The OAIC's tips for big data analytics that won’t break privacy rules

The Office of the Australian Information Commissioner (OAIC) has released its draft checklist for conducting big data activities without breaching the limits of the Privacy Act.

The guide kicks off more than two months of consultation by Privacy Commissioner Timothy Pilgrim, as his office works to iron out the peculiar wrinkles and challenges raised by using big data for business purposes without offending the privacy expectations of consumers.

Unlike the privacy laws, the guide is not legally binding, the OAIC pointed out - but it is an indicator of how it will treat certain circumstances in the event of an assessment or review.

The commission has seized the opportunity to remind organisations it always pays to get privacy mechanisms right from the outset, especially when it comes to obtaining the kind of consent needed to conduct big data analytics.

Analytics will nearly always fall into the category of “secondary purposes” in the context of the Act, the office said, and thus attracts a higher level of consent than more traditional uses of personal information like billing or service provision.

The OAIC warned that simply deciding to use “all the data for unknown purposes” is not good enough.

It recommended that organisations planning to get into the big data game use clear and well-timed APP 5 privacy notices to inform their customers of the kinds of purposes it might be used for, because having to go back to individuals for new forms of consent “can be costly and difficult”.

APP 5 notices prompt users to give their direct consent for their personal information to be used for specific cases, beyond standard privacy policies that all organisations must display.

The guide urges companies to think about “innovative approaches” to issuing privacy notices, like video formats, privacy dashboards, ‘just-in-time’ pop-up notices staged throughout an information collection process, plus using digital capabilities to deliver multi-layered notices so users can expand on the terms that are most relevant to them.

Organisations should also give individuals the opportunity to pick and choose between which uses and disclosures of information they are ok with, and which they’re not, the office said.

The draft big data guide also advises users to think about the de-identification of user data as a default approach, especially if they are considering a cloud-based analytics technology that could see that information hosted offshore.

“Successfully de-identified data is not personal information, meaning the Privacy Act will generally not apply,” the OAIC confirmed.

The office said it recognised that a lot of big data analytics will naturally involve information collected by third parties to be added into the mix.

It warned users to make sure they keep tabs on third parties to make sure they have met their consent and collection obligations under the Act.

The guide acknowledged that making sure information stored about individuals is up-to-date and accurate at all times - another of the demands set out in the Act - becomes a lot harder once organisations start using big data.

“Verifying big data with an individual involved is impractical,” the office conceded, “however there are other ways to check accuracy."

It urged companies to cover their bases by checking on the practices employed by third parties, and building accountability into tracking how each piece of data was collected or created.

The OAIC is encouraging feedback on the advice until 26 July. The commission is also planning to run a series of workshops and stakeholder seminars to gauge the industry’s stance on the issues.