Blog icon

The challenge

Sharing and releasing data can raise privacy concerns

Thanks to booming growth in online services and interconnected devices, data is constantly being generated and stored. Many organisations – both businesses and governments – are now seeing the benefit of using this data to solve problems that can improve all our lives and make them easier.

Since much of the data being generated is about people, de-identification is widely being used to reduce the risk to individuals' privacy. De-identifying data can help an organisation to meet its ethical responsibilities, fulfil its legal obligations, and satisfy community expectations.

However, when de-identification is not carried out properly, a data release can raise privacy concerns. There's a growing body of examples where this has been the case, so the need for well-thought-out de-identification has never been more acute.

Our response

Bringing together different perspectives on de-identification into a simple framework

The main question for decision-makers who want to share or release data is, should we release this data or not and if so in what form? Answering this question is complex, and relies on a range of considerations from ethical and legal obligations to technical data questions. Integrating the different perspectives on the topic of de-identification into a single comprehensible framework is what this book is all about.

Adapted from the UK resource The Anonymisation Decision-Making Framework, the guide is the result of a close collaboration between CSIRO and the Office of the Australian Information Commissioner (OAIC), with input from the Australian Bureau of Statistics (ABS) and the Australian Institute for Health and Welfare (AIHW).

The De-identification Decision-Making Framework guides custodians through the entire process of de-identifying data including the legal responsibilities, ethical obligations and  stakeholder communications - to planning in the event of a crisis.

Specific points under three sub headings include:

Data situation audit

  • describe your data situation
  • understand your legal responsibilities
  • know your data
  • understand the use case
  • meet your ethical obligations

Risk analysis and control

  • identify the processes needed to assess disclosure risk
  • identify the disclosure control processes relevant to your data situation

Impact management

  • identify your stakeholders and plan how you will communicate
  • plan what happens once you have shared or released the data
  • plan what you will do if things go wrong
The De-identification Decision-Making Framework guides custodians through the entire process of de-identifying data including the legal responsibilities, ethical obligations and stakeholder communications - to planning in the event of a crisis.

The results

A practical guide to help data custodians reduce privacy risk in sharing or releasing data

We've developed a practical guide to de-identification for government agencies and businesses including not-for-profit and private sector organisations.

The De-Identification Decision-Making Framework report cover
The De-Identification Decision-Making Framework

Our framework can help data custodians to identify and address the key factors relevant to their particular data sharing or release situation, including privacy risk analysis and control, stakeholder engagement, and impact management.

De-identification is not an exact science and, even using the De-Identification Decision-Making Framework (DDF), it requires complex judgement calls. The DDF is intended to help data custodians make sound decisions based on best practice, but it is not a step-by-step algorithm. We recommend that users seek expert advice on the de-identification process, particularly with the more technical risk analysis and control activities.

Our report on this was produced in 2017. Science and technology in this area often move very fast, and the data context has also changed. It may no longer be ideal for current purposes.

We are reviewing the report to make it fully relevant to the context of 2021, and will be publishing the revised version shortly.

If you would like to talk about it now, please get in touch. We’re happy to discuss it with you. If, for any reason, you want to access the 2017 document, please let us know.

Download the report

Contact us

Find out how we can help you and your business. Get in touch using the form below and our experts will get in contact soon!

CSIRO will handle your personal information in accordance with the Privacy Act 1988 (Cth) and our Privacy Policy.


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

First name must be filled in

Surname must be filled in

I am representing *

Please choose an option

Please provide a subject for the enquriy

0 / 100

We'll need to know what you want to contact us about so we can give you an answer

0 / 1900

You shouldn't be able to see this field. Please try again and leave the field blank.