
The OAIC’s draft guide encourages entities to take a risk management approach and use existing privacy tools to manage privacy risks while maximising the benefits of big data activities.
The Office of the Australian Information Commissioner (OAIC) has published a consultation draft of its Guide to big data and the Australian Privacy Principles, providing guidance on how the Australian Privacy Principles (APPs) apply to big data and tips for privacy law compliance. The draft guide has been developed in recognition of the growing use of big data and its potential to bring about social and economic benefits for both public and private sectors.
What is “big data”?
The draft guide adopts Gartner’s “three Vs” definition of “big data”: high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight, decision-making, and process optimisation.
Large and disparate volumes of data that previously could not be analysed cost-effectively can now be processed quickly and relatively cheaply using sophisticated software that applies algorithms to find correlations, giving entities an ability to quickly identify trends, challenges and opportunities.
Privacy challenges
From a privacy law perspective, big data is no different to any other type of data. If it includes personal information, entities that are subject to the Privacy Act must comply with the requirements of the APPs when collecting, using and otherwise handling that data. However, given the nature of big data and the manner in which it is collected and used, big data presents challenges for compliance with key privacy requirements, particularly in the areas of notice and consent, data collection and retention minimisation.
The draft guide considers the application of key APPs in the big data context and encourages entities to take an innovative approach in tailoring their personal information handling practices for big data.
Privacy impact assessments
The draft guide recommends that entities take a risk management approach to their big data activities, including conducting a privacy impact assessment as part of their planning for any proposed big data activity. A privacy impact assessment or PIA is a tool designed to identify the impact of a new project or process on privacy and provide recommendations for managing, minimising or eliminating privacy risks. PIAs help entities adopt a “privacy by design” approach by encouraging entities to develop their big data activities with privacy in mind, rather than as a bolt-on afterwards, in order to minimise the risk of breaching the APPs.
De-identified personal information
The draft guide encourages entities to consider whether de-identified personal information could be used for their big data activities. Data that has been successfully de-identified is no longer personal information and may be used, shared and published without jeopardising personal privacy. De-identifying information enables entities to maximise the utility and value of big data while safeguarding privacy.
Risk assessments should be conducted to consider:
- the nature of the personal information and whether de-identification may be appropriate;
- the de-identification techniques that may be used; and
- the context in which the de-identified data will be handled (including whether there is a risk of re-identification).
Privacy notices
Privacy notices have a key role to play in privacy compliance in the big data context. Since big data activities are in most cases unlikely to be the primary purpose of collection of the relevant data, privacy notices will be critical to enable entities to notify individuals about the collection and use of their personal information for big data activities, manage consumer expectations and obtain consents where necessary.
The draft guide highlights research showing that many people do not read privacy notices. It encourages entities to develop privacy notices that are multi-layered and user-centric, to assist with readability and navigability, and timed so that information is given in context at the right time.
The draft guide encourages entities to take innovative approaches to privacy notices, such as using “just-in-time” notices which work by appearing on the individual’s screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used.
How does the guide affect me?
The guide will not itself be legally binding, but will be referred to by the OAIC when undertaking its functions under the Privacy Act in relation to big data activities. For this reason, entities that are subject to the Privacy Act should consider the draft guide carefully. It also provides useful guidance for entities that are not subject to the Privacy Act.
The draft guide is open for public comment until 26 July 2016. Our Privacy team can assist you to understand the impact of the guide or make a submission.
This article was originally published on www.lexology.com and can be viewed in full

