When considering whether to share data it is important to understand the risks. This is at the heart of safe data sharing: evaluating the benefits of sharing the data against the risks and whether those risks can be mitigated.

One of the key areas of risk is the nature of the data to be shared and whether it is sensitive or not. The Privacy Act 1988 (Cth) considers sensitive information in relation to personal information, however, there are many other types of sensitivity associated with data. When you are asked about whether data is sensitive on Dataplace, you should consider the broader aspects of the sensitivity of data.

Once you have identified that data is sensitive, Dataplace asks you to indicate what is the type of sensitivity. You might find more than one category is relevant, so pick the ones that apply:

• Cultural – the data could be about the location of sacred sites for example
• Vulnerable individuals or groups – the data could be about gender identification
• Commercial – the data could be about individual businesses, or market considerations
• Industry or sector – the data could be about groups of businesses
• De-identified data – the data may have been treated and/or access controls have or will be applied to make data de-identified. It may, however be appropriate to include additional controls to ensure it remains de-identified.
• Anonymised or generalised data – for data that is not about people but has still been treated or had access controls applied to make it anonymised. For example, this could be geographical information or information about endangered species. It may also be appropriate to include additional controls to ensure it remains anonymised.
• Unit level data –where each line of data includes information about a single thing (for example: transaction, person, business or location)
• Information that may be considered sensitive by a party – there may be other reasons that we haven’t thought of that means the data is sensitive
• The data is to be used for more than one project – this raises additional risks of re-identification that may not be present if sharing for one project

There is always a level of judgement involved about whether data is sensitive or not. A key test to ask yourself is whether unauthorised access or use of the data could cause harm or have an adverse impact (even if that is a perceived impact). Also, labelling data as sensitive is a good way of adopting the mindset to take greater care of the data and not assume it is safe to share. Because of the potential for harm, sensitive data will often require more controls to manage risk. You may ask for progress reports or an oversight group to be established and/or you may identify specific data treatments to make the data anonymised.

For example a highly detailed dataset with direct identifiers removed (such as names and address) might be considered personal information except for the fact that appropriate controls under the data sharing principles have rendered it de-identified. From a risk management perspective, it should still be considered sensitive because if those controls are not sufficient or change then the data may no longer be de-identified.

While this may seem that most data is sensitive, a good rule of thumb is that if someone has a reasonable expectation that the data is sensitive, then it should be treated as such for data sharing. For example, the Privacy Act 1988 (Cth) does not include a person’s income under its definition of sensitive information, but many people hold the reasonable position that their income is sensitive to them (and don’t want it disclosed unnecessarily).

Personal information is defined in the Privacy Act 1988 (Cth):

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.

For more details on personal information, refer to the OAIC website: What is personal information? - Home (oaic.gov.au)

Biometric data is defined in the Data Availability and Transparency Act 2022 (see section 9):

Biometric data:
(a) means personal information about any measurable biological or behavioural characteristic relating to an individual that could be used to identify the individual or verify the individual’s identity; and
(b) includes a biometric template containing representations of information mentioned in paragraph (a).
Biometric data includes facial features, fingerprints or a person’s gait and voice, as well as biometric templates. Under the DATA Scheme, this definition supports the privacy protection clauses, under which sharing of biometric data is only permitted with the express consent of the individual to whom the biometric data relates. Keep in mind that if data is not personal information it cannot be biometric data.

Biometric data includes facial features, fingerprints or a person’s gait and voice, as well as biometric templates. Under the DATA Scheme, this definition supports the privacy protection clauses, under which sharing of biometric data is only permitted with the express consent of the individual to whom the biometric data relates. Keep in mind that if data is not personal information it cannot be biometric data.

For both personal information and biometric data, if controls under the data sharing principles are applied to render them de-identified, it may well still be considered sensitive and should be treated as such.