
OAIC and CSIRO’s Data61 release guide to help Australian organisations de-identify data effectively

The Office of the Australian Information Commissioner (OAIC) and the CSIRO’s (Commonwealth Scientific and Industrial Research Organisation) Data61 have released a guide, called ‘The De-Identification Decision-Making Framework (DDF)’, to assist organisations to de-identify their data effectively.

The framework is meant to be a practical and accessible guide for Australian organisations that handle personal information and are considering sharing or releasing it to meet their ethical responsibilities and legal obligations, such as those under the Privacy Act 1988.

The guide is adapted from the UK resource, The Anonymisation Decision-Making Framework, and it is the result of a close collaboration between CSIRO and OAIC, with input from the Australian Bureau of Statistics (ABS) and the Australian Institute for Health and Welfare (AIHW).

The framework can help data custodians to identify and address the key factors relevant to their particular data sharing or release situation, including privacy risk analysis and control, stakeholder engagement, and impact management. The DDF focuses on assessing and managing re-identification risks within the context of the data release or share. It encourages organisations to think more broadly and consider the data release environment, as well as the techniques and controls applied to the data.

The DDF is made up of ten components:

  1. Describe your data situation
  2. Understand your legal responsibilities
  3. Know your data
  4. Understand the use case
  5. Meet your ethical obligations
  6. Identify the processes you will need to assess disclosure risk
  7. Identify the disclosure control processes that are relevant to your data situation
  8. Identify who your stakeholders are and plan how you will communicate
  9. Plan what happens next once you have shared or released the data
  10. Plan what you will do if things go wrong

Presentation of the DDF components as a numbered list is not intended to suggest that this is the right order in which to do them. For example, stakeholder engagement plays an important role in shaping the purpose of the data access arrangements, costs, breach policies, outputs and public messaging.

The ten components of the DDF are grouped into three core de-identification activities:

A data situation audit (Components 1-5): This activity helps identify and frame the issues relevant to the data situation. Organisations encapsulate and systematically describe the data, what they are trying to do with it and the issues thereby raised. A well-conducted data situation audit is the basis for the next core activity.

Risk analysis and control (Components 6-7): This activity considers the technical processes that will have to be used to both assess and manage the disclosure risk associated with the data situation.

Impact management (Components 8-10): This activity considers the measures that should be in place before data is released or shared to help communicate with key stakeholders, ensure that the risk associated with the data remains negligible going forward, and work out what the organisation should do in the event of an unintended disclosure or security breach.

The report cautions that de-identification is not an exact science and, even using the DDF, it requires complex judgement calls. The DDF is intended to help data custodians make sound decisions based on best practice, but it is not a step-by-step algorithm or a linear checklist. It recommends that users seek expert advice on the de-identification process, particularly with the more technical risk analysis and control activities.

Timothy Pilgrim, Australian Information and Privacy Commissioner, commented, “De-identification is one solution for sharing and releasing data while meeting legislative demands and community expectations. It is an exercise in risk management, rather than an exact science, and it’s important that we strike the right balance between maintaining useful data and making sure it’s safe.”

“Deciding whether data should be released or shared – and if so, in what form – requires careful consideration. A range of factors needs to be considered, from ethical and legal obligations to technical data questions. Integrating the different perspectives on the topic of de-identification into a single, comprehensible framework is what this guide is all about,” he added.

Dr. Christine O’Keefe, the lead author of the guide and Research Scientist at Data61, explained, “At CSIRO’s Data61 we are a trusted advisor to government and industry organisations and we help them access the power of their data by applying deep science, engineering and design to derive insights from it and make it accessible to others without compromising privacy. At present, there is no publicly available, comprehensive risk management guide in Australia to assist organisations with de-identification. That’s why we have set out to create this standalone guide as an adaptation of the existing UK version, the Anonymisation Decision-Making Framework — and make it freely available.”

