This process is triggered if the target data is sensitive or protected in its raw form. The classification of data happens during the inventory process or on submission of the intake form if the data is not yet inventoried.
There are two editions of the toolkit: 1. To assess risk related to privacy 2. To assess risk related to security
The privacy edition of the toolkit provides a step-by-step process to assess the release of de-identified sensitive or protected datasets on the open data portal. It requires a balancing of competing factors, such as:
the value of publishing the data,
an individual’s expectation of privacy,
repercussions to an individual or the organization from re-identification, and
the likelihood of re-identification.
The 4 main steps are:
Identify sensitive or protected raw data,
Perform a risk assessment regarding the identifiability of the data,
Choose and implement privacy solutions (e.g. de-identification methods), and
Perform a risk assessment regarding the accessibility of the de-identified data.
The security edition is for datasets that pose security (versus privacy) risks. Your data may not contain any data about individuals, but it may contain data with the following kinds of risks:
Life / safety
Rights / Intellectual Property
The steps in the security edition are:
Assess the Value of Publication
Assess the Risk of Publication
Identify risks and impact
Assess the likelihood
Assign a risk rating
Compare the Value and Risk of publication
Select Risk Treatment and Controls
Select risk treatment
At a high level, going through either edition will result in:
A decision to publish with controls (mitigations described in each toolkit)
A decision not to publish (only in cases where the risks cannot be properly mitigated)
A department publisher, in consultation with DataSF staff, will then incorporate mitigations into the publishing approach.