Public Sector Data Management
FOI Document 3
Review
• The PM&C Review found current legislation
may pose
real or perceived barriers to
effective use, sharing, linking and release of
public data.
• Attempts to maximise the value of public
sector data are potentially being held back
due to
outdated understanding of legislation
and an overly cautious, low risk tolerance.
What the Privacy Act covers
• Applies to personal information: information
about an identified or reasonably identifiable
individual.
• Does not generally apply to de-identified
information:
information that is no longer
about an identifiable or reasonably
identifiable individual.
• The PM&C Review found this was not widely
known or understood across the APS.
De-identification under the Privacy Act
• De-identifying a single dataset within an agency is a
‘use’ of the information under the Privacy Act.
• This requires consideration of the Privacy Act and in
particular Australian Privacy Principle 6, but
is likely
to be possible in many cases unless a secrecy
provision in another law applies*.
• Linking
multiple datasets before de-identification
involves an additional use of the information.
– This again requires consideration of the Privacy
Act and any applicable secrecy provisions.
Privacy regulator’s de-identification
advice
• Where you have established the need and ability to
de-identify information:
– consider and
choose de-identification techniques
– undertake de-identification and
test effectiveness
–
assess the risks of re-identification
– reassess potential
risk of re-identification over time as
required.
(For more detail, see OAIC resource, De-identification of data
and information.)
Document Outline