The challenge
Sharing and releasing data can raise privacy concerns
Thanks to booming growth in online services and interconnected devices, data is constantly being generated and stored. Many organisations – both businesses and governments – are now seeing the benefit of using this data to solve problems that can improve all our lives and make them easier.
Since much of the data being generated is about people, de-identification is being widely used to reduce the risk to individuals' privacy. De-identifying data can help an organisation to meet its ethical responsibilities, fulfil its legal obligations, and satisfy community expectations.
However, when de-identification is not carried out properly, a data release can raise privacy concerns. There's a growing body of examples where this has been the case, so the need for well-thought-out de-identification has never been more acute.
Our response
Bringing together different perspectives on de-identification into a simple framework
The main question for decision-makers who want to share or release data is: should we release this data or not and, if so, in what form? Answering this question is complex, and relies on a range of considerations, from ethical and legal obligations to technical data questions. Integrating the different perspectives on the topic of de-identification into a single comprehensible framework is what this book is all about.
Adapted from the UK resource The Anonymisation Decision-Making Framework, the guide is the result of a close collaboration between CSIRO and the Office of the Australian Information Commissioner (OAIC), with input from the Australian Bureau of Statistics (ABS) and the Australian Institute for Health and Welfare (AIHW).
The results
A practical guide to help data custodians reduce privacy risk in sharing or releasing data
We've developed a practical guide to de-identification for government agencies and businesses including not-for-profit and private sector organisations.
Our framework can help data custodians to identify and address the key factors relevant to their particular data sharing or release situation, including privacy risk analysis and control, stakeholder engagement, and impact management.
De-identification is not an exact science and, even using the De-Identification Decision-Making Framework (DDF), it requires complex judgement calls. The DDF is intended to help data custodians make sound decisions based on best practice, but it is not a step-by-step algorithm. We recommend that users seek expert advice on the de-identification process, particularly with the more technical risk analysis and control activities.
Our report on this was produced in 2017. Science and technology in this area often move very fast, and the data context has also changed. The report may no longer be ideal for current purposes.
We are reviewing the report to make it fully relevant to the context of 2021, and will be publishing the revised version shortly.
If you would like to talk about it now, please get in touch. We’re happy to discuss it with you. If, for any reason, you want to access the 2017 document, please let us know.