The Office of the Australian Information Commissioner (OAIC) recently published a draft “Guide to big data and the Australian Privacy Principles” (Guide), and asked industry participants for comments. The guide is intended to help companies understand how the Australian Privacy Principles (under the Australian Privacy Act 1988) apply to big data that contains information about “an identified individual, or an individual who is reasonably identifiable.” Often, there is a question whether or not information contained in big data is really personally identifiable, or is “de-identified,” (Guide, p. 3) which to OAIC, is information that is sufficiently de-identified that “the information is no longer about an identified individual or an individual who is reasonably identifiable.” (Guide, p. 3). When sufficiently de-identified, the Guide indicates, the privacy principles would not apply.
The Guide also addresses information sharing, reminding companies that information can be shared under the Privacy Act only if it relates to the purpose for which it was collected, or inter alia if the individual has expressly consented or would expect such sharing. The Guide also addresses overseas transfers, reminding companies that under the Privacy Act, the Australian sender must take “reasonable steps” to make sure the recipient follows the Australian Privacy Principles.
TIP: This guidance may be a useful resource for companies engaging in big data practices that are subject to the Australian privacy laws. There are not many specific or concrete directions in the Guide as currently drafted on steps companies can take. Interested parties can submit comments up until 26 July 2016.