A team from the University of Melbourne has been able to take de-identified data of 2.9 million Australians and put it back together to identify who the data pertains to. This has potentially placed the personal data on more than one in ten Aussies in public, with sport stars and other public figures likely to be targeted.
The data comes from publicly accessible and de-identified Medicare and Pharmaceutical Benefit Scheme (PBS) data. By using easily accessed data such as dates of birth and when people had particular procedures the researchers have been able to reconstruct quite personal information. The Office of the Australian Information Commissioner (OAIC) has said they are investigating the matter.
The report, published by Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague from the University of Melbourne’s School of Computing and Information Systems said, “We found that patients can be re-identified, without decryption, through a process of linking the unencrypted parts of the record with known information about the individual such as medical procedures and year of birth”.
With so much data being collected today, one of the promises that many agencies have made is that any data that is put into the public domain will be de-identified so individual privacy can’t be compromised.
Based on the research of the Univeristy of Melbourne team, this is plainly a flawed claim. Although it might be possible to de-identify one data set, the tools and methods now exist to take multiple data sets and assemble them to glean more information than was previously realised. While the OAIC’s investigation is not new – it was launched over a year ago – the consequences of this data sharing and how it might be misused should be of significant concern to everyone, particularly as we move into a new era where electronic heath records are being created for every Australian unless they specifically opt out.