Published on the 12/05/2016 | Written by Clare Coulson
The re-identification of anonymous data sets holds vast potential for enterprises wanting to better understand and target new customers, but should it be allowed?…
The Honourable Amy Adams, in her capacity as Minister for Justice, delivered the opening address at a privacy forum in Wellington this month. While her speech touched on many areas of privacy and data security, the question of data re-identification was notable. Using the Fitbit as an example, Ms Adams said the wearables discretely collect data such as how far the wearer has walked, their heartrate and how well they have slept. That’s all well and good, you say, since the data is anonymous, but Ms Adams claims to have seen reports that show these data sets can be cross-referenced so that people are re-identified purely by the way they walk. This re-identified personal information could then be used, for example, by marketers to gain useful insights to offer tailored goods and services to specific people and customer segments.
“Are we okay with that?” she asked. “What do we think about commercial uses of re-identified data like your health insurer buying information that shows you don’t walk more than 1000 steps a day when that information is sensitive? Or a credit agency seeing from location information that you spend a lot of time at the casino?”
It’s a big question, and one that will elicit different responses depending upon which side of the enterprise-customer fence you are sitting. Do we want to prohibit one or all of these examples? There is no right or wrong answer but Ms Adams is calling for businesses and Government to now focus more on how information is used and whether those uses benefit people and society, or cause harm (as opposed to focusing on how information about a person is obtained, such as whether it is provided, observed, derived or inferred).
Ms Adams is working with The Data Futures Partnership – an independent cross-sector group which provides a collective voice on, and helps lead, the development of the data-use system in New Zealand – which will be including the theme of re-identification in its public debate in the second half of this year. She said the debate will in part address the topic of the ‘social license’ to use data in new and interesting ways.
The discussion will likely beg the question of how ‘private’ information is defined in the Facebook age. As Ms Adams put it, does a relationship status update posted on a public social media profile alter the privacy protection that applies to use of that information? Who can use that information in the future and for what purpose?
The potential gains from the use of data (including open data and personal data) could be huge. According to its website, The Partnership says that data-driven innovation has already been estimated as contributing $2.4 billion to gross value added in New Zealand in 2014 and suggests that if New Zealand adopts data-driven innovation at the same average rate estimated for Australian business, the value would be $4.8 billion per annum. But, it says that economic and social value will only be created by sharing data appropriately, hence the question mark over re-identification of anonymous data.
It is impossible to consider today and tomorrow’s data issues through an antiquated privacy lens. The Privacy Act was passed in 1993, long before social media was a thing and even before email was ubiquitous so we need to “continually re-calibrate society’s view” on the issues of data privacy and ownership, says Ms Adams.
It also requires updates to the privacy laws – something that the Government is working towards following a review of the Privacy Act undertaken by the Law Commission. Proposed changes include stronger powers for the Privacy Commissioner, mandatory reporting of breaches, new offences and increased fines. With significant information held offshore by companies like Google and Facebook, new measures will also address privacy concerns about cross-border information flows. Ms Adams intends to introduce the Bill into Parliament in 2017.
The Privacy Forum, which also runs in Auckland, forms part of the Government’s Privacy Week and features presentations and discussions about privacy and data protection. The full transcript of Ms Adam’s opening address can be read here.
