Adatree becomes the first Australian company to de-identify CDR data

Jill Berry, Chief Executive Officer at Adatree

In what is set to change the way organisations access and leverage consumer data, award-winning data intermediary and recipient platform Adatree has created the first and only framework in Australia to de-identify data in the regulated Consumer Data Right (CDR), which will enable a multitude of benefits for data recipients and consumers.

De-identifying data refers to removing all identifiers of an individual, from their name and address to their client number or tax file number, so they are no longer identifiable.

What does the solution mean for Adatree clients?

Under CDR legislation, individuals give consent to accredited data recipients to use and store their data for a set period of time. At the end of the consent lifecycle, consumers have two options: to have their data deleted or de-identified. However, up until now, no organisation has been successful in creating a de-identification framework for Consumer Data Right (CDR) data nor is there any provider in Australia offering this service due to its complex nature.

Other data recipients have had to delete all consumer data and any associated reporting or insights, even if they’re only for internal use. De-identification is difficult to do well. For example, Netflix released some ‘de-identified’ customer usage data, but university researchers found they were able to re-identify a portion of the data and connect it with users’ IMDb movie ratings. Adatree spent the past 12 months developing and testing methods for data de-identification on small data sets.

As part of the fintech’s greater objective to ensure de-identified data cannot be re-identified, Adatree then engaged data privacy researchers CSIRO – via its CSIRO Kick-Start initiative which provides startups with funding support and access to their research expertise – to seek advice and better understand what methods could be used to further mitigate risks.

CSIRO gave Adatree visibility of potential gaps in the data, based on best practice for this complex issue. Following CSIRO’s research, Adatree chose a method of de-identification that it believes will deliver the highest level of assurance compliance. Adatree undertook testing to verify the data could not be re-identified via the reverse process. With data de-identification offered to clients, there is now an alternative to the mandated deleting of CDR data.

Firms can benefit from ongoing access to key sources of de-identified client information that could assist with business modelling and trend reporting. For consumers, the choice to continue sharing their de-identified data offers the potential for new and improved solutions.

What were the executive’s thoughts on the solutions?

CEO and co-founder of Adatree, Jill Berry, said: “While the Consumer Data Right caters for data de-identification, no other intermediary is providing this solution and service. If an individual’s data can be de-identified while enabling firms to learn from that data, there is no need to delete it. This, of course, can only happen with the consumers’ explicit consent and Adatree’s ability to meet assurance compliance of the de-identification practices.”

“In establishing a robust de-identification framework for the Consumer Data Right, all parties involved in this complex ecosystem will benefit: the Government, the businesses accessing the data, and the end customers enjoying improvements to their products and services.”

“Adatree is thrilled to be the first firm in Australia to de-identify data in the CDR. Offering data de-identification as a service is the next step in the Consumer Data Right, and we’re eager to bridge the gap between consumers owning their data and companies leveraging it,” she said.

At the moment, Adatree is de-identifying data for internal uses only, and will offer the new solution, data de-identification as a service (DDaaS), in the coming months.