OAIC's new recommendations for privacy and big data
13 June 2016
In an effort to assist entities to comply with their privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act) when undertaking big data activities, the Office of the Australian Information Commissioner (OAIC) has released a consultation draft of its Guide to big data and the Australian Privacy Principles.
Although the final version of the Guide will not be legally binding, it provides guidance on how the OAIC will exercise its functions under the Privacy Act on big data issues.
What is "big data"?
There is no single definition of big data, but the OAIC has quoted Gartner's definition of "high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight, decision making, and process optimization".
Balancing big data activities with privacy
The OAIC recognises that big data analytics has the potential to bring social and economic benefits, as entities use it to identify trends and challenges as well as to identify opportunities.
However, this benefit must be balanced with entities' privacy obligations. In particular, big data activities present practical challenges around fundamental privacy issues such as notice and consent, data collection and retention, and use limitation.
The Guide makes two key recommendations for entities that are considering engaging in big data activities:
- Consider whether de-identified personal information can be used. De-identified information is not personal information, meaning that the Privacy Act will generally not apply.
- Embed "privacy by design" across the organisation and in individual projects and activities. Privacy by design describes an approach to integrate privacy throughout the entity's culture, practices and processes, systems and initiatives.
Key Australian Privacy Principles (APP) considerations
The OAIC's recommendations for entities undertaking big data activities to comply with APP obligations include:
- Only collect personal information that is reasonably necessary to undertake its functions or activities. This is not consistent with the big data concept of collecting all data for "unknown purposes".
- Be aware that big data analytics may lead to the creation of and, consequently, the collection of personal information.
- Consider whether information used in big data activities is likely to include information from third parties and, if so, whether the exceptions to collecting information directly from the individual and giving the appropriate notice are met.
- Ensure that privacy notices allow big data activities. Note, this will often be a secondary purpose to the purpose for which the information was initially collected.
- Using big data for direct marketing may require complying with additional APP obligations if it includes facilitating other entities' direct marketing.
- Conduct due diligence before disclosing personal information to overseas recipients, noting that the entity will generally be accountable for an act of the overseas recipient that would breach the APPs.
- Where entities create personal information by their big data activities, they may need to take more rigorous steps to ensure the information is accurate, complete and up-to-date.
- Only keep personal information if it is needed and is for a permitted purpose.
- Ensure reasonable steps to protect the security of the personal information are identified and implemented.
Privacy impact assessment—the tool of choice
The OAIC notes that conducting a privacy impact assessment (PIA) will identify and manage many of the privacy issues that may arise when the entity undertakes big data activities.
The Guide specifically recommends a PIA be used when an entity is developing or reviewing a big data project to:
- identify how it can impact on an individual's privacy
- recommend steps to manage, minimise or eliminate privacy impacts
- consider whether using de-identified information would be appropriate in the context of the project's aims and data use
- plan the collection of the personal information in a manner that complies with the APPs
- consider whether personal information is likely to be created through big data activities, how it will be used and the implications of this
- consider whether sensitive information is being collected and what APP requirements will need to be complied with
- consider what information should be included in privacy notices and how it should be provided, and
- consider what personal information is needed and for what purpose, and whether the information can be de-identified at this stage.
Where to from here?
The OAIC invited comments on the draft Guide by the closing date of Monday 25 July 2016.
We will continue to keep you informed of developments.