Finntech startup Adatree becomes first company in Australia to de-identify data under the regulated Consumer Data Right
● Adatree has created the first and only framework in Australia to de-identify data
● Organisations will no longer need to delete customer data at the of the CDR consent lifecycle – it can be de-identified for internal or external purposes to leverage it to solve problems, provide insights internally and provide value-add for customers
● Consumer privacy will be protected by removing all ‘identifiers’ in customer and transaction data
Immediate release, Thursday 13 October 2022, Sydney, Australia: In what is set to change the way organisations access and leverage consumer data, award-winning data intermediary and recipient platform Adatree (adatree.com.au) has created the first and only framework in Australia to de-identify data in the regulated Consumer Data Right (CDR), which will enable a multitude of benefits for data recipients and consumers.
De-identifying data refers to removing all identifiers to an individual – such as their name and address to their client number or tax file number – so they are no longer identifiable. Under CDR legislation, individuals give consent to accredited data recipients to use and store their data for a set period of time. At the end of the consent lifecycle, consumers have two options: to have their data deleted or de-identified.
However, up until now, no organisation has been successful in creating a de-identification framework for CDR data nor is there any provider in Australia offering this service due to its complex nature. Other data recipients have had to delete all consumer data and any associated reporting or insights, even if they’re only for internal use. For example, Netflix had released some ‘de-identified’ customer usage data but university researchers found they were able to re-identify a portion of the data and connect it with their IMDb user movie ratings.
Adatree spent the past 12 months developing and testing methods for data de-identification on small data sets. As part of the fintech’s greater objective to ensure de-identified data cannot be re-identified, Adatree then engaged Australia’s leading data privacy researchers CSIRO – via its CSIRO Kick-Start initiative which provides startups with funding support and access to their research expertise and capabilities – to seek advice and better understand what methods could be used to further mitigate risks. CSIRO provided visibility to Adatree on potential gaps in the data based on best practice of the complex issue.
Following CSIRO’s research and recommendations, Adatree independently chose a method of deidentification that they believe will deliver the highest assurance compliance. Adatree undertook research and testing to verify the data could not be re-identified via the reverse process.
With data de-identification offered to Adatree’s clients, there is now an alternative to the mandated deleting of CDR data. Organisations can benefit from ongoing access to key sources of de-identified customer information that could assist with business modelling and trend reporting. For consumers, the choice to continue sharing their de-identified data offers the potential for new and improved solutions and services.
CEO and co-founder of Adatree Jill Berry, says: “While the Consumer Data Right caters for data de-identification, no other intermediary is providing this solution and service. If an individual's data can be deidentified while enabling organisations to continue learning from that data, there is no need to delete it. This, of course, can only happen with the consumers’ explicit consent and Adatree’s ability to meet assurance compliance of the de-identification practices.
“In establishing a robust de-identification framework for the Consumer Data Right, all parties involved in this complex ecosystem will benefit: the Government, the businesses accessing the data, and the end customers enjoying improvements to their products and services.
“Adatree is thrilled to be the first company in Australia to de-identify data in the CDR. Offering data de-identification as a service is the next step in the Consumer Data Right, and we’re eager to bridge the gap between consumers owning their data and organisations leveraging it.”
Adatree is currently de-identifying data for internal uses only, and will offer data de-identification as a service (DDaaS) in the coming months