Link Library

The Office of the Commissioner for Privacy and Data Protection (CPDP) has curated the list of resources below for the purpose of highlighting standout sources that provide insight into key areas of interest. A variety of types of sources have been purposefully selected to include academic research and thought leadership, exemplary guidelines and exploratory work from other jurisdictions, as well as useful tools, visuals and explanatory articles from the media, civil society organisations and industry professionals. CPDP has selected each source based on its valuable or interesting contribution to current discussion and debate; it does not imply CPDP endorsement of the viewpoints of each source listed.

This page is designed to be a living resource library that will continue to evolve as new issues, resources, technologies, and debates emerge. We welcome suggestions for additions from the public and organisations. Please send suggestions to This email address is being protected from spambots. You need JavaScript enabled to view it.

EU General Data Protection Regulation (GDPR)

Australian businesses and the EU General Data Protection Regulation (GDPR)
Office of the Australian Information Commissioner, May 2017

This privacy business resource offers practical guidance for Australian businesses on how to ensure compliance with the GDPR from 25 May 2018. This resource details the new data protection requirements for Australian businesses deemed data controllers or processors under the Regulation, including the implementation of a privacy by design approach to compliance and the adoption of transparent information handling practices. This resource also provides a useful comparison of the requirements under the GDPR and existing requirements for Australian businesses under the Privacy Act 1988 (Cth).

Overview of the General Data Protection Regulation (GDPR)
Information Commissioner’s Office (ICO), UK, August 2017

This interactive resource offers a clear explanation of the principles and requirements under the GDPR for practitioners, including an exploration of the enhanced individual rights for EU citizens under the Regulation. The UK ICO has also published a 12-step guide to allow businesses to prepare for the commencement of the GDPR.

Big Data

Guide to big data and the Australian Privacy Principles
Office of the Australian Information Commissioner, May 2016.

Currently in consultation, these draft guidelines provide practical advice to organisations subject to the Privacy Act 1988 on how to work with big data in accordance with the Australian Privacy Principles (APPs). Please note that Victorian public sector organisations are subject to the Information Privacy Principles (IPPs) under the Privacy and Data Protection Act 2014. While there are slight differences between the APPs and the IPPs, this guide nonetheless provides useful best practices for organisations to consider when working with big data.

Privacy by design in big data: an overview of privacy enhancing technologies in the era of big data analytics
European Union Agency for Network and Information Security, December 2015.

This paper provides a thorough understanding on what big data is, the uses and limits of big data analytics, what the privacy-related issues are, and basic privacy-enhancing technologies. It explains in a clear manner the challenges of data processing and analytics with a focus on using technological solutions to address privacy related concerns.

Big Data: Seizing Opportunities, Preserving Values
Executive Office of the President, The White House, Washington, May 2014.

Based on research gathered through consultations with industry, civil society, academia and government, this report focuses on how both the public and private sectors can maximise the benefits of big data. Although it is written from a U.S. perspective, this report contains some useful insights that can be applied to the Australian landscape. It emphasises the practical ways big data could be harnessed for economic growth, improvements in health and education, energy efficiency as well as uses for security and law enforcement.

Big data and data protection
Information Commissioner’s Office, UK, 2014.

This paper provides an overview of the issues concerning big data with a focus on the data protection aspect of privacy risk. Research for this paper was conducted over 2013 – 2014 and so several technological advancements have since occurred in the big data space. Nonetheless this paper contributes valuable insights to the underlying concerns related to big data and that its benefits cannot be traded with privacy risks.


Guidelines for de-identification for structured data
Information and Privacy Commissioner of Ontario, June 2016.

These guidelines provide useful best practice advice on the process of de-identification of structured data. While written from a Canadian perspective, this paper provides useful and relevant guidance on the process for de-identifying structured data, including the importance of effective de-identification governance. Please note that the scope of this paper is limited to structured data, and that de-identification processes will vary when being used for un-structured data – including big data.

A de-identification protocol for open data
Khaled El Emam, May 2016.

Written by one of the leading authorities in de-identification, Khaled El Emam describes de-identification techniques from a k-anonymity methodology in specific relation to open data platforms. Several important factors are highlighted in this article that are useful for organisations to consider when wishing to publish datasets to the public.

Shades of Gray: Seeing the full spectrum of practical data de-identification
Jules Polonetsky, Omer Tene and Kelsey Finch, Santa Clara Law Review, April 2016, Vol. 56, 2016, pp. 593-629.

The authors of this academic paper examine the current debate surrounding the merit of de-identification as a privacy-protecting tool. It takes a nuanced approach to explore the contentious issues related to the idea of what can be considered ‘identifiable’ and if, when, and how de-identification can be effective. It was written to correspond with the Visual guide to practical data de-identification [hyperlink:], published by The Future of Privacy Forum, April 2015, which visually lays out the degrees of what can be considered identifiable.

De-identification of personal information
Simon L. Garfinkel, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, October 2015.

This report presents a thorough understanding of de-identification from a technological perspective. It examines what is meant by de-identification – including some of the issues of terminology – and explains many of the current de-identification practices and processes. It also examines the challenges of de-identification such as the risk of re-identification, un-structured datasets and balancing privacy protection with data utility. While this report is relatively technical, it is presented in clear, plain English terms for readers who may not have a background in technology.

Artificial Intelligence

Why artificial intelligence may be the next big privacy trend
Joseph Jerome, Privacy Perspectives: International Association of Privacy Professionals, October 2016

Jerome examines how the same ethical questions posed by big data, such as fairness and accountability, can be extended to the future use of AI technologies and the inter-relationship between big data and AI.

Artificial intelligence: opportunities and implications for the future of decision making
Government Office for Science, UK, November 2016

This paper identifies a need for organisations to advance data science capabilities, including data quality and privacy protections, in order to facilitate the productive use of AI in the future. The paper provides a useful overview of the current ethical and legal risks arising from the use of AI and explores issues of accountability where decisions are made by machines.

Smart Cities

Securing Cities of Tomorrow
John Bigelow, Security Solutions, number 99, February 2016, page 60-66.

This article clearly and concisely articulates some of the key security challenges of smart cities form an Australian business and government perspective.

Privacy, security and data protection in smart cities: a critical EU law perspective
Lilian Edwards, European Data Protection Law Review, January 2016

While written from an EU perspective, this academic paper explores the deeper issues of smart cities in relation to individual privacy and the notions of ‘notice’ and ‘consent’. The core argument is that smart cities present a combination of the three greatest current threats to privacy: the Internet of Things, Big Data and the Cloud. Edwards contends that regulation has so far failed to deal with these phenomena both separately and combined in relation to privacy.

Cities as Living Labs, creating innovative, connected cities
Melbourne Networked Society Institute, The University of Melbourne, January 2015.

MNSI provide a high-level and concise overview of what smart cities are and what they mean for the future of Australia.

Identity Management

Building Canada’s Digital Identity Future
Digital Identification and Authentication Council of Canada, May 2015.

This report identifies the need for a ‘digital identification ecosystem’ that is robust, secure, scalable and privacy enhancing. With a strong focus on fostering trust for both organisations and individuals, there is much emphasis on ensuring individual personal information is kept private and secure. It clearly outlines seven universal requirements of a digital ecosystem and makes recommendations on the regulatory, technical and architectural models to create such a system.

Digital Identity Management and Electronic Authentication: Enabling innovation and trust in the Internet economy
The Organisation for Economic Co-operation and Development (OECD), 2011.

A culmination of work by the OECD from 2007-2011 to create a shared understanding among government policymakers about digital identity management, this document presents an overview of what digital identity management is and how it relates to the Internet economy. Specific acknowledgments of privacy and security are made on page 16, with further details on security and privacy policies on pages 48-51.


Privacy Organisations

Office of the Australian Information Commissioner
Health Services Commissioner (Victoria)
Asia Pacific Privacy Authorities
APEC Cross-border Privacy Enforcement Arrangement
Organisation for Economic Co-operation and Development (OECD) Privacy Principles
Privacy by Design
Victorian Civil and Administrative Tribunal (VCAT)

Other Related Links

Freedom of Information Commissioner (Victoria)
Victorian Equal Opportunity and Human Rights Commission
Victoria Police
Cross-border Privacy Enforcement Arrangement
Asia Pacific Privacy Authorities