New draft Guide released

Last week the Office of the Australian Information Commissioner (OAIC) released a consultation draft "Guide to Big Data and the Australian Privacy Principles". While this draft is for consultation and submissions are open until 25 July 2016, the Guide is useful in setting out the OAIC's view on how big data and big data analytics interface with the Australian Privacy Principles (APPs).

The OAIC has already released some guidelines in relation to de-identifying personal information in its publication Business Resource 4: de-identification of data information. Whereas the focus of Business Resource 4 is the ways in which personal information may be de-identified so as not to breach privacy laws (in itself a significant and complex undertaking), the Guide goes on to consider how information that has been de-identified may then be used.

What does it say?

This Guide considers the application of each of the 13 APPs in the context of big data. It is clear from a review of the Guide that the OAIC is concerned with individuals being fully informed about the uses to which their personal information may be put. This places an enhanced focus on the form, content and delivery of collection notices and consents that allow for multiple layers of use. Clearly communicating the secondary uses that may arise as a consequence of data analytics involving personal information would potentially create a challenge for many organisations.

The Guide also points to the importance of the relationship between privacy notices in communicating information handling practices, and of the carrying out of Privacy Impact Assessments (PIA) as a tool for informing the design of big data usage and big data practices to minimise the risk of breaching the APPs.  The use of PIAs to formally record the risks that have been considered and the steps that have been put in place to mitigate them provides a basis to demonstrate privacy compliance in the event of a breach.

In addition, the Guide suggests PIAs be undertaken in conjunction with the use of information security risk assessments, so that the technical and legal risks and mitigations can be aligned. 

A further issue considered in the Guide is the re-identification of personal information where various data sets are combined such that new personal information is created by the analytics. In this case, compliance with consents and collection notices becomes highly problematic for organisations.

What action should I take?

For those organisations that propose to use big data they hold for analytics, either on their own or together with data from other sources, the Guide is a worthwhile starting point to consider the design principles that might be employed to ensure compliance with the Privacy Act. As it raises the likely common compliance issues it also sets out a roadmap for addressing them.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.