An information disclosure risk assessment framework for organisational data sharing

Research output: Thesis, Doctoral Thesis


Abstract

Organisations rely on analytical data to improve decision-making and service delivery, often sharing this data with external entities, such as research institutes, to foster collaboration and innovation. However, shared data frequently contains personal information, posing significant privacy risks, including the risk of re-identification if the data is not adequately protected. Most governments, including those of Australia, the United States, and the European Union countries, mandate privacy regulations to protect individual privacy. Unfortunately, these regulations are often vague and lack practical technical guidance on effective data protection measures. Additionally, ambiguity arises from a limited understanding of the technical requirements necessary for proper implementation, complicating organisations' efforts to ensure that data is adequately protected for external data sharing.
This research examines the challenges organisations face in aligning with privacy regulations, implementing effective privacy measures, and assessing privacy risks after data anonymisation. More specifically, the first research objective is to investigate the research gap between privacy regulations and industrial privacy frameworks. Our findings identify the dynamic nature of data sharing and the important role of both privacy regulations and industry-specific frameworks in protecting individual privacy rights. We closely examine the Cambridge Analytica scandal as a case study to demonstrate the potential consequences of inadequate data protection from different data sharing model perspectives. Additionally, we analyse popular privacy frameworks, such as the National Institute of Standards and Technology (NIST) guidelines and the Five Safes framework, to evaluate their effectiveness in mitigating privacy violations.
The second part of the research focuses on a specific privacy vulnerability with significant implications for both organisations and individuals. We investigate the potential of (𝑐,𝑘)-anonymisation, a widely used privacy-preserving method, in a healthcare scenario that aims to protect patient information. Our analysis reveals that adversaries can re-identify patient records when auxiliary data is available, presenting substantial risks. To address these risks, we propose a comprehensive privacy framework designed to identify and mitigate vulnerabilities in data protection post-anonymisation. This framework allows proactive detection and resolution of vulnerabilities before data is shared with external entities, thereby improving the overall privacy of shared analytical data.
The implications of our study are significant for organisations aiming to improve their data-sharing practices while ensuring compliance. Our research helps bridge the gap between regulatory requirements and practical implementation, thus improving privacy-conscious data sharing in the digital era. We emphasise the necessity for robust privacy methods and continuous data assessments to protect user privacy. Our proposed privacy framework offers practical technical guidance, helping organisations manage data protection complexities and maintain the trust of individuals. We validated the framework through multiple scenarios, demonstrating effective techniques for assessing privacy risks and vulnerabilities in anonymised datasets.
This study shows the importance of aligning privacy regulations with practical industry frameworks to effectively protect personal information. By addressing organisational data-sharing challenges, our framework helps in developing more privacy-aware data-sharing practices. This work not only offers valuable insights for policymakers and industry leaders but also emphasises the ongoing need for improved protection to adapt to evolving data-sharing and privacy threats.
Original language: English
Qualification: Doctor of Philosophy
Awarding Institution
  • Charles Sturt University
Supervisors/Advisors
  • Zia, Tanveer, Principal Supervisor
  • Bewong, Michael, Co-Supervisor
  • Jiang, Yinhao, Co-Supervisor
Award date: 31 Jul 2024
Place of Publication: Australia
Publisher
Publication status: Published - 2024
