The Office of the Australian Information Commissioner (OAIC) is seeking comment on Privacy Business Resource 2 — De-identification of data and information which will provide guidance to businesses and researchers about why, when and how to de-identify personal data and information held by a business.

Organisations are required under National Privacy Principle (NPP) 4 to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. From 12 March 2014 the NPPs will be replaced by the Australian Privacy Principles (APPs), which include new de-identification obligations in APPs 4 and 11. New de-identification obligations for credit reporting bodies will also apply from this date.

As a general rule an information asset that does not need to include personal identifiers should be de-identified.

De-identifying information in an information asset may enable the business or researcher to share or publish it without compromising individual privacy.

Before releasing information or data, organisations and researchers should confirm whether de-identification has been successful by using two suggested tests:
•Apply the ‘motivated intruder’ test — this test considers whether a reasonably competent motivated person with no specialist skills would be able to identify the data or information (the specific motivation of the intruder is not relevant). It assumes that the motivated intruder would have access to resources such as the internet and all public documents, and would make reasonable enquiries to gain more information.
•Look at re-identification ‘in the round’ — that is, assess whether any agency, organisation or member of the public could identify any individual from the data or information being released — either in itself or in combination with other available information or data.