Privacy and Public Data Audit Report
This report outlines how two agencies manage privacy risks when releasing de-identified data.
Public data supports transparent and accountable government. The benefits of public data include evidence-based policy design, innovation, and better service delivery.
However, when agencies publish de-identified data, they should manage privacy risks the same way they do for risks in other activities. This includes managing the risk of re-identification and protecting personal information.
De-identification is technically complex and involves more than removing direct identifiers. The external environment is constantly evolving and can make assessing the re-identification risk challenging.
Public data environments require extremely robust de-identification processes. Agencies must assess the re-identification risk in the data itself and the external environment. When public data is re-identified, it can have serious consequences for stakeholders, clients and staff.
A methodical risk management approach, supported by sound governance arrangements, helps agencies:
- identify and manage the risk of re-identification for each dataset released on public platforms
- apply appropriate treatments to reduce re-identification risk to an acceptable level
- monitor and review re-identification risks and their treatments.
While we made specific recommendations to each audited agency, the audit raised critical issues relevant to the broader sector. The audit identified good practice and areas for improvement, and made recommendations to all government agencies.