Last week the Office of the Australian Information Commissioner
(OAIC) released a consultation draft "Guide
to Big Data and the Australian Privacy Principles".
While this draft is for consultation and submissions are open until
25 July 2016, the Guide is useful in setting out the OAIC's view on
how big data and big data analytics interface with the Australian
Privacy Principles (APPs).
The OAIC has already released some guidelines in relation to
de-identifying personal information in its publication Business
Resource 4: de-identification of data information. While the
focus of Business Resource 4 is the ways in which personal
information may be de-identified so as not to breach Privacy laws,
in itself a significant and complex undertaking, the Guide then
considers how information that is de-identified may be used.
What does it say?
This Guide considers the application of each of the 13 APPs in
the context of big data. It is clear from a review of the
Guide that the OAIC is concerned with individuals being fully
informed about the uses to which their personal information may be
put. This places an enhanced focus on the form, content and
delivery of collection notices and consents that allow a
multi-layering of uses. The clear communication of secondary
uses that may arise as a consequence of data analytics involving
personal information would potentially create a challenge for many
The Guide also points to the importance of the relationship
between privacy notices in communicating information handling
practices, and of the carrying out of Privacy Impact Assessments
(PIA) as a tool for informing the design of big
data usage and big data practices to minimise the risk of breaching
the APPs. The use of PIAs to formally record the risks that
have been considered and the steps that have been put in place to
mitigate them provides a basis to demonstrate privacy compliance in
the event of a breach.
In addition, the Guide suggests PIAs be undertaken in
conjunction with the use of information security risk assessments,
so that the technical and legal risks and mitigations can be
A further issue considered in the Guide is re-identification of
personal information where various data sets are combined such that
new personal information is created by the analytics. In this case
compliance with consent and collection notices becomes highly
problematic for organisations.
What action should I take?
For those organisations that propose to use big data they hold
for analytics, either on their own or together with data from other
sources, the Guide is a worthwhile starting point to consider the
design principles that might be employed to ensure compliance with
the Privacy Act. As it raises the likely common compliance issues,
it also sets out a roadmap for addressing them.
This publication does not deal with every important topic or
change in law and is not intended to be relied upon as a substitute
for legal or other advice that may be relevant to the reader's
specific circumstances. If you have found this publication of
interest and would like to know more or wish to obtain legal advice
relevant to your circumstances please contact one of the named