The Office of the Australian Information Commissioner is seeking feedback on a draft guide to the interaction between so-called big data and Australian privacy law.
In particular, the draft examines how the Australian Privacy Principles (APPs) apply to big data.
“There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation, and retention minimisation — work in practice,” acting Australian Information Commissioner Timothy Pilgrim said in remarks prepared for the launch of Privacy Awareness Week.
“However, the APPs are technologically neutral, and structured to reflect the entirety of the information lifecycle. This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.”
“The draft guide is aimed at facilitating big data activities while protecting personal information. It encourages entities to take a risk management approach and to use existing privacy tools to get privacy right for big data,” Pilgrim said.
A key consideration in the guide is the potential for organisations to de-identify data they employ for analytics projects. De-identification, when performed successfully, means data is no longer considered personal information under Australian law.
“De-identifying personal information for the purposes of big data activities means the information may be used, shared and published without jeopardising personal privacy,” the draft states.
“This enables organisations to maximise the utility and value of the information while safeguarding privacy.”
However, it adds the caveat that there is the potential for de-identification to be done poorly, which raises the risk of re-identification.
At a Cebit cloud computing conference earlier this month, Pilgrim said that because of the fast-moving nature of the data analytics space and the variety of ways in which organisations employ analytics, it is not possible to provide a “prescriptive, template based, tick-a-box guide to de-identification”.
The draft guide says that organisations should undertake a risk assessment to analyse the potential for data to be re-identified.
“In undertaking a risk assessment entities should consider the variety of information that will be brought together, the algorithms to be applied, and how the outcomes will be used or disclosed,” it states.
“For example, where the de-identified information will be made available to other entities or the public generally, the relevant factors to consider may include the cost, difficulty, practicality and likelihood that the information may be re-identified.
“Following a risk assessment, appropriate mitigation strategies should be implemented. This may include using different or additional de-identification techniques. It may also include placing restrictions on the use of the de-identified information.”
The draft advocates a privacy-by-design approach by organisations.
The document is available from the OAIC’s website. The deadline for submissions on the draft is 26 July.
The government in this year's budget backtracked on a decision to replace the OAIC.