve often found the expression, “it’s not rocket science”, a little curious.
It’s deployed to make an idea seem simple, like anyone can ‘get’ it. The irony is that the basic idea behind rocket propulsion is itself reasonably straightforward. But the successful and safe execution of that idea is terribly complicated.
Rocket science is something anyone can get. But it’s something not anyone can do. And, given the consequences of getting it wrong, it is a practice that is best left to experts.
I’ve been reminded of this phrase, and of the 1960s space race itself, as I prepare to speak about deidentification at CeBIT 2016. Because right now Australian agencies and businesses are in something of a data space race; and deidentification may well be privacy’s rocket science – the technology that unlocks the potential of where we want to go, while protecting individual rights.
My office, the Office of the Australian Information Commissioner (OAIC), understands the great value of information, and that this value is often best realised when it can be shared, used and built upon.
We know that Australian organisations, both public and private, are rapidly embracing big data and data innovation as powerful tools to develop better products and services.
But we also know that when data includes personal information, Australia’s citizens retain rights as to how that data is used or reused, which the OAIC regulates and upholds.
You may ask, “if only there were a way to separate the ‘personal’ from the ‘information’?”
Deidentification is a smart and contemporary response to the privacy challenges of big data — using the same computing technology that allows data analytics to strip data sets of their personal identification potential, while retaining the research utility of the data.
When done correctly, deidentified information is no longer personal information and is therefore outside the scope of the Privacy Act. At first glance then, it has the potential to solve the privacy dimensions of data analytics – to be the privacy key to our big data moon shots.
But don’t rush to your launch pads yet, because like the rocket science of the 1960s, deidentification is a concept anyone can get, but not anyone can deliver. It is far more complicated than removing names or postcodes, and – like in space flight – the risks of getting it wrong can be substantial and very public.
Famous examples of ‘reidentification’ by hackers and privacy advocates point to the risks of poorly attempted deidentification strategies – that is, ‘deidentifications’ that were not conducted to known industry standards.
But, fortunately, the track record of expertly deidentified data in preventing data breaches is very strong, and the OAIC is in favour of organisations using deidentification as a tool to protect both their customers and their reputation, provided that checks and balances, audit and review, and quality control are built in to your processes.
To assist businesses and agencies, OAIC will soon release new draft guidance dealing with issues raised by big data and deidentification, and we look forward to working with organisations and technical experts to refine our approach to regulating privacy in the big data age.
Deidentification is a topic that you will be hearing a lot more from OAIC on in the coming year. It’s one that I’m looking forward to exploring at CeBIT 2016 and during our great business events during Privacy Week 2016.
It’s not the only approach available to manage the privacy dimensions of big data, but it is one with powerful potential.
It is certainly a potential solution that Government, business and academia should work together on now to explore, test and refine, using our combined skills and expertise.
Because if there’s one thing we can all understand about deidentification, it’s that getting the execution right is critical.
I would say that’s “not rocket science”, but it kind of is.
This is a guest post by Timothy Pilgrim, Australia’s Acting Information Commissioner.