Media release: Privacy and Public Data Audit Report
The Office of the Information Commissioner’s audit report on privacy and public data was tabled in Parliament today (14 July 2020).
This report presents our findings on how two government agencies manage privacy risks when releasing de-identified data.
The report makes recommendations to all Queensland government agencies.
The Information Commissioner Rachael Rangihaeata said, “The public entrusts government agencies with their personal information. Agencies must manage re-identification risk and protect personal information when releasing data to avoid serious consequences for the community. Re-identification of public data shouldn’t be as easy as a Guess Who game. We expect to agencies to proactively manage this risk to protect vulnerable people, including victims of family and domestic violence.”
While public data supports transparent and accountable government, agencies publishing de-identified data should manage privacy risks the same way they do for risks in other activities.
A methodical risk management approach, supported by sound governance arrangements, assures agencies that the risk treatments applied to de-identified public data remain effective over time.
“The audit raised critical issues relevant to the broader sector. When public data is re-identified, it can have serious consequences for stakeholders, clients and staff.”
“De-identification is technically complex and involves more than removing direct identifiers. The external environment is constantly evolving and can make assessing the re-identification risk challenging.”, Ms Rangihaeata said.
Agencies need to:
- review all published data and identify datasets containing de-identified data
- assign a custodian to each published de-identified dataset
- implement and maintain policies or procedures that govern de-identified data releases
- adequately capture, assess and treat re-identification risk in published de-identified data
- monitor the external data environment and the effectiveness of risk treatments
- regularly review re-identification risks.