What is personal information?
Personal information is information or an opinion, including information or an opinion forming part of a database, about an individual whose identity is apparent or can reasonably be ascertained. Information about a company is not personal information, and neither is information about a deceased person.3
What are the privacy principles?
The privacy principles are set out in the IP Act and regulate how agencies collect, store, use and disclose personal information. The privacy principles also include specific rules about the transfer of information outside Australia and how contractors to government handle personal information.
What is data analytics?
Data analytics is the process of examining data sets in order to draw conclusions about the information they contain. It involves processes that include analysing existing datasets and extracting new insights into various patterns, relations, and connections.
When an agency wants to use data analytics on data that includes personal information, regardless of whether that personal information was collected by the agency or not, there can be significant privacy challenges.
Should I use de-identified data?
The privacy principles only apply to personal information, which is information that can be linked to an identifiable individual. If the information can be de-identified, or broken down into aggregated unidentified data, such as statistics, then it will no longer be personal information and the privacy principles will not apply.
Agencies considering data analytics projects that use data containing personal information may want to consider whether de-identified data could be used. De-identifying personal information enables it to be used, shared, or made publicly available without the agency having to consider compliance with the privacy principles4.
It is important to note that de-identification is a risk-management exercise, not an exact science. De-identified datasets always carry some risk of re-identification. A dataset that contains no obvious identifiers can still be linked with other datasets, or subjected to deeper analysis, in a way that allows individuals to be re-identified. Agencies should refer to the Privacy and De-identification Guideline for more information.
It is recommended that agencies seek specialist expertise when undertaking a de-identification exercise, particularly if the de-identified information is to be made public.
For some data analytics activities, however, de-identified data may not be suitable. Where datasets contain personal information, agencies must comply with the privacy principles.
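The linkage risk described above can be made concrete. The following is an added, constructed example; it is not part of the original guideline and the records in it are invented, not drawn from any agency dataset. It shows a small release with names removed but postcode, birth year and sex kept at full precision, links it to an auxiliary list an outside party could plausibly hold, and reports which people are re-identified exactly. It then measures k-anonymity (the smallest group of records sharing the same quasi-identifier values) and shows how a coarser release, with postcode truncated and birth year reduced to a decade, removes the exact matches. Field names, the generalisation rules and the choice of quasi-identifiers are assumptions for illustration.

```python
"""Linkage re-identification and a k-anonymity check on a constructed dataset.

Every record here is constructed for illustration only.
"""
from collections import Counter
from typing import Dict, List

# A "de-identified" release: names and addresses removed, but the
# quasi-identifiers postcode, birth year and sex kept at full precision.
RELEASED = [
    {"postcode": "4000", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "4000", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "4001", "birth_year": 1971, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "4005", "birth_year": 1978, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "4005", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "4006", "birth_year": 1995, "sex": "F", "diagnosis": "arthritis"},
]

# An auxiliary dataset a third party could hold (e.g. a club membership list).
AUXILIARY = [
    {"name": "A. Example", "postcode": "4001", "birth_year": 1971, "sex": "M"},
    {"name": "B. Example", "postcode": "4005", "birth_year": 1978, "sex": "M"},
    {"name": "C. Example", "postcode": "4000", "birth_year": 1984, "sex": "F"},
    {"name": "D. Example", "postcode": "4006", "birth_year": 1995, "sex": "F"},
    {"name": "E. Example", "postcode": "4002", "birth_year": 1960, "sex": "M"},
]

# Assumed set of quasi-identifiers: fields that are not identifiers on their
# own but, combined, narrow a record down to one person.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def qi_key(record: dict, fields=QUASI_IDENTIFIERS) -> tuple:
    """The quasi-identifier tuple that groups a record into its equivalence class."""
    return tuple(record[f] for f in fields)


def equivalence_classes(records: List[dict], fields=QUASI_IDENTIFIERS) -> Counter:
    """Count how many released records share each quasi-identifier tuple."""
    return Counter(qi_key(r, fields) for r in records)


def k_anonymity(records: List[dict], fields=QUASI_IDENTIFIERS) -> int:
    """k = size of the smallest equivalence class; k == 1 means some record is unique."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def link(released: List[dict], auxiliary: List[dict],
         fields=QUASI_IDENTIFIERS) -> Dict[str, List[str]]:
    """For each named person in the auxiliary data, list the sensitive values of
    every released record with the same quasi-identifiers. A single match
    reveals that person's diagnosis exactly."""
    by_class: Dict[tuple, List[str]] = {}
    for r in released:
        by_class.setdefault(qi_key(r, fields), []).append(r["diagnosis"])
    return {a["name"]: by_class[qi_key(a, fields)]
            for a in auxiliary if qi_key(a, fields) in by_class}


def exact_reidentifications(released: List[dict], auxiliary: List[dict],
                            fields=QUASI_IDENTIFIERS) -> List[str]:
    """Names whose quasi-identifiers match exactly one released record."""
    return sorted(name for name, diagnoses in link(released, auxiliary, fields).items()
                  if len(diagnoses) == 1)


def generalise(record: dict) -> dict:
    """Coarsen quasi-identifiers: postcode to its first three digits, birth year
    to its decade. Works on released and auxiliary records alike, because an
    adversary linking against the coarser release must coarsen their own data too."""
    g = dict(record)
    g["postcode"] = record["postcode"][:3] + "x"
    g["birth_year"] = record["birth_year"] // 10 * 10
    return g


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(RELEASED))
    print("exactly re-identified  :", exact_reidentifications(RELEASED, AUXILIARY))
    gen_released = [generalise(r) for r in RELEASED]
    gen_auxiliary = [generalise(a) for a in AUXILIARY]
    print("k after generalisation :", k_anonymity(gen_released))
    print("exactly re-identified  :", exact_reidentifications(gen_released, gen_auxiliary))
```

Run as written, the full-precision release has k = 1 and three of the five auxiliary names link to exactly one record, so their diagnoses are disclosed; the generalised release has k = 2 and no exact matches. A k of 2 is still weak, and k-anonymity alone does not prevent disclosure when every record in a class shares the same sensitive value, which is one reason the guideline treats de-identification as risk management rather than a guarantee and recommends specialist advice before publication.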
Using and disclosing personal information
Under IPP 10 and NPP 2 an agency can only use personal information for the purpose for which it was collected unless one of the exceptions applies. Under IPP 11 and NPP 2, an agency cannot disclose personal information outside the agency unless one of the exceptions applies.
The exceptions include that the use or disclosure is necessary for conducting research in the public interest5.
For health agencies this exception applies to health information only. Health information means:
- personal information about the individual's health or disability at any time, the individual's expressed wishes about the future provision of health services to them, or a health service that has been provided, or is to be provided, to them; or
- personal information about the individual collected for the purpose of providing, or in providing, a health service; or
- personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual's body parts, organs or body substances.6
Limits of authority
The IP Act is intended to operate subject to the provisions of other Acts relating to the use or disclosure of personal information, such as the Child Protection Act 1999 or the Hospital and Health Boards Act 2011. This means that the ability to disclose information under the privacy principles does not override legislation that prohibits disclosure.
An agency intending to disclose data containing personal information to another agency or private entity should consider whether there are any other legislative provisions that may apply.
What does in the public interest mean?
Research in the public interest would commonly involve something beneficial to the well-being of society as a whole, or a specific segment of it, with an emphasis on areas for which the government has responsibility.
If an agency's data analytics project seeks to improve the way government policies are developed or government services are delivered, it would likely fall into this category.
More information on using and disclosing data for public interest research can be found in the use and disclosure for public interest research guidelines7.
Do I need to let people know about the data analytics activities?
When an agency collects personal information from the individual it is about, it must take all reasonable steps to provide that individual with certain information8. These obligations are generally referred to as a collection notice, and require an agency to make an individual generally aware of:
- why their personal information is being collected
- details of any law that allows or requires the collection; and
- any entity to whom it is the agency’s usual practice to give the information.
These requirements may be challenging for some data analytics activities: it may be difficult to clearly and specifically articulate the objectives and/or results and in some cases they may be unknown or unexpected, but agencies will still need to comply to the best of their abilities.
As a general rule, where personal information is being used for research, it should be done with either the individual's agreement or their reasonable awareness.
Agreement is one of the primary exceptions under IPPs 10 and 11 and NPP 2, and is the preferred approach to research using personal information about individuals.
When collecting information that may have research value, agencies may want to consider any future research needs at the time it is collected, as its potential use for future research can be built into collection notices provided under IPP 2 or NPP 1. Mentioning research in every collection notice as a matter of course is not an acceptable approach, but where an agency has identified that the information may have a legitimate future research use, it should take the necessary privacy steps to account for it.
If the research becomes more than one-off or occasional9, for example, when an exploratory data analytics project that uses personal information transitions into a regular and constant activity, collection notices must be updated to reflect that research is now one of the primary purposes of collection.
Limits on Disclosure
Where non-health agencies disclose information under one of the exceptions in IPP 11, they must take all reasonable steps to ensure the receiving entity does not use or disclose it for a purpose other than the one for which the agency disclosed it. One way to meet this obligation is to establish a binding instrument with the receiving entity that limits its use and disclosure of the information.
The Queensland Government Chief Information Office (QGCIO) Information sharing authorising framework (ISAF) provides guidance and advice for agencies seeking to establish and manage an information sharing activity across Queensland Government.
What if I want to outsource data analytics activities?
If an agency is considering outsourcing data analytics activities that involve personal information, it must take all reasonable steps to ensure the contracted service provider is bound to comply with the privacy principles.
Once bound, the contracted service provider is responsible for complying with the relevant privacy principles. If the contracting agency does not take all reasonable steps to bind the contracted service provider, the contracting agency remains responsible for any breach of privacy arising from the provider's actions.
For more information about the privacy considerations when outsourcing, please see OIC’s guidance on the privacy considerations when entering into a service arrangement.
Security of personal information
The privacy principles require agencies to ensure they apply appropriate security protections to the personal information they control.10 This means that, even where documents are being held by another body or person, if the agency has the ability to exercise control over them it must take the steps necessary to ensure they are protected.11
In most cases, agencies will already have safeguards in place to appropriately protect the personal information they hold. The same security considerations should apply to analytical data derived from that personal information, such as extracts, merged datasets or transformed copies, which may be a variation on what the agency already holds.
Access to agency personal information holdings for data analytics purposes should be limited both to those who have a business need to do so, and to the specific information required.
Can I use cloud services for data analytics activities?
In some cases, agencies may consider carrying out data analytics using overseas-based cloud services. Agencies will need to carefully consider steps that may need to be taken to ensure compliance with overseas transfer obligations under section 33 of the IP Act.
Privacy by Design
Privacy by design is an approach that builds in privacy up front—into the design specifications and architecture of new technologies and business processes. It makes privacy an integral component of the functions being delivered.
A privacy impact assessment (PIA) is an assessment tool that can map the data flows involved in a project to make sure that data can be collected, used, processed, stored and shared in a manner in line with an agency’s privacy principle obligations.
If there are any conditions that need to be met or safeguards to be put into place, a PIA can help identify them and ensure the necessary measures are adopted in the project plan.
A PIA can also clearly identify the benefits associated with a data project so that risk mitigation measures can be evaluated with the benefits of the project in mind.
Some key questions a PIA can consider include:
- Does the project involve any new or changed ways of handling personal information?
- Is the project likely to have a significant impact on individuals?
- Does the project involve datasets that have been matched or combined, for example involving data from different projects set up for different purposes?
- Is the project likely to be perceived as privacy intrusive?
As the objectives and purpose of the data analytics project shift, new privacy considerations may emerge. Agencies will need to keep reviewing the PIA to confirm that the privacy safeguards are working as expected and to decide how emerging risks will be addressed.
For more information, refer to Privacy Impact Assessments.
- 1 Agency includes a Minister.
- 2 Which include the National Privacy Principles (NPPs) for health agencies and the Information Privacy Principles (IPPs) for all other agencies.
- 3 Refer to What is Personal Information for more information.
- 4 Refer to OIC’s Privacy and De-Identification Guidelines
- 5 Under IPPs 10(1)(f), 11(1)(f), and NPP 2(1)(c).
- 6 Schedule 5, IP Act.
- 7 Use or disclosure for public interest research for the IPPs and Health agencies - use or disclosure of health information for research for the NPPs.
- 8 IPP 2 and NPP 1.
- 9 Relying on the exceptions in the privacy principles.
- 10 IPP 4 and NPP 4.
- 11 Refer to OIC’s Guidelines on Protection and Security of Personal Information
Current as at: July 19, 2019