3 October, 2016
Australian privacy laws will be updated to make it a criminal offence for anyone to re-identify individuals from anonymised government datasets, the country's attorney general has said.
George Brandis QC said the reforms to Australia's Privacy Act would also make it an offence to "counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset".
The amendments to the legislation will be brought before parliament later this year and, if approved, will be back-dated to take effect from 28 September 2016, Brandis said.
Brandis said: "In accepting the benefits of the release of anonymised datasets, the government also recognises that the privacy of citizens is of paramount importance. It is for that reason that there is a strict and standard government procedure to de-identify all government data that is published. Data that is released is anonymised so that the individuals who are the subject of that data cannot be identified."
"However, with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future. The amendment to the Privacy Act will create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset," he said.
The announcement of the change to legislation was made shortly before Australia's privacy commissioner opened an investigation into "a potential vulnerability" with data published on the Australian government's websites. The data stems from the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme, the watchdog said. The Department of Health in Australia has suspended access to the data for the time being.
Australia's privacy commissioner Timothy Pilgrim said: "The primary purpose of the investigation is to assess whether any personal information has been compromised or is at risk of compromise, and to assess the adequacy of the Department of Health’s processes for de-identifying information for publication."
In a statement, the Department of Health said it had acted to remove the dataset from government's online data portal after an academic at Melbourne University said it was possible to "decrypt some service provider ID numbers".
It said: "The dataset does not include names or addresses of service providers and no patient information was identified. However, as a result of the potential to extract some doctor and other service provider ID numbers, the Department of Health immediately removed the dataset from the website to ensure the security and integrity of the data is maintained."
"No patient information has been compromised, and no information about the health service providers has been publicly identified or released. The Office of the Australian Information Commission has been made aware of the issues and is currently investigating the matter and providing independent oversight. The Department of Health is undertaking a full, independent audit of the process of compiling, reviewing and publishing this data and this dataset will only be restored when concerns about its potential vulnerabilities are resolved," the government said.
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said there are "too many misconceptions about anonymisation". Dautlich said computer scientists have warned for years that "perhaps as few as three or four data points are sufficient to re-identify many datasets", citing one such paper published in 2000 (34-page / 311KB PDF) by Latanya Sweeney of Carnegie Mellon University.
These findings seem only recently to have gained traction amongst policymakers, such as the Australian privacy commissioner and the national data guardian in England, Dame Fiona Caldicott, Dautlich said.
Recently, Dame Fiona, in a report into NHS data privacy and security, said the UK government should "consider introducing stronger sanctions to protect anonymised data".
Dame Fiona said: "This should include criminal penalties for deliberate and negligent re-identification of individuals."
Kuan Hon of Pinsent Masons said the British Computer Society is likely to comment on the issue of criminal penalties for de-anonymisation as well as other issues in a response due to be published to Dame Fiona's review. Hon is a member of the BCS' information privacy expert panel.
For further information, please contact:
David Rennick, Partner, Pinsent Masons
david.rennick@pinsentmasons.com
