Privacy and Public Data audit
Today the Speaker of the Legislative Assembly tabled our report in Parliament on how two agencies manage privacy risks when releasing de-identified data.
The public entrusts government agencies with their personal information. All agencies must manage the risk of re-identification and protect personal information when publishing de-identified data.
Public data environments require extremely robust de-identification processes. Agencies must assess the re-identification risk in the data itself and the external environment. When public data is re-identified, it can have serious consequences for stakeholders, clients and staff.
A methodical risk management approach, supported by sound governance arrangements, helps agencies:
- identify and manage the risk of re-identification for each dataset released on public platforms
- apply appropriate treatments to reduce re-identification risk to an acceptable level
- monitor and review re-identification risks and their treatments.
Our audit identified good practice and areas for improvement, and made recommendations to all government agencies.