The Office of the Australian Information Commissioner (OAIC) has released a draft Guide to big data and the Australian Privacy Principles for consultation.
What is big data?
The guide adopts Gartner’s ‘three Vs’ definition of big data: “[…]high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight, decision making, and process optimization.”
The term ‘big data activities’ is used in the guide to include big data analytics, as well as the handling of personal information before and after analysis. This includes how personal information is managed, collected, dealt with and maintained.
Big data analytics has changed the way organisations use data to identify trends and challenges, by analysing large data sets, often from a variety of sources, quickly. Big data analytics can be used to streamline service delivery, create opportunities for innovation, and identify new service and policy approaches as well as support the effective delivery of existing programs across a broad range of operations.
Privacy issues
The draft Guide raises a number of privacy issues relating to big data:
- Is the data de-identified? Successfully de-identified data is not personal information, meaning the Privacy Act will generally not apply.
- Even if information is de-identified you should undertake a risk assessment to consider the risk of re-identification and collection of personal information during or following big data activities.
- Could personal information be collected by ‘creation’? This may occur when information is created or generated from other information the organisation holds.
- Is personal information used in big data activities likely to include information collected from third parties?
- Do you use or disclose individuals’ personal information to tailor the direct marketing communications (such as online advertisements) you send to and target at those individuals?
- Do you keep track of the types of information you are collecting. This will reduce the risk of using or disclosing sensitive information for direct marketing purposes without individuals’ consent?
- Do you consider individuals’ expectations about how their information will be used and disclosed in light of the original purposes for which their information was collected and any notices they were provided?
- Do your big data activities involve using overseas cloud (or internet) based platforms? The APPs do not prevent the sending of personal information overseas or engaging an overseas cloud service provider. However, you will need to carefully consider steps that may need to be taken to ensure compliance with the APPs. If information cannot be de-identified, and it is necessary to disclose personal information overseas, you are required to take reasonable steps to ensure that the overseas recipient does not breach the APPs.
- Because big data analytics use large amounts of information, often collected from a variety of third party sources which may have been retained for long periods of time the information may not be accurate, complete or up-to-date. In these circumstances, more rigorous steps are likely to be required to ensure the quality of personal information to ensure ensured incorrect assumptions are not drawn about individuals or groups of people.
- Because big data activities often hold larger amounts of data and for longer periods of time you need to consider what security risks exist and take reasonable steps to protect the personal information you hold. This includes both internal (eg staff) and external risks.
- It is expected that organisations handling large amounts of personal information for big data purposes will conduct an information security risk assessment (also known as a threat risk assessment). This will enable you to identify and evaluate security risks, including threats and vulnerabilities, and the potential impacts of these risks to personal information.