Information commissioner Timothy Pilgrim has warned that effective data de-identification remains an elusive goal in the "data space race" consuming Australia’s enterprises.
He told the business community he was willing to consider de-identified data outside of the strict protection demands of the Privacy Act, but only when the ID stripping process meets the highest standards.
The OAIC is set to clarify these standards in upcoming draft guidance.
In a blog post written in the lead up to his CeBIT address in two weeks, Pilgrim reiterated the risks posed by undercooked de-identification.
“De-identification is a concept anyone can get, but not anyone can deliver,” he wrote.
“It is far more complicated than removing names or postcodes, and ... the risks of getting it wrong can be substantial and very public.
“I would say that’s ‘not rocket science’, but it kind of is."
However, he appears to have warmed to the process somewhat, stating that “when done correctly, de-identified information is no longer personal information and is therefore outside the scope of the Privacy Act”.
“The track record of expertly de-identified data in preventing data breaches is very strong," he said.
“The OAIC is in favour of organisations using de-identification as a tool to protect both their customers and their reputation; provided that checks and balances, audit and review, and quality control are built in to your processes."
But just last year he cautioned that organisations should still treat de-identified or anonymised data in the same way they treat personally identifiable information, to safeguard themselves in case their efforts were reversible.
He pointed to high-profile cases in the US where researchers have been able to re-identify data sets by combining them with new information.