odi privacy v0.3

FEEL FREE
A NEW APPROACH TO CYBER SECURITY

ODI – Open Data and Privacy

© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Upload: odileeds

Post on 17-Jul-2015


AGENDA


• Introduction

• It’s good to be positive. However…

• Stripping data and anonymisation

• When things go wrong

• Sources of Guidance

Introduction


• 17 years in information assurance and cybersecurity

• Worked with many of the large HMG data repositories across health, education, tax, law enforcement… from a security perspective

• Investigated opening up access to a large HMG dataset (~20m citizens)… in the Open Data context.


The Positive View!

• Open Data not always BIG DATA

• BIG DATA can be Open Data

• Tremendous value in unlocking the relationships within (and between) datasets

• Correlation vs causation

• New opportunities

• Increasing transparency


It’s good to be positive. However…

• Often assumed that Open Data will only be used by the Good Guys to deliver well-intentioned services

• Public is more cynical

• Need to sell the benefits to the data subjects!


Example – Health

http://www.patients-association.com/wp-content/uploads/2014/06/APPG-Report-on-Care-data.pdf


“The legal penalties to be imposed on individuals and organisations who misuse or abuse patient data remain to be resolved.”


“Patients and the public are broadly supportive of the principle of using health data for research that is in the public interest.”

“However, all organisations agreed that the public had been inadequately consulted in the early stages of the Care.data programme and that it was therefore correct to halt the programme to allow further public consultation.”


Trust is important

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/367788/Sir_Nick_Partridge_s_summary_of_the_review.pdf


“It disappoints me to report that the review has discovered lapses in the strict arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly.”

“The data provided to these other organisations under data sharing agreements is not anonymised. Although names and addresses are normally removed, it is possible that the identity of individuals may be deduced if the data is linked to other data.”

588 data releases to a range of private sector organisations, including “four Data Sharing Agreements made by the NHS IC with three re-insurance companies which allow those re-insurers to continue to use the data until the agreements expire in 2015 and 2016”

3059 Releases of Data

Sell it to your data subjects!

DO:

• Know the benefits before you begin

• Data subjects should also benefit

• The public are cynical about private sector profiting from their data
  - But happy to share if they also see or feel the benefit, e.g. social media

• Know and publicise the controls you will have in place
  • Anonymisation
  • Data sharing agreements

• Consult with representatives of the data subjects

• Obtain opt-in and consent

[Figure: Benefits / Risks]


DO NOT:

• Assume the public share a utopian vision of the benefits of Open Data

• Attempt to provide vague assurances that their data will be secure – you will get called out*

• Plough on regardless

* Or worse, held accountable – the ICO is watching…


Stripping Data and Anonymisation

• Removing personally identifiable information ≠ anonymisation!

• Utility and value of data is inversely proportional to level of anonymisation

• Danger with Open Data lies in information gain, not just re-identification
  • Can gain knowledge of characteristics without full re-identification

• Do not view your records in isolation; linked datasets make re-identification more straightforward

• What’s anonymous for Joe Bloggs is not anonymous for Celebrity X

• Family, Nosy Neighbours, Employers…


“Data protection law does not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.”


https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/367788/Sir_Nick_Partridge_s_summary_of_the_review.pdf

The table below is taken from the Partridge Review of Data Releases by the NHS Information Centre. It’s an example only.

Enough to identify edge cases, e.g. tall, overweight, out of town pupils. Likely also enough to enable many non-edge cases to be identified in small cohorts.

Link to National Pupil Database may also then enable information gain – ethnicity, financial status, academic attainment, exclusion flags etc.


Pupil ID shared with other HMG databases?

Gives the month of birth of the child

Provides physical characteristics of the child

Provides geographic location of school

Provides geographic location of child

When things go wrong…

• AOL: release of “anonymised” search queries

• Media: The Freedom of Information Act attacks!
  http://www.manchestereveningnews.co.uk/news/health/aes-frequent-flyers-one-woman-8370650

• Netflix: release of “anonymised” film reviews

• Target: the scary side of Big Data


What you can do…


• Aggregation, sampling, re-coding, perturbation, suppression, substitution etc.

• Only release aggregates where you can!
  • With small numbers removed

• Re-code to remove uniqueness
  • E.g. Date of birth re-coded to age ranges


• k-privacy, t-closeness, l-diversity, differential privacy
  • k-privacy – impossible to unambiguously identify an individual as k records have the same attributes
  • Does not prevent information gain
  • All k records share same attributes

• Tools exist to help
  • http://arx.deidentifier.org
  • http://neon.vb.cbs.nl/casc/mu.htm
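Added example (not part of the original slides): the re-coding and suppression steps above, followed by a check of k (what the slides call k-privacy, more commonly k-anonymity) and of groups where all k records share the same sensitive value. The records, column choices, reference date and the threshold k=3 are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not real data): date of birth, postcode district, diagnosis.
RECORDS = [
    ("1980-03-14", "LS1", "asthma"),
    ("1982-07-02", "LS1", "diabetes"),
    ("1984-11-23", "LS1", "asthma"),
    ("1961-01-09", "LS6", "cancer"),
    ("1963-05-30", "LS6", "cancer"),
    ("1964-12-12", "LS6", "cancer"),
    ("1999-08-08", "LS9", "asthma"),
]
AS_OF = date(2015, 7, 17)  # assumed fixed reference date so age bands are reproducible

def age_band(dob, width=10):
    """Re-code an ISO date of birth to an age range such as '30-39'."""
    born = date.fromisoformat(dob)
    age = AS_OF.year - born.year - ((AS_OF.month, AS_OF.day) < (born.month, born.day))
    low = age // width * width
    return f"{low}-{low + width - 1}"

def classes(rows):
    """Group sensitive values by quasi-identifier tuple (all columns but the last)."""
    groups = defaultdict(list)
    for *quasi, sensitive in rows:
        groups[tuple(quasi)].append(sensitive)
    return groups

def k_of(rows):
    """k = size of the smallest group sharing the same quasi-identifiers."""
    return min(len(v) for v in classes(rows).values())

def suppress(rows, k):
    """Drop every record whose group has fewer than k members."""
    groups = classes(rows)
    return [r for r in rows if len(groups[tuple(r[:-1])]) >= k]

def homogeneous(rows):
    """Groups where every record has the same sensitive value (l-diversity of 1)."""
    return sorted(q for q, vals in classes(rows).items() if len(set(vals)) == 1)

RECODED = [(age_band(dob), area, dx) for dob, area, dx in RECORDS]
RELEASE = suppress(RECODED, k=3)

if __name__ == "__main__":
    print("k raw:", k_of(RECORDS), "| k recoded:", k_of(RECODED), "| k release:", k_of(RELEASE))
    print("groups that still leak the diagnosis:", homogeneous(RELEASE))
```

Re-coding alone leaves k at 1 because of the single LS9 record; suppression brings the release to k=3, yet anyone known to be in the 50-59/LS6 group is still revealed to have the same diagnosis.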


• Create different data sets for different purposes
  • Tier your data based on levels of uniqueness
  • Place tighter controls on more unique tiers

• Create and ENFORCE data sharing agreements
  • Still awaiting criminalisation of attempts to re-identify anonymised data

• Use Safe Havens where you can
  • Data remains in a controlled environment
  • Usage can be monitored, controlled and investigated.

SOURCES OF GUIDANCE


• UK Anonymisation Network: http://ukanon.net

• ISO 29100 (Privacy Framework)

• Us!


PARTING THOUGHTS


“In theory there is no difference between theory and practice. In practice there is.”

Yogi Berra

THANK YOU

PRESENTATION BY LEE NEWCOMBE

E-mail:[email protected]

Mob: 07468711307

Twitter:@lee_newcombe