CIO

How can businesses protect their customers as well as the value of data?

Australia has an opportunity to lead the world in data privacy, says Data61's Dali Kaafar

Data in the right hands has the potential to unlock innovation, improve productivity and guide decision making. McKinsey estimates that there is between US$3.2 trillion and US$5.4 trillion in economic value at stake around the potential of open data in sectors like education, transportation, consumer products and healthcare to name a few.

But the recent Cambridge Analytica scandal is a timely reminder to Australian business leaders about their responsibility to protect customer data. This week, Facebook launched a data abuse bounty program that will pay users up to US$40,000 if they find companies using unauthorised data.

The explosive growth in big data adoption (which reached 53 per cent in 2017 across all companies surveyed, up from 17 per cent in 2015), alongside the widespread use of social media, has raised very pertinent discussions around the ethical context of data usage.

Despite the alarming revelations from the Facebook fallout, we should recognise that Australia has a great opportunity to lead the world in data privacy.

With the right conversations and research focus, our country could shape the way the world approaches corporate data privacy — through creating technology that will allow our society to freely share data and increase efficiencies, while still maintaining the integrity of an individual’s privacy and without revealing proprietary information.

We are already seeing the emergence of these data sharing principles and technologies in Australia with the adoption of blockchain and initiatives like the recent Open Banking Review. But the financial services sector is only the tip of the iceberg.

If employed correctly, a data-sharing framework could exist in many industries; take agriculture and supply chain integrity, for example. Farmers and producers could combine data about the yields of their crops without having to share the actual data, to make more accurate predictions about increasing crop yield in different environments.

Combined with transport and logistics data, better delivery routes and times could be established between parties on the supply chain, so that the infrastructure we all depend on runs at higher levels of operational efficiency.

So what could this data sharing future look like? How can Australian organisations preserve the utility of data, while still honouring customers' privacy? It is still early days, but that makes it all the more important that we are having the right discussions, as the correct measures need to be put in place now, rather than once a breach happens.

The ethical use of customer data is a fine balancing act. Many businesses collect data that has the potential to be incredibly useful for improving productivity, economic growth, efficiency and even overall quality of life for end users, yet working out how to derive these insights for the creation of better products and services, without compromising the privacy of an individual can be a challenge.

At Data61 we are researching and developing models and products that will allow organisations to have the best of both worlds. These safety measures can come in a few forms:

Data encryption to enable private analytics

One method Australian businesses can employ is to use technology platforms that process data, or answer particular requests over it, 'without seeing the original data', using special forms of encryption that allow computation over encrypted data.

Whether leveraging notions like homomorphic encryption or using distributed secure multi-party computation techniques, these platforms operate on encrypted versions of the data and generate an encrypted output which, when decrypted, matches the result the request would have produced on the original, unencrypted data.

In some scenarios this technique can be extremely powerful. Extracting analytics across organisations, or even between government departments (for example the Australian Bureau of Statistics and the Department of Health), where there is a crucial need not to reveal any of the participating entities' data, becomes not only possible but also robust and secure.

Privacy preserving transformation of data

When handling sensitive data sets, organisations should adopt rigorous definitions of privacy in which residual risks are quantified and well understood. They can employ algorithms that enable provably private data sharing, perturbing the data in such a way that its general 'shape' and statistical features remain the same.

This offers well-defined, tunable privacy-utility trade-offs while giving full control over the privacy protections. The rigour of mathematics gives control back to data custodians so they can understand and manage the risks of sharing and processing data. Provably private algorithms relying on notions such as differential privacy are useful in scenarios ranging from streaming IoT data to the aggregation and collection of energy or transportation data.

Privacy considerations often inhibit data sharing and so become obstacles to building the algorithms that make infrastructure smarter. Provably private algorithms could instead enable collaboration amongst organisations and unlock the economic growth that accurate analytics can deliver.
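To make "quantified residual risk" concrete, here is an added example (not Data61's tooling) of the Laplace mechanism of differential privacy applied to constructed smart-meter readings: each query's noise is calibrated to its sensitivity and to epsilon, values feeding a sum are clipped so one household can move it by at most a bounded amount, and a budget object refuses further queries once the agreed total epsilon is spent. The readings, suburb names, clipping bounds and the budget of 1.0 are assumptions for illustration.

```python
"""Differentially private aggregates with the Laplace mechanism and a budget.

Constructed sample: one day of smart-meter readings (kWh) for eight households.
The custodian answers count and sum queries while accounting for epsilon.
"""
import math
import random

# Constructed records: (household_id, kwh_today, suburb)
RECORDS = [
    ("h01", 18.2, "Newtown"), ("h02", 27.9, "Newtown"), ("h03", 9.4, "Newtown"),
    ("h04", 31.0, "Marrickville"), ("h05", 22.5, "Marrickville"),
    ("h06", 64.7, "Marrickville"),  # outlier: clipping bounds its effect on a sum
    ("h07", 15.1, "Enmore"), ("h08", 24.3, "Enmore"),
]


class PrivacyBudget:
    """Tracks epsilon spent; under sequential composition epsilons add up."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def spend(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted: query refused")
        self.spent += epsilon


def seeded_rng(seed):
    """Reproducible generator for demos only; production noise needs a CSPRNG."""
    return random.Random(seed)


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF from u uniform in (-0.5, 0.5)."""
    u = rng.random() - 0.5
    while u == -0.5:  # avoid log(0) at the open boundary
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def clip(x, lo, hi):
    return min(max(x, lo), hi)


def dp_count(records, predicate, epsilon, budget, rng):
    """Noisy count. Sensitivity 1: one household changes a count by at most 1."""
    budget.spend(epsilon)
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def dp_sum(records, value_of, lo, hi, epsilon, budget, rng):
    """Noisy sum of values clipped to [lo, hi]; sensitivity is max(|lo|, |hi|)."""
    budget.spend(epsilon)
    clipped_total = sum(clip(value_of(r), lo, hi) for r in records)
    sensitivity = max(abs(lo), abs(hi))
    return clipped_total + laplace_noise(sensitivity / epsilon, rng)


def release_report(records, total_epsilon, rng):
    """Answer three queries under one budget, splitting epsilon evenly."""
    budget = PrivacyBudget(total_epsilon)
    eps_each = total_epsilon / 3
    return {
        "households_over_25kwh": dp_count(records, lambda r: r[1] > 25, eps_each, budget, rng),
        "total_kwh_clipped_0_40": dp_sum(records, lambda r: r[1], 0.0, 40.0, eps_each, budget, rng),
        "households_in_newtown": dp_count(records, lambda r: r[2] == "Newtown", eps_each, budget, rng),
        "epsilon_spent": budget.spent,
    }


if __name__ == "__main__":
    print(release_report(RECORDS, total_epsilon=1.0, rng=seeded_rng(2024)))
```

Choosing epsilon is a policy decision that the mathematics makes explicit rather than answers for you; the budget object is what turns "residual risk" into something a custodian can enforce, since every answer released spends part of it and the total is fixed in advance.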

Risk quantification and data management framework

We have also developed quantitative and qualitative privacy risk assessment tools for data stakeholders to understand the risks of re-identification associated with sharing or releasing data. The tools leverage information theory frameworks to provide accurate estimation of the residual risks associated with the sharing of sensitive data.
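As an added illustration of what a re-identification risk assessment measures (a simplified example, not Data61's tool), the Python below profiles a constructed patient table: for a chosen set of quasi-identifiers it reports the smallest equivalence class, the share of unique records, the per-record re-identification probability and the Shannon entropy of the quasi-identifier distribution, then shows how generalisation and suppression change those numbers. The rows, columns and the k threshold are assumptions.

```python
"""Measuring re-identification risk over quasi-identifiers (constructed example).

An attacker who knows a person's postcode, age and sex can single them out if
those values are unique in the release. The functions below quantify that and
show the effect of generalising values and suppressing small classes.
"""
import math
from collections import Counter

# Constructed rows: (postcode, age, sex, diagnosis). Diagnosis is the sensitive
# attribute; the first three columns are quasi-identifiers.
ROWS = [
    ("2000", 34, "F", "asthma"),
    ("2000", 34, "F", "diabetes"),
    ("2000", 37, "M", "asthma"),
    ("2010", 29, "F", "migraine"),
    ("2010", 29, "F", "asthma"),
    ("2010", 29, "F", "diabetes"),
    ("2020", 52, "M", "migraine"),
    ("2020", 58, "M", "diabetes"),
]
QI = (0, 1, 2)  # column indices of the quasi-identifiers


def _key(row, qi):
    return tuple(row[i] for i in qi)


def class_sizes(rows, qi=QI):
    """Size of each equivalence class: records sharing the same QI values."""
    return Counter(_key(r, qi) for r in rows)


def risk_profile(rows, qi=QI):
    """Summary risk figures for a release, given the attacker knows the QIs."""
    sizes = class_sizes(rows, qi)
    n = len(rows)
    # A record in a class of size s is re-identified with probability 1/s;
    # averaged over records this equals (number of classes) / n.
    per_record = [1.0 / sizes[_key(r, qi)] for r in rows]
    probs = [s / n for s in sizes.values()]
    return {
        "k_min": min(sizes.values()),
        "unique_fraction": sum(1 for s in sizes.values() if s == 1) / n,
        "max_risk": max(per_record),
        "mean_risk": sum(per_record) / n,
        # Bits of information the QIs carry about which record is which;
        # lower means the released columns distinguish people less.
        "qi_entropy_bits": -sum(p * math.log2(p) for p in probs),
    }


def generalise(row):
    """Coarsen: postcode to its 3-digit prefix, age to a 10-year band."""
    postcode, age, sex, *rest = row
    lo = (age // 10) * 10
    return (postcode[:3], f"{lo}-{lo + 9}", sex, *rest)


def suppress_small_classes(rows, k, qi=QI):
    """Drop records whose class has fewer than k members (k-anonymity)."""
    sizes = class_sizes(rows, qi)
    return [r for r in rows if sizes[_key(r, qi)] >= k]


def prepare_release(rows, k):
    """Generalise, then suppress what generalisation alone did not protect."""
    return suppress_small_classes([generalise(r) for r in rows], k)


if __name__ == "__main__":
    print("raw:        ", risk_profile(ROWS))
    print("generalised:", risk_profile([generalise(r) for r in ROWS]))
    released = prepare_release(ROWS, k=2)
    print(f"released {len(released)}/{len(ROWS)} rows:", risk_profile(released))
```

The numbers make the trade-off visible: generalisation alone still leaves one unique record, suppressing it reaches k = 2 at the cost of a row, and the entropy falls with each step. Attribute disclosure is a separate residual risk that k-anonymity on the quasi-identifiers does not address, which is one reason assessments of this kind are paired with the provably private release mechanisms described above.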

Lastly, we’ve released a practical guide for government agencies and businesses including not-for-profit and private sector organisations to manage data privacy. While this is not a method for enhancing individual data privacy as such, our framework can help data custodians identify and address the key factors relevant to particular data sharing or release situations, including privacy risk analysis and control, stakeholder engagement, and impact management.

As a data researcher, I could not be more excited to be living in such a time of global exploration and discovery into the uses and importance of data on our society. With the right processes and technologies in place, Australia is in an enviable position to become a global leader in protecting individual rights while still benefiting from the incredible utility and value of our data.

Dali Kaafar is Leader of the Information Security and Privacy Group at CSIRO's Data61 and a professor at Macquarie University.