The OAIC's draft guide encourages entities to take a risk management approach and use existing privacy tools to manage privacy risks while maximising the benefits of big data activities.
The Office of the Australian Information Commissioner (OAIC) has published a consultation draft of its Guide to big data and the Australian Privacy Principles, providing guidance on how the Australian Privacy Principles (APPs) apply to big data and tips for privacy law compliance. The draft guide has been developed in recognition of the growing use of big data and its potential to bring about social and economic benefits for both public and private sectors.
What is "big data"?
The draft guide adopts Gartner's "three Vs" definition of "big data": high-volume, high-velocity and / or high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight, decision-making, and process optimisation.
Large and disparate volumes of data that previously could not be analysed cost-effectively can now be processed quickly and relatively cheaply using sophisticated software that applies algorithms to find correlations, giving entities an ability to quickly identify trends, challenges and opportunities.
From the privacy law perspective big data is no different to any other type of data. If it includes personal information, entities which are subject to the Privacy Act must comply with the requirements of the APPs when collecting, using and otherwise handling that data. However, given the nature of big data and the manner in which it is collected and used, big data presents challenges for compliance with key privacy requirements, particularly in the areas of notice and consent, data collection and retention minimisation.
The draft guide considers the application of key APPs in the big data context and encourages entities to take an innovative approach in tailoring their personal information handling practices for big data.
Privacy impact assessments
The draft guide recommends that entities take a risk management approach to their big data activities, including conducting a privacy impact assessment as part of their planning for any proposed big data activity. A privacy impact assessment or PIA is a tool designed to identify the impact of a new project or process on privacy and provide recommendations for managing, minimising or eliminating privacy risks. PIAs help entities adopt a "privacy by design" approach by encouraging entities to develop their big data activities with privacy in mind, rather than as a bolt-on afterwards, in order to minimise the risk of breaching the APPs.
De-identified personal information
The draft guide encourages entities to consider whether de-identified personal information could be used for their big data activities. Data that has been successfully de-identified is no longer personal information and may be used, shared and published without jeopardising personal privacy. De-identifying information enables entities to maximise the utility and value of big data while safeguarding privacy.
Risk assessments should be conducted to consider:
- the nature of the personal information and whether de-identification may be appropriate;
- the de-identification techniques that may be used; and
- the context in which the de-identified data will be handled (including whether there is a risk of re-identification).
Privacy notices have a key role to play in privacy compliance in the big data context. Since big data activities are in most cases unlikely to be the primary purpose of collection of the relevant data, privacy notices will be critical to enable entities to notify individuals about the collection and use of their personal information for big data activities, manage consumer expectations and obtain consents where necessary.
The draft guide highlights that research shows many people do not read privacy notices and it encourages entities to develop privacy notices that are multi-layered and user-centric to assist with readability and navigability, and timed to ensure information is given in context at the right time.
The draft guide encourages entities to take innovative approaches to privacy notices, such as using "just-in-time" notices which work by appearing on the individual's screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used.
How does the guide affect me?
The guide will not itself be legally binding, but will be referred to by the OAIC when undertaking its functions under the Privacy Act in relation to big data activities. For this reason, entities that are subject to the Privacy Act should consider the draft guide carefully. It also provides useful guidance for entities that are not subject to the Privacy Act.
The draft guide is open for public comment until 26 July 2016. Our Privacy team can assist you to understand the impact of the guide or make a submission.
You might also be interested in...
- Big data and the public sector
- When bright lines blur: when is personal information "de-identified" and why does it matter?
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.