Recent news reports have revealed that Facebook has been hit with another data scandal.
The anonymised data of approximately 3 million Facebook users has reportedly been published on a poorly protected website. This data was originally collected via a Facebook quiz app called “myPersonality”. The myPersonality app was developed as part of the “myPersonality project” run by academics at the University of Cambridge’s The Psychometrics Centre.
Around 6 million quiz participants answered a number of personality trait questions using the myPersonality app. Half of those quiz participants agreed to share data from their profile. This data, along with quiz answers, were anonymised by the University of Cambridge academics and then placed on a website. Researchers could register to collaborate on the myPersonality project and gain access to the anonymised data on the website. According to New Scientist, more than 280 people from about 150 institutions (universities and companies) registered to access the website.
However, if you were not a researcher there were other ways to access the anonymised data. A username and password to access the website could be found online from a single web search.
On 7 April 2018, Facebook suspended the myPersonalty app from the Facebook platform as part of its clean up of third party applications and its investigation into misuse of user data.
This incident continues to shed light on Facebook’s practice of allowing third parties, such as researchers to use the Facebook platform to gather users’ data. However what is more revealing is the poor approach the academics took to protect the data by third parties with the means to re-identify the data. Providing access to anonymised data is not necessarily a problem per se. However, according to New Scientist the data could be easily re-identified.
Anonymised data will be considered personal information under the Australian Privacy Act if it can be de-anonymised and identify the personal information about an individual. Therefore, care must be taken when dealing with and creating “anonymised datasets” as that data will only fall outside the remit of the Australian Privacy Act if other data cannot be used with the anonymised data to reveal the personal information about an individual. If an anonymised dataset can be de-anonymised then it should be properly protected in accordance with the Australian Privacy Act.