This new commentary, written by the members of the Privacy in the Digital Economy Working Group, advocates for more transparency and guidelines in New Zealand around the de-identification of personal information.
De-identification is when personal information is modified to decrease the risk of identification of individuals. Many agencies (private, public) use de-identification to protect personal information and keep it usable at the same time. For example, Statistics NZ de-identifies some of the data it collects about New Zealanders so it can be made publicly available.
There are many, sometimes very sophisticated methods of de-identification and many of them are worth using, but they are never perfect. That is, as the authors wrote previously, using de-identification does not turn the information into anonymised information. It leaves some risk of re-identification of the individuals that has potential to harm them. This risk depends on many factors (e.g. information itself, the way it is used and the context) but nevertheless it needs to be properly managed. For example, if the institution produces the list of employees, their positions and salaries but removes their surnames, there is still a risk of identifying how much someone earns if she or he is, say, the only Disability Advisor in that institution. Publishing that list would effectively disclose someone’s financial information to other people.
The new commentary explains the background of de-identification and calls for the Privacy Commissioner or other relevant institution to issue guidelines around how to de-identify personal information in a manner that is proportional to the risk involved. This is very timely in light of many upcoming initiatives in the public and private sectors that seek to use de-identified personal information.
Seeing the forest and the trees: using de-identification effectively to protect privacy