When to use suppression

Suppression should be applied to aggregate data that is released publicly. ¹ In general, suppression is not needed when data is for internal use only or is unlikely to be publicly released.

Internal use is defined as use exclusively by departmental employees. The universal application of the suppression rules is appropriate as all staff are required to abide by the department’s code of conduct and data use policies.

The application of an appropriate data suppression approach is especially important for data about individuals from vulnerable groups, as they are more susceptible to harm from data breaches or misuse. When data relates to small groups of people, small cell counts across multiple cells can require significant secondary suppression (suppressing a cell so that another can’t be deduced). 

All data must be used according to the consent provided for its use, which means that the terms outlined in a data collection notice take precedence over the suppression standard. Where suppression (or lack there of) would affect data collection methodologies or data quality, this should be addressed by stipulating the intended use in the collection notice.

Staff may contact the Chief Data Office to discuss how to approach specific data suppression scenarios via Data.Reform@det.nsw.edu.au or CESE.Corro@det.nsw.edu.au.
 

Best practice

The Australian Bureau of Statistics has identified the following as best practice principles for applying data suppression to specific data products in a way that effectively protects privacy while maintaining data integrity:
 

• Identify sensitive data: Define which fields need suppression.
   
• Apply suppression thresholds: Set minimum count thresholds for groups to avoid showing data that could reveal individual identities.
   
• Use consistent suppression: Apply rules uniformly to ensure data reliability.
   
• Aggregation and generalisation: Aggregate or generalise data (e.g., using ranges or high-level categories) to reduce identifiability.
   
• Audit and monitor: Regularly review suppression practices to maintain compliance and improve protection strategies.

Following these practices helps ensure confidentiality and reduces re-identification risks in shared data (see Appendix A for worked examples).
 

Data suppression rules

Department staff are expected to align with the following rules when preparing aggregate data for public release, or sharing aggregated data with external parties:

Rule of 10

The rule of 10 is the suppression of any cell in a table² with a frequency of 10 or fewer and the subsequent suppression of larger cells that could be used to calculate the target cell. This rule is the default suppression method used in the department and is an important mechanism for protecting individual privacy.

The rule of 10 is the default threshold used for data about people and is generally not necessary for data about other entities (e.g., schools, directorates, objects) unless the school information could be used to identify individuals. Public reporting of individual school data may, however, be limited by Section 18A of the Education Act.

This threshold is consistent with ABS practice and balances the need for confidentiality with NSW’s commitments to open data. A rule of 10 is considered quite conservative, with data.gov identifying thresholds of 3, 5 and 10 as common across Australian government agencies. This includes agencies with sensitive data such as Australian Institute of Health and Welfare who use a threshold of 4 or fewer, the federal Department of Education who use a threshold of 5 or fewer, and the NSW Department of Communities and Justice who published Guidelines for publishing results with small sample sizes which recommended a threshold of 5 or fewer for demographic data.

Percentages should be suppressed if the numerator or denominator is less than 10. Small percentages, in and of themselves, are not an identification risk.

When preparing data in consultation with external agencies with different suppression thresholds, the agencies involved should use the most conservative threshold. Unit Record Data sharing is not covered by the standard.

Aggregation

Data can become meaningless if the rule of 10 results in a large percentage of cells being suppressed through initial or subsequent suppression. In these cases, selecting different aggregations should be considered.   

The point where suppressed data is no longer able to be used effectively will depend on the purpose and audience. As a rule of thumb, if more than a quarter of the cells are suppressed, the data is unlikely to be fit for purpose.

Common aggregation approaches include:
 

• combining categories such as: remote and very remote geographical areas; substantial and extensive adjustments for students with disability; or, grouping grades or ages; or
   

• collapsing calendar years.

It is appropriate to use aggregation as the first suppression process, with the Rule of 10 applied to any remaining small cell counts.

Dominance rule

Dominance rules are applied to tables that present magnitude data (e.g., income or turnover), where knowing a dominant group would risk the inappropriate identification of an individual entity such as a company (see Appendix B). The Rule of Dominance relates to commercial considerations, so has limited use in the department.

Exclusions

The roles and responsibilities for ensuring appropriate data sharing are covered by the Data Governance Framework (under development).

There are a range of factors that impact whether data is shared that are not related to whether suppression is adequate or appropriate. These are covered by the department’s Data Sharing Guide and include ensuring that the provision of data is in line with the data collection notice, the level of security available in the user’s environment, welfare considerations, and determining whether the publication of the data is in the public interest.  Where data is being shared, clear guidance on expectations should be provided (see Safety Assessment in the Data Sharing Guide). This standard relates to how suppression should be applied to data and does not address these factors.

Data custodians may be apprehensive about sharing data where an individual or team has previously used data inappropriately or shared it beyond the agreed terms. In general, this is not an issue to be addressed through suppression, but rather it should be remedied through applying the data breach policy or raising the issue through the Chief Data Office. If this approach is inadequate or unsuccessful, it may be suitable to use data suppression on internal data reporting to reduce the risk of unauthorised sharing.

Raw data within source systems is not for public release and is therefore not suppressed.

¹ Perturbation may be an appropriate method of de-identification in some cases. The appropriate use of this method is outside the scope of this standard.

² Note that representing suppression in data visualisations is outside the scope of this standard.

• Australian Bureau of Statistics. (2021). Data confidentiality guide. https://www.abs.gov.au/about/data-services/data-confidentiality-guide
   
• New South Wales Government. (1998). Privacy and Personal Information Protection Act 1998. https://legislation.nsw.gov.au/view/whole/html/inforce/current/act-1998-133
   
• New South Wales Government. (2002). Health Records and Information Privacy Act 2002. https://legislation.nsw.gov.au/view/whole/html/inforce/current/act-2002-071#sec.6
   
• New South Wales Government. (2024). NSW government open data policy. https://data.nsw.gov.au/nsw-government-open-data-policy
   
• NSW Department of Education. (2024). Enterprise Data Standards. https://education.nsw.gov.au/policy-library/policies/pd-2004-0036-05
   
• NSW Department of Education. (2024). Data sharing guide. https://education.nsw.gov.au/information-management/Information-management-resource-hub/data-sharing-guide
   
• NSW Department of Education. (2025). Data breach. https://education.nsw.gov.au/policy-library/policies/pd-2024-0485-12
   
• NSW Department of Education (2025). Remoteness standard. https://facsnsw.aristotlecloud.io/item/12863/classification/remoteness-standard

• Australian Bureau of Statistics. (2021). Input and output clearance. https://www.abs.gov.au/statistics/microdata-tablebuilder/datalab/input-and-output-clearance 
   
• Australian Bureau of Statistics. (2014). Indigenous status standard. https://www.abs.gov.au/statistics/standards/indigenous-status-standard/latest-release  
   
• Australian Government. (n.d.). Data integration projects: Part 4. https://toolkit.data.gov.au/data-integration/data-integration-projects/part-4.html  
   
• Australian Government Department of Education. (2025). Higher education statistics data. https://www.education.gov.au/higher-education-statistics/higher-education-statistics-data  
   
• Australian Government Department of Health. (2021). Voluntary Indigenous identifier (VII) framework. https://www.health.gov.au/sites/default/files/documents/2021/08/voluntary-indigenous-identifier-vii-framework.docx  
   
• Australian Institute of Health and Welfare. (2017). Guidelines for the use and disclosure of secondary health information. https://www.aihw.gov.au/getmedia/d15f8bf7-f29f-406a-a27d-41f483b17ff1/guidelines-use-and-disclosure-of-secondary-health-information-endorsed-15-june-2017.pdf.aspx 
   
• Data NSW (2024) Making data safe for sharing. https://data.nsw.gov.au/making-data-safe-sharing  
   
• Indigenous Health Partnership Forum. (2024). Technical appendix: Statistical terms and methods. https://www.indigenoushpf.gov.au/resources/technical-appendix/statistical-terms-and-methods  
   
• Information and Privacy Commission NSW. (2020). NSW privacy laws: PPIP Act. https://www.ipc.nsw.gov.au/privacy/nsw-privacy-laws/ppip  
   
• Nationally Consistent Collection of Data on School Students with Disability. (2022). Nationally consistent collection of data on school students with disability. https://www.nccd.edu.au/ 
   
• NSW Department of Communities and Justice. (2020). POCLS guidelines for publishing results. https://dcj.nsw.gov.au/documents/about-us/facsiar/pocls/pocls-publications/pocls-guidelines-for-publishing-results.pdf 
   
• NSW Department of Education. (2024). EAL/D education. https://education.nsw.gov.au/teaching-and-learning/multicultural-education/english-as-an-additional-language-or-dialect/eald-education 
   
• NSW Department of Health (2015) HealthStats NSW: Privacy issues and the reporting of small numbers. https://www.health.nsw.gov.au/hsnsw/Publications/privacy-small-numbers.pdf 
   
• Office of the Australian Information Commissioner. (n.d.). Your personal information. https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information