April 16, 2013

De-identification of personal information held by businesses

The Office of the Australian Information Commissioner (OAIC) is seeking comment on Privacy Business Resource 2 — De-identification of data and information which will provide guidance to businesses and researchers about why, when and how to de-identify personal data and information held by a business.

Organisations are required under National Privacy Principle (NPP) 4 to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. From 12 March 2014 the NPPs will be replaced by the Australian Privacy Principles (APPs), which include new de-identification obligations in APPs 4 and 11. New de-identification obligations for credit reporting bodies will also apply from this date.

As a general rule an information asset that does not need to include personal identifiers should be de-identified.

De-identifying information in an information asset may enable the business or researcher to share or publish it without compromising individual privacy.

Before releasing information or data, organisations and researchers should confirm whether de-identification has been successful by using two suggested tests:
• Apply the ‘motivated intruder’ test — this test considers whether a reasonably competent, motivated person with no specialist skills would be able to identify an individual from the data or information (the specific motivation of the intruder is not relevant). It assumes that the motivated intruder would have access to resources such as the internet and all public documents, and would make reasonable enquiries to gain more information.
• Look at re-identification ‘in the round’ — that is, assess whether any agency, organisation or member of the public could identify any individual from the data or information being released, either from that data or information in itself or in combination with other available information or data.

Posted 16th April 2013 by David Jacobson in Privacy, Risk Management