Australian Privacy Commissioner Timothy Pilgrim has warned businesses that de-identifying datasets will not absolve them of the need to meet the stringent information protection demands of the Privacy Act.
Speaking to the International Association of Privacy Professionals today, Pilgrim said even anonymised datasets should be treated the same as personally identifiable information to future-proof organisations against increasingly sophisticated data matching efforts.
“The current challenge facing all organisations that handle large data sets is that data sets of ‘anonymous data’ are fast becoming identifiable,” he told the conference.
“Personal information is not just that which does identify you, but that which may.”
Anonymising data by stripping names, addresses and other identifying details from large datasets is a popular method of securing information against potential privacy breaches before it is aggregated and analysed.
A number of studies have already proven that purportedly de-identified data can be re-identified if it is matched against other information.
Researchers from the University of Texas famously unlocked a database of 500,000 seemingly anonymous Netflix users in 2008, while a US privacy researcher reverse-engineered celebrities’ taxi rides by pairing de-identified records from the New York Taxi and Limousine Company with social media pictures.
“Big data and data analytics mean that there are increasingly more methods of matching and identifying information previously thought not to be personal,” Pilgrim said.
“So my advice to prudent organisations would be to work on the assumption that such data is personal information.”
His guidance comes on the back of an ongoing privacy battle by Fairfax journalist Ben Grubb against Telstra, over a request that the telco hand over his metadata.
In May, Pilgrim ruled the metadata did in fact qualify as personal information and thus should be made accessible to a customer under the provisions of the Privacy Act.
Telstra said it would appeal the decision.
The Senate is currently considering an amendment to welfare laws that would allow the government to release de-identified records of payments to policy makers and researchers.
Pilgrim also used the IAPP address to reveal he was still waiting to hear from the government about the introduction of a promised mandatory data breach notification bill.
The government committed to the scheme following the passage of data retention legislation earlier this year.