The power of data analytics is front and center in the news with Facebook and Cambridge Analytica. In a timely release, the Office of the Australian Information Commissioner recently issued two new guides providing detailed advice on the application of the Privacy Act 1988 and the Australian Privacy Principles in regard to data analytics. The use of data analytics is increasingly common across government agencies and the private sector as a result of the availability of large data sets and increased computational power and storage capacity. Data analytics provide organizations with the potential to deliver better products and services and personalize users’ online experiences.
Despite the use of these large data sets, the Guide to Data Analytics and the Australian Privacy Principles warns organizations conducting data analytics to be aware of the individual privacy risks. As data used may include personal information, the activities will, therefore, be subject to the Privacy Act. Data analytics activities have a tendency to collect data from a wide variety of sources and retain data for a longer period of time, which may expose organizations to compliance risks.
To avoid many of the privacy risks identified in the Guide to Data Analytics and the Australian Privacy Principles, the OAIC has identified de-identification as a privacy-enhancing tool that can enable organizations to improve their data governance practices. De-identification involves the removal or alteration of information that identifies or is reasonably likely to identify a person and the application of any additional protections that prevent identification. Information that has undergone an appropriate and robust de-identification process is therefore not personal information, and consequently not subject to the Privacy Act.
However, De-identification and the Privacy Act (the other guide recently released by the OAIC) confirms the applicability of privacy obligations where there is a risk for data to be re-identified. Organizations should, therefore, handle de-identified data in a way that would prevent any breaches of the APPs occurring.
If you want to comment on this post, you need to login.