Privacy Re-identification Risk Assessment

The Australian Privacy Act requires those sharing or releasing data to mitigate the risk until there is no reasonable likelihood of re-identification occurring.

OAIC recommends that (APP regulated) entities take a risk-management approach when handling de-identified data which acknowledges that while the APPs may not apply to data that is de-identified in one specific context, the same data could become personal information in a different context.

Robust de-identification governance practices may include activities such as:

  • ongoing and regular re-identification risk assessments (to check that methods used are still effective and appropriate at managing the risks involved)

  • auditing data recipients to ensure that they are complying with the conditions of any data sharing agreements

Cognitivo can help implement a data risk management framework and deploy tools to periodically (and on an event-driven basis) assess or quantify the re-identification risk of your shared datasets.

Cognitivo is an authorised partner reseller of CSIRO’s Data61 Re-identification Risk Ready Reckoner.

R4 is a risk assessment tool designed to help evaluate the potential for re-identification of records in datasets (including 'de-identified' datasets), so as to support decision making on what data can be shared in what context. The tool examines the risk of re-identification for single attributes and combinations of multiple attributes in the dataset, and presents a dashboard to view overall risk and examine problematic attributes or records in finer detail. Its graphical user interface and risk ranking provide a one-look view of the re-identification risk of a dataset, and allow easy drill-down to the most relevant data affecting that risk.

R4 also simplifies the process of preparing a dataset for sharing or release by highlighting problematic records, and offering mitigation methods such as aggregation and perturbation to be applied to chosen attributes. Once a mitigation is applied, R4 re-analyses the modified data, so that it can be used in a cycle of risk mitigation and assessment until the residual risk is considered acceptable.
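The assess, mitigate and re-assess cycle described above can be illustrated with a short added example; it is not R4's code or algorithm. It assumes a simple risk measure (the fraction of records that share their values on an attribute combination with fewer than k other records), and the column names, records, band widths and thresholds are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real data); column names are assumptions.
COLUMNS = ("age", "postcode", "sex")
ROWS = [(34, "2000", "F"), (35, "2000", "F"), (36, "2000", "M"), (38, "2000", "M"),
        (52, "2010", "F"), (57, "2010", "F"), (58, "2010", "M"), (71, "2010", "M")]
RECORDS = [dict(zip(COLUMNS, row)) for row in ROWS]

def risky_rows(records, attrs, k=2):
    """Indexes of records whose values on `attrs` are shared by fewer than k records."""
    key = lambda r: tuple(r[a] for a in attrs)
    sizes = Counter(key(r) for r in records)
    return [i for i, r in enumerate(records) if sizes[key(r)] < k]

def assess(records, k=2):
    """At-risk fraction for every single attribute and every attribute combination."""
    names = sorted(records[0])
    report = {}
    for n in range(1, len(names) + 1):
        for attrs in combinations(names, n):
            report[attrs] = len(risky_rows(records, attrs, k)) / len(records)
    return report

def aggregate_age(records, width):
    """Mitigation by aggregation: replace the exact age with a band of `width` years."""
    out = []
    for r in records:
        lo = r["age"] // width * width
        out.append({**r, "age": f"{lo}-{lo + width - 1}"})
    return out

def mitigation_cycle(records, widths=(20, 40), acceptable=0.0, k=2):
    """Assess, apply progressively coarser age bands, re-assess until acceptable."""
    history = [("raw", max(assess(records, k).values()))]
    for width in widths:
        if history[-1][1] <= acceptable:
            break
        treated = aggregate_age(records, width)
        history.append((f"age band {width}", max(assess(treated, k).values())))
    return history

if __name__ == "__main__":
    for step, residual in mitigation_cycle(RECORDS):
        print(f"{step:12} worst-case at-risk fraction = {residual:.3f}")
    banded = aggregate_age(RECORDS, 20)
    print("still unique on age+sex after 20-year bands:", risky_rows(banded, ("age", "sex")))
```

In the constructed data, 20-year bands leave two records unique on age plus sex even though age alone looks far safer, which is why combinations are assessed as well as single attributes.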

R4 helps data custodians and managers better understand the risk of re-identification so as to make informed decisions about their data, and to reduce that risk through treatment of problematic attributes or records.

Refer to CSIRO’s Data61 R4 website for a full description of product features.

Let us know if you would like to find out more or would like a demo of the R4 tool.