Open Data Release Toolkit Review
This process is triggered if the target data is sensitive or protected in its raw form. The classification of data happens during the inventory process or on submission of the intake form if the data is not yet inventoried.
There are two editions of the toolkit:
- To assess risk related to privacy
- To assess risk related to security
The privacy edition of the toolkit provides a step-by-step process to assess the release of de-identified sensitive or protected datasets on the open data portal. It requires a balancing of competing factors, such as:
- the value of publishing the data,
- an individual’s expectation of privacy,
- repercussions to an individual or the organization from re-identification, and
- the likelihood of re-identification.
The 4 main steps are:
- Identify sensitive or protected raw data,
- Perform a risk assessment regarding the identifiability of the data,
- Choose and implement privacy solutions (e.g. de-identification methods), and
- Perform a risk assessment regarding the accessibility of the de-identified data.
The security edition is for datasets that pose security (versus privacy) risks. Your data may not contain any data about individuals, but it may contain data with the following kinds of risks:
- Life / safety
- Rights / Intellectual Property
The steps in the security edition are:
- Assess the Value of Publication
- Assess the Risk of Publication
- Identify risks and impact
- Assess the likelihood
- Assign a risk rating
- Compare the Value and Risk of publication
- Select Risk Treatment and Controls
- Select risk treatment
- Select controls
Next steps from the toolkit process
At a high level, going through either edition will result in:
- A decision to publish with controls (mitigations described in each toolkit)
- A decision not to publish (only in cases where the risks cannot be properly mitigated)
A department publisher, in consultation with DataSF staff, will then incorporate mitigations into the publishing approach.