Adatree creates framework to de-identify data
Fintech startup Adatree says it has created the first and only framework in Australia to de-identify data in the regulated Consumer Data Right (CDR).
De-identifying data refers to removing all identifiers to an individual — such as their name and address, client number or tax file number — so they are no longer identifiable. Under CDR legislation, individuals give consent to accredited data recipients to use and store their data for a set period of time. At the end of the consent lifecycle, consumers have two options: to have their data deleted or de-identified.
According to Adatree, no organisation has been successful in creating a de-identification framework for CDR data nor is there any provider in Australia offering this service due to its complex nature. Other data recipients have had to delete all consumer data and any associated reporting or insights, even if they’re only for internal use. For example, Netflix had released some ‘de-identified’ customer usage data but university researchers found they were able to re-identify a portion of the data and connect it with their IMDb user movie ratings.[1]
The company spent the past 12 months developing and testing methods for data de-identification on small datasets. As part of the fintech’s greater objective to ensure de-identified data cannot be re-identified, Adatree then engaged CSIRO — via its CSIRO Kick-Start initiative, which provides startups with funding support and access to expertise — to seek advice and better understand what methods could be used to further mitigate risks. CSIRO provided visibility to Adatree on potential gaps in the data based on best practice of the complex issue.
Following CSIRO’s research and recommendations, Adatree independently chose a method of de-identification that it believes will deliver the highest assurance compliance. The company undertook research and testing to verify the data could not be re-identified via the reverse process.
With data de-identification offered to Adatree’s clients, there is now an alternative to the mandated deleting of CDR data. Organisations can benefit from ongoing access to key sources of de-identified customer information that could assist with business modelling and trend reporting. For consumers, the choice to continue sharing their de-identified data offers the potential for new and improved solutions and services.
“While the Consumer Data Right caters for data de-identification, no other intermediary is providing this solution and service. If an individual’s data can be de-identified while enabling organisations to continue learning from that data, there is no need to delete it. This, of course, can only happen with the consumers’ explicit consent and Adatree’s ability to meet assurance compliance of the de-identification practices,” said Adatree CEO and co-founder Jill Berry.
“In establishing a robust de-identification framework for the Consumer Data Right, all parties involved in this complex ecosystem will benefit: the government, the businesses accessing the data and the end customers enjoying improvements to their products and services.
“Adatree is thrilled to be the first company in Australia to de-identify data in the CDR. Offering data de-identification as a service is the next step in the Consumer Data Right, and we’re eager to bridge the gap between consumers owning their data and organisations leveraging it.”
The company is currently de-identifying data for internal uses only and will offer data de-identification as a service (DDaaS) in the coming months.
CrowdStrike to buy Adaptive Shield
CrowdStrike is augmenting its SaaS security capabilities through the acquisition of Israeli-based...
LockBit named nastiest malware of 2024
LockBit, a ransomware malware known to have been used to attack Australian targets, has been...
Extreme Networks launches ZTNA solution
Extreme Networks' new ExtremeCloud Universal ZTNA solution combines cloud network access...