The Office of the Australian Information Commissioner is calling for submissions on its draft Guide to big data and the Australian Privacy Principles.
The document will not be legally binding or replace the APPs, but will be used by the OAIC as a reference point. As such, some elements of the guide are broad-brush – such as the recommendation not to be “creepy” – while other recommendations are more specific.
Key recommendations in the draft include:
- consider the use of de-identified information, especially where processing data offshore or using offshore-based cloud services;
- perform a privacy impact assessment when developing big data projects;
- perform risk assessments when de-identifying personal information, including in relation to the risk of re-identification;
- implement strategies to ensure that personal information is accurate and up to date, recognising that many big data projects will involve the collection of information via third parties;
- create multi-layered, user-centric privacy notices with dynamic timing;
- include, in the PIA process, information security risk assessments, especially because of the increased risk that arises where large quantities of personal information are held for lengthy periods for data analytics purposes.
The guide takes a process-driven approach to embed privacy compliance into projects and systems from the outset, reinforcing the importance of privacy compliance programs and processes for data.
Submissions are due on 25 July 2016.