The Office of the Australian Information Commissioner (OAIC) recently published a draft “Guide to big data and the Australian Privacy Principles” (Guide), and asked industry participants for comments. The guide is intended to help companies understand how the Australian Privacy Principles (under the Australian Privacy Act 1988) apply to big data that contains information about “an identified individual, or an individual who is reasonably identifiable.” Often, there is a question whether or not information contained in big data is really personally identifiable, or is “de-identified,” (Guide, p. 3) which to OAIC, is information that is sufficiently de-identified that “the information is no longer about an identified individual or an individual who is reasonably identifiable.” (Guide, p. 3). When sufficiently de-identified, the Guide indicates, the privacy principles would not apply.

In the Guide, OAIC recommends companies use a privacy by design approach, including providing notice at the time information is collected from an individual about use of information for big data purposes. With respect to information collected from third parties – a common practice in the big data space – the Guide indicates that a company’s privacy policy should indicate “how, when and from where the personal information was collected.” (Guide, p. 13). The Guide anticipates “innovative” ways of giving notice, including video and privacy dashboards.

The Guide also addresses information sharing, reminding companies that information can be shared under the Privacy Act only if it relates to the purpose for which it was collected, or inter alia if the individual has expressly consented or would expect such sharing. The Guide also addresses overseas transfers, reminding companies that under the Privacy Act, the Australian sender must take “reasonable steps” to make sure the recipient follows the Australian Privacy Principles.

TIP: This guidance may be a useful resource for companies engaging in big data practices that are subject to the Australian privacy laws. There are not many specific or concrete directions in the Guide as currently drafted on steps companies can take. Interested parties can submit comments up until 26 July 2016.