Australian businesses and the IT partners that handle their digital assets have been given a helping hand by the Government, aimed at minimising the risk of inadvertent breaches of personal or sensitive data.
The Australian Government's Office of the Australian Information Commissioner (OAIC), in partnership with the CSIRO's Data61 data innovation group, has released new guidelines to help organisations deal with how an individual's personal information is shared or released, whether for ethical or legal reasons.
The new guide, which was adapted from the UK's The Anonymisation Decision-Making Framework, was also informed by input from the Australian Bureau of Statistics (ABS) and the Australian Institute for Health and Welfare (AIHW).
The De-identification Decision-Making Framework guide, which can be found here, focuses on assessing and managing data re-identification risks within the context of the data release or share.
The guidelines themselves encourage organisations to consider the current data release environment, as well as the techniques and controls applied to the data.
Lead author of the guide and Data61 research scientist, Dr Christine O'Keefe, explained that individuals were increasingly conscious of how their data was being used, as well as the risk of data breaches, which underlined the importance of how well de-identification is carried out.
Australian Information and Privacy Commissioner, Timothy Pilgrim, said that deciding whether data should be released or shared - and if so, in what form - required careful consideration.
"A range of factors needs to be considered, from ethical and legal obligations to technical data questions. Integrating the different perspectives on the topic of de-identification into a single, comprehensible framework is what this guide is all about," Pilgrim stated.
"The interpretation and application of data has the potential to positively transform our lives and bring about great social and economic benefits. However, we need to remember that many of these data sets are made up of individuals' personal information.
"So when we think about releasing it we need to anticipate the risks to ensure we are protecting the rights of individuals," he said.
Pilgrim said de-identification was an exercise in risk management, rather than an exact science, and it was important to strike the right balance between maintaining useful data and making sure it's safe.
"The OAIC looks forward to engaging further with organisations and technical experts on de-identification," he said.
Ultimately, the guide is aimed at reducing the risks of data breaches among local organisations and minimising the chances of individuals' personal details being released into the public sphere.
Indeed, such an incident hit the Government's own public service workplace authority, the Australian Public Service Commission (APSC), late last year when confidential information of more than 96,000 public servants was compromised after a data set populated with confidential information was inadvertently made publicly available.