Oceania privacy & security update: private sector data matching


For some time we have seen a growing number of Federal Government agency data matching programs and increasing community privacy concerns being raised as a result. This culminated in specific laws for data matching using Tax File Numbers and mandatory guidelines for data matching using certain health information (DM Rules) being introduced. Also, in June 2014, the Office of the Australian Information Commissioner (OAIC) issued revised voluntary “Guidelines for data matching in Australian Government Administration” (Guidelines) which are recommended for all agency data matching programs not specifically falling under the DM Rules.

While many see the DM Rules as restricting the data matching activities of agencies, others view the DM Rules and the Guidelines as the legal basis or framework within which agencies are permitted to undertake data matching programs. Many also see the failure to legislate or issue guidelines on data matching by private sector organisations as a conscious policy decision (i.e. a decision not to provide the leeway that is given to agencies). In any case, private sector data matching (where data from organisations and/or sources other than the organisation doing the data matching is compared in order to find matches) is becoming much more prevalent.


Is private sector data matching allowed at all?

Given the DM Rules had to be introduced to enable the Federal public sector to engage in data matching, some argue that without its own set of enabling guidelines or specific legislation there is no general right for the private sector to engage in data matching. However (and while there are significant privacy issues to overcome), as data matching is not expressly prohibited by the Privacy Act and Australian Privacy Principles (APPs), we believe the better view is that private sector data matching is permissible.

What law applies to private sector data matching?

The DM Rules and the Guidelines do not apply to the private sector (i.e. ‘organisations’). Private sector data matching activities fall to be considered under the APPs. While the Guidelines provide a good indication of the OAIC’s thinking on data matching programs and privacy generally (and we recommend that all private sector organisations review the Guidelines prior to implementing a data matching program), until specific private sector guidelines are introduced, private sector data matching programs must be assessed against, and comply with, the APPs. While circumstances and specifics vary markedly between different proposed data matching programs, we highlight below the main privacy issues we have seen arise in respect of private sector data matching programs.

Threshold questions!

The four threshold questions that must be addressed for all private sector data matching programs are:

a) Is the personal information (including re-identified data) to be collected by the organisation reasonably necessary for one or more of the entity’s functions or activities (APP 3.2)?
b) Does the purpose stated for collection (at the time of the original collection) of the personal information allow/permit data matching and the proposed related uses (APP 6.1)?
c) Is the personal information (including re-identified data) collected ‘by lawful and fair means’ (APP 3.5)?
d) For any personal information not collected directly from the individual, is it truly ‘unreasonable or impracticable’ (as such terms are understood in privacy law: that is, not simply more convenient and/or cheaper) to collect that personal information directly from the individual?

Notification/consent obligations

Of course, if any ‘sensitive information’ is to be collected (or re-identified) or used as part of the data matching program then the specific consent of the individual to such is required (APP 3.3 and APP 6.2). Given the way ‘sensitive information’ is treated under the APPs, the relevant consents need to be specific consents to data matching and the proposed related activities. Also, we query how long such a ‘consent’ will last.

For non-sensitive personal information APP 5.1 requires that, at or before (or, if not practicable at that time, as soon as practicable after) the collection of the personal information:

“the entity must take such steps (if any) as are reasonable in the circumstances:

a) to notify the individual of such matters referred to in [APP] 5.2…; or
b) to otherwise ensure that the individual is aware of any such matters.”

For personal information (or data that is later re-identified) originally collected from a third party, the organisation has its own separate and independent privacy obligations that it is required to meet (including as to notification) once it receives (or re-identifies) that personal information. It cannot rely on the fact that the third party complied with its own privacy obligations when originally collecting the information. There are workarounds relying on APP 5.2(b), but all too often the wrong analysis is applied and organisations wrongly believe they have no further notification obligation under the APPs, either:

a) because it is difficult or costly to notify the individuals; or
b) because the third party notified the relevant matters in APP 5.2 in respect of that third party’s own collection of the personal information.

If data can be re-identified, is it ever ‘not personal information’?

‘Personal information’ is defined in s.6 of the Privacy Act as:

“information or an opinion about an identifiable individual, or an individual who is reasonably identifiable…”

This does not require that the individual be identifiable from the information or opinion in question alone, or that re-identification has actually occurred; it requires only that he/she is reasonably identifiable by the organisation or any other person by whatever reasonable means. Given the real risk/probability of re-identifying anonymous/de-identified data (through data analytics, for example), the information may be considered reasonably identifiable at some point in the process, and so it could be said that it is always personal information (under the definition in the Privacy Act) for the purposes of the APPs. If so, any de-identification or anonymisation strategy employed to minimise the impact of the APPs, or to avoid the need for compliance with the APPs, will be of questionable value.

Using government identifiers – just don’t do it!

As tempting as it may be, organisations may not adopt a government identifier of an individual as their own identifier for that individual or use such a government related identifier in their data matching programs, unless a limited specific exemption applies (APPs 9.1 and 9.2). We suggest that a practical, rather than literal, approach be taken as to whether a government related identifier identifies (or may identify) an individual.

Contact EY Digital Law Partner, Alec Christie