Open Data Certificate Help – Privacy

ALPHA

How do you protect people’s privacy?

1. Is this data about people or their activities?

No, the data is not about people or their activities

Data that is not about people or their activities is not subject to privacy law. Check that your data is not another type of sensitive data.

Yes, the data is about people or their activities

Data about people or their activities may be subject to privacy law.

Personal Information Resources

These Guides can help you determine if the data is personal information:

Privacy Laws

In Australia, privacy laws do not bind everyone. For example:

  • the Commonwealth Privacy Act 1988 binds Commonwealth Government departments and businesses with a turnover greater than $3 million and private health service providers.
  • the Queensland Information Privacy Act 2009 binds Queensland Government Ministers, Departments, Local Governments, public authorities, and their bound contracted service providers. Not all areas of government are bound, for example, Government Owned Corporations, courts or tribunals in relation to their judicial or quasi-judicial functions, among other exemptions.

Some sectors, particularly health services, may be bound by more than one privacy law.
The Australian Government provides a list of links to privacy regulation in the States and Territories and other Australian laws that relate to privacy.

Sensitive Data

The Open Data Certificate questionnaire focuses on privacy. Other elements of data sensitivity include:

  • commercial-in-confidence
  • secrecy
  • cultural heritage
  • environmental security.

It is important to consider all aspects of data sensitivity when publishing data.
These resources may assist you to address other elements of data sensitivity:

2. Has the data about individuals been de‑identified?

No, it contains data that could identify individuals.

Individual identities are visible in the data or could be reasonably ascertained through cross-referencing with other available information.

Yes, the data has been de‑identified.

De-identification techniques such as aggregation, data masking, pseudonymisation, and reducing the precision of information can reduce the risk of individuals being identified in the data.
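The following Python example is added here for illustration and is not part of the Open Data Certificate guidance. It applies pseudonymisation, precision reduction and aggregation to constructed records, then flags groups small enough to be re-identified by cross-referencing. The field names, the demo key and the threshold `k` are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people), for illustration only.
RECORDS = [
    {"name": "Alex Smith", "age": 34, "postcode": "4000", "visits": 3},
    {"name": "Sam Lee", "age": 37, "postcode": "4005", "visits": 1},
    {"name": "Kim Tran", "age": 31, "postcode": "4011", "visits": 2},
    {"name": "Jo Brown", "age": 52, "postcode": "4350", "visits": 5},
    {"name": "Pat Jones", "age": 58, "postcode": "4352", "visits": 1},
    {"name": "Lee Wong", "age": 71, "postcode": "4870", "visits": 4},
]
QUASI_IDS = ("age_band", "region")  # fields an outsider could cross-reference
SECRET_KEY = b"constructed-demo-key"  # assumption: stored securely, never published

def pseudonymise(value, key=SECRET_KEY):
    """Keyed hash: without the key, guessed names cannot be hashed and matched."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def deidentify(record):
    """Pseudonymise the name and reduce the precision of age and postcode."""
    low = record["age"] // 10 * 10
    return {
        "person": pseudonymise(record["name"]),
        "age_band": f"{low}-{low + 9}",
        "region": record["postcode"][:2] + "xx",
        "visits": record["visits"],
    }

def small_groups(rows, k):
    """Quasi-identifier combinations shared by fewer than k rows (re-identification risk)."""
    counts = Counter(tuple(r[q] for q in QUASI_IDS) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}

def aggregate(rows, k):
    """Publish per-group totals only, suppressing groups smaller than k."""
    risky = small_groups(rows, k)
    totals = {}
    for r in rows:
        combo = tuple(r[q] for q in QUASI_IDS)
        if combo not in risky:
            group = totals.setdefault(combo, {"people": 0, "visits": 0})
            group["people"] += 1
            group["visits"] += r["visits"]
    return totals

ROWS = [deidentify(r) for r in RECORDS]
print(small_groups(ROWS, k=2), aggregate(ROWS, k=2))
```

With `k=2`, the single record in the 70-79 / 48xx group is flagged as unique and is left out of the aggregated output.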

Data De-identification Resources

These Guides describe how you may be able to publish the data if you can de-identify individuals:

3. Do you have permission to publish this personal data online?

You may be able to publish data about individuals online if either the data is required or permitted to be published by law, or you have permission from the affected individuals.

Yes

If permission is not granted by all individuals, you should inform data re-users that the dataset is incomplete.

No

You should only publish personal data without de-identification if you are required or permitted to do so by law or the affected individuals have granted permission.

Have you published without permission?

If you have already published the data without permission, you should review the Privacy Breach Resources to determine your next steps to protect people’s privacy.

To Do: Individual Consent Resources

These guides (yet to be identified / written) help you to ask for an individual’s consent. Guides may cover the following scenario and provide real-life examples:

  • A government agency conducts a survey concerning its services. Participants are informed that the survey results will be published online and this can include their names and contact details. Participants are given the option to provide anonymous responses. Those who do not take up this option have agreed to the publishing of their details online.
  • The Open Data Census submission page can be used as an example; however, you can only see the page after logging in. Seek a public example.

4. Where do you document your right to publish this data?

Provide a URL to the law or individual permission that allows you to publish this data about individuals.

Disclosure Rationale URL

Reference the Law

To help people use the data with confidence, in the data description or documentation provide a reference to the law that permits the data publication. Include:

  • the name of the law
  • a reference to the clause in the law that permits the data publication
  • a hyperlink to the law or clause within the law.

Example

The Queensland Financial Accountability Act 2009 (section 63) requires all departments and statutory bodies prepare annual reports for tabling in the Legislative Assembly. The supporting Financial and Performance Management Standard 2009 (section 49 (5)) requires that the annual report includes information defined in the Annual report requirements for Queensland Government agencies prepared by the Department of the Premier and Cabinet. A number of annual reporting requirements are addressed through publication of information through the Queensland Government Open Data website and some datasets include the names of officers who travelled overseas, their position, the destination, reason for travel, cost of travel, etc.

The data documentation in this case could include the following statement:

The Department of Transport and Main Roads 2015–16 Annual Report – Overseas Travel data is required to be published under the Financial Accountability Act 2009 (section 63) and as specified in the Annual report requirements for Queensland Government agencies.

To do: Reference Individual Consent

These guides help you to show that you have consent from affected individuals to publish the data.

  • Yet to be identified / written

5. Has your de-identification process been independently audited?

Yes

No

6. Have you assessed the privacy risks of publishing this data?

You should assess the likelihood of personal data being disclosed and the consequences to individuals of the disclosure.

Yes

No

Risk Assessment Resources

Guides to help you assess the risk of a possible privacy breach:

7. Where is your risk assessment published?

Provide a URL to where people can check how you have assessed the privacy risks to individuals.

Risk Assessment URL

8. Has your privacy risk assessment been independently audited?

Yes

No

Privacy Risk Assessment Independent Audit Resources

9. Are you prepared to respond if publishing this data compromises the privacy of individuals?

Have you documented the steps you will take in the event of a privacy breach?

Yes

No

You should document the steps you will take in the event of a privacy breach.

Privacy Breach Resources

If publishing your dataset online results in the identity of the individuals whose data is contained in the dataset being reasonably ascertainable, you have potentially breached the privacy of these individuals. In the event that this comes to your attention, there are a number of steps that can be taken to remedy a privacy breach.
Guides to help you plan for a possible privacy breach: