Privacy Help for Open Data Certificates is ready for review


#1

A small team of ODI Queensland volunteers (@ellen.broad, @lemm.ex, @earl.butterworth, @b.appleyard, and others) are localising Open Data Certificates for Australia. Part of the project is creating online help for the three topics in the Legal section: Rights, Licensing and Privacy.

The help for the privacy questions is ready for your review.

The web page simulates the flow of the Open Data Certificate questionnaire. Select the answer to a question and you’ll be taken to the next relevant question. You can view the logic in a flowchart available on the page.

Please reply below with your feedback on the:

  • wording of the questions and answers
  • the question flow
  • the extra help and examples (shown in green or yellow shaded boxes)

#2

Question 7: Where is your privacy risk assessment published?

  1. What would happen if you don’t have a URL for the risk assessment?

  2. Where should you publish it? The Queensland Publications Portal?

Will you still get a Gold Open Data Certificate if you provide a URL for the privacy risk assessment, but “No” to Question 8 - Has your privacy risk assessment been independently audited?


#3

Good pick-up, Earl. I’ll update the flowchart to show that providing a URL is optional. This should also apply to Question 4.

You can publish your privacy risk assessment anywhere on the web. If you’re asking what practice Queensland Government should adopt, perhaps @therese.cumner, @ray.latchmanan, @paul.cavallaro or @david.z.ainscough may be able to provide a suggestion.

I still need to do some testing on the logic of awarding badges. I’ll report back here when done. Here’s a description of the 4 badge levels.


#4

Hi Steve,
Still working through the material, but some very early thoughts:

  • Under Question three (do you have permission to publish this personal data online?), an answer of “no” ends this section - should it also come with guidance to avoid publishing and/or remove this published material and instigate processes for a breach of PII? Not awarding a certificate is one thing; leaving a dataset that breaches privacy legislation online and untreated is another.

  • Question 4 - here’s a potential example for the yellow box -
    “The Financial Accountability Act 2009 (FAA) (section 63) requires all departments and statutory bodies prepare annual reports for tabling in the Legislative Assembly. The Financial and Performance Management Standard 2009 (FPMS) (section 49 (5)) mandates the disclosure of information detailed in the document Annual report requirements for Queensland Government agencies prepared by the Department of the Premier and Cabinet (DPC).” - example would apply to publishing Departmental officers names that travelled overseas as part of the annual report process, taken from here - https://www.premiers.qld.gov.au/publications/categories/guides/assets/annual-report-requirements-new-2015-2016.pdf

  • Question 4 - not aware of any guides in Oz, but NZ have a wealth of collateral about how they tackled this through their https://www.realme.govt.nz/ service

  • W.r.t the publication of risk assessments, might be a good question for @lemm.ex to see if there’s value in keeping a library of these together? Might help support privacy awareness activities beyond open data?

Thanks,
Dave.


#5

Great suggestions Dave.

@lemm.ex, @clare.z.foster or other privacy experts, do you know of a place where privacy risk assessments are collated? Sounds like it would be a great resource.


#6

I’m not sure about other agencies, Stephen, but here in TMR the project owner becomes the ultimate owner of the Privacy Impact Assessment (PIA), which means that the final document remains with the relevant area. And as the document is a ‘living’ thing, which can change if the project objectives change, what we hand back to the project owner may not necessarily be what the end result is. Also, publishing the final document in its entirety may come with additional risks around ‘in-confidence’ issues; however, I do see value in having a publicly available list of the PIAs conducted by agencies, with a brief description of the project.


#7

Some of our privacy specialists have reviewed the Open Data Certificate questions and associated help for:

  1. completeness; and
  2. usability by data custodians/managers.

In relation to point 1, no additional questions were identified, and the team supported the recommendation for questions 4 and 7 to be optional.

As each of the questions links to Office of the Information Commissioner resources (and other resources), we don’t have any further feedback overall. In relation to point 2, it may be prudent to ask some data custodians/managers to test the certification process and provide feedback.

On a very minor note, there are a couple of typos as follows:
• Q3. Typo in header Individual Consent Resources.
• Q.9 header I believe should read Privacy Breach Resources


#8

Thanks for the feedback, Earl. :+1: Typos are fixed. :relaxed:

We will be testing the questions with data custodians when the certificate goes into Beta. Based on their feedback, we’ll adjust before moving to Final.


#9

I believe I’ve updated the help page to cater for all feedback provided so far. Text in red boxes on the help page remains to be done. This includes:

  • Help text for question 3
    • verifying laws that permit you to publish personal data.
    • how to ask for an individual’s consent to publish personal data.
  • Help text for question 4
    • how to show that you have consent from affected individuals to publish personal data.

Suggestions on this content are very welcome.

Thanks @Earl_Butterworth, @david.z.ainscough and @clare.z.foster for your feedback :heart_eyes:
Let me know if you’re happy with the implementation.