UK Government opts for sensible approach in permitting researchers test anonymisation measures

January 14, 2018 |

The mantra by regulators that data which is anonymised can be used for research and published has resulted in significant embarrassment when said anonymisation resulted in re identification. It has spawned a busy subset of academic articles on how this happens and generally advising caution, see for example All or Nothing: The False Promise of Anonymity in the Data Science Journal.

 Re identification occurs were there has been insufficient de identification and the methods of re identifying are generally one or both of pseudonym reversal or by combing data sets.

In Australia the Government introduced the Privacy Amendment (Re-identification Offence) Bill 2016.  If enacted it will prohibit the re-identification or attempted re-identification of de-identified information released by, or on behalf of, Commonwealth Government agencies, as well as prohibiting the disclosure of any such re-identified personal information. Re-identification of previously de-identified government information would be an offence, with penalties of up to two years in prison or a fine of $21,600. Such conduct could also be the subject of a civil penalty of up to $108,000 for individuals or up to $540,000 for bodies corporate.  It also requires entities which re-identify previously de-identified government information to notify the Commonwealth agency that originally released that information.  There are exceptions for:

  • a government agency acting in connection with the performance of it’s function or activity or as required by law or court order;
  • entities providing services to Commonwealth agencies for the purpose of meeting their contractual obligations to the agency that originally released the de-identified information;
  • entities that enter into agreements with the Commonwealth agency that originally released the de-identified information to perform functions or activities on behalf of that agency, where the act is done in accordance with that agreement; and
  • acts done in accordance with a ministerial exemption (including cryptology or information security researchers).

It is fair to say that the Bill has languished.  IT has not even had a second reading in the Senate, where it was introduced.

In the UK the original version of the Data Protection Bill proposed new offence relating to the re-identification of anonymised data. In more particular terms it would be an offence to take steps, knowingly or recklessly, to re-identify information that has been “de-identified”.  There is the defence that the action could be justified in the public interest, a nebulous defence indeed.  The Government has proposed amendments which involves a more nuance approach.  The amendments provide that that security researchers will avoid criminal conviction when testing whether anonymisation measures work.  People who satisfy “effectiveness testing conditions” would have a defence.  The defence is in two parts:

  • the person acted: with a view to testing the effectiveness of the de-identification of personal data, without intending to cause, or threaten to cause, damage or distress to a person, and in the reasonable belief that, in the particular circumstances, reidentifying the information was justified as being in the public interest,” according to the amendment proposed.
  • the person notified the Information commissioner or the controller responsible for de-identifying the personal data about the reidentification: without undue delay, and where feasible, not later than 72 hours after becoming aware of it.

Anonymisation and re identification pose real policy and legal problems.  Chasing down and prosecuting those who re identify data out of intellectual curiosity and advise or even publicise what they have done is of questionable benefit.  It may even appear vindictive.  Those who de identify and then use that information to commit crimes, such as fraud and identity theft, could be prosecuted for those crimes.

The public policy issues are huge. It is not an issue that is currently vexing the Australian Parliament.

One Response to “UK Government opts for sensible approach in permitting researchers test anonymisation measures”

  1. UK Government opts for sensible approach in permitting researchers test anonymisation measures | Australian Law Blogs

    […] UK Government opts for sensible approach in permitting researchers test anonymisation measures […]

Leave a Reply