On 18 September 2017 the Office of the Australian Information Commissioner (OAIC) launched the De-Identification Decision-Making Framework (DDF) which had been compiled by the OAIC in close collaboration with the CSIRO, Data61, the Australian Bureau of Statistics and the Australian Institute of Health and Welfare. The DDF builds on the pre-existing OAIC Privacy Business Resource 4 and is an Australian adaptation of the UK resource “The Anonymisation Decision Making Framework”.
The new DDF adapts the UK model for Australian language and legislation and is far more comprehensive than the 2014 guidance in Privacy Business Resource 4. It provides a framework for making de-identification decisions that take legal and ethical considerations into account and that treat the process as a risk management exercise, recognising that, in a world of ever-increasing data, the risk of re-identification can never be nil.
The DDF builds on the Commissioner’s 2016 draft consultation guide to big data and the Australian Privacy Principles. The draft guide released in May 2016 provided guidance for the use of big data in an Australian Privacy Principle (APP) context. See our article on the guide here.
The DDF provides guidelines for taking data sets, and particularly big data sets, outside the context of the Privacy Act by de-identifying them. Those data sets and data elements are then available for purposes that would not necessarily be legally available if the data were not de-identified.
For anyone involved in big data or data analytics, or looking at ways organisations can monetise their data, this publication sets out a way to implement and operationalise a risk management framework. A number of diagrams and examples are used in the guide to bring the subject to life. In this short note we reproduce below figure 2, which is a diagrammatic representation of the DDF setting out the 10 key points and the 3 steps: the data situation audit, the risk analysis and control stage, and the impact management stage.
The DDF also speaks to the issue of consent within the context of data use and, as such, provides guidance on how the various tools to protect use, including consent, can be applied.