The Improbability of Privacy Act Compliance, Pt 3

One of the biggest challenges privacy regulators face is the onset of 'Big Data' — the hoovering up of large unstructured datasets for analysis at insanely affordable prices.

In amending Australia's Privacy Act, the Office of the Australian Information Commissioner (OAIC) has studied this trend in detail.

But after discussing the Act with a panel of experts for our best practice report, it's hard to see how organisations embarking on such data capture exercises are going to find it easy to comply.

As I briefly touched on in the close of yesterday's blog post on how the Privacy Act treats offshore cloud computing, a key theme of the amendments is a strengthening of requirements around user consent.

The amended Act requires the express, informed consent of a user at the point personal information is collected, with clear communication on the intended purpose for collecting the information.

The amendments also introduce the concept of keeping consent relevant.

"Obtaining consent for a service ten years ago for everything you might want to do with the data today might not cover a new process, for say the outsourcing of a call centre to the Philippines," noted Mark Vincent, partner at ShelstonIP and co-author of our forthcoming report. "You may need to revisit that consent."

The amendments also require organisations caught by the Act (those with revenues over $3 million) to offer customers the ability to demand what data an organisation holds on them, and ask for it to be corrected or deleted. We'll touch on this further in tomorrow's blog post.

Finally, the amended Act requires organisations to delete data once it has been used for the purpose it was collected. If contact details are collected for a competition, for example, and a winner is chosen, the expectation is that the data will be deleted. If address data was collected specifically for delivery of a product purchased online, and the goods have been delivered, the Act suggests the data should subsequently be deleted.

In my view, if an organisation were to comply with the amended Act to the letter, marketers can just about kiss any 'Big Data' plans goodnight.

"The whole industry of Big Data is how to get value out of or monetise 'useless' information," noted InfoSec specialist Paul Steen at our roundtable. "It's all about the data that has been considered useless since the beginning of IT. And now there is this entire industry that says, 'Hang on a bit — this is all very valuable information'.

"So, what defines if data is not useful anymore? We obviously don't know what data is important. Yesterday, the data we thought wasn't important is today worth millions of dollars.

"Data is always useful. You can make an argument that I can always find a use for data. So do I make my consent clause broad and open-ended?"

Unfortunately, the Privacy Commissioner has already stated that broad and open-ended approaches to collecting consent will be frowned upon in any audit. It won't please the Office of the Australian Information Commissioner (OAIC) to see something as generic as, 'We may choose to use your data to improve our services over time'.

Neither is the traditional "clickwrap" approach taken by most US-based online services going to cut it (they are bound by the Privacy Act if they have any operations in Australia or a link to Australian customers).

The Commissioner has stated that he does not look well upon coupling consent with permission to use the service or bundling consent up with a large number of other terms and conditions in a long and arduous agreement few users would be likely to read.

Vincent nonetheless offers that with the right approach to consent, future use of customer data might still be considered.

"Express" and "informed" consent would be best sought from a customer in a brief, standalone format (rather than bundled with other conditions) and, if necessary, linked to a longer privacy policy.

Our report recommends stating a primary and secondary purpose when obtaining consent, to cater for future uses of the data, and building systems that record consent information and auto-generate triggers for when consent ought to be revisited.

Attendees at our roundtable noted that building consent into new systems and processes is simple enough, but is a "nightmare" for customers with hundreds of legacy systems.

The rules about consent are "not about limiting your activity," Vincent said. "It is simply an obligation to be transparent about what you're doing."

To Delete or to Destroy?

Australian Privacy Principle (APP) 11 requires an organisation to destroy or de-identify personally identifiable information (PII) when it is no longer needed for any purpose for which it was collected.

"This 'destruction' obligation can be expensive and problematic where IT systems are not designed to allow compliance," Vincent noted. "Simple 'deletion' is not enough if the data can be retrieved.

"Consider, for example, destruction of all of an individual's PII across legacy systems or destruction or de-identification of all instances of particular information across distributed cloud architecture, including from backup and archive systems. Do your cloud contracts allow you to comply with these privacy obligations?"

Vincent also notes that like obligations in the amended Act concerning transborder data flow, the legislation graciously allows for some 'get out of gaol' cards.

"There might be competing regulations that insist you keep the data," he said. "If there is competing legislation — such as retaining data for taxation or litigation purposes — this can be considered over some obligations under the Privacy Act."

Organisations confident in their IT security posture are likely to wager that — with a well-crafted approach to consent at the point of data capture — they can only really come unstuck in the unlikely event of an OAIC audit or a severe breach of PII data that is played out in public.

I expect the requirement to destroy or de-identify data might be more honoured in the breach than the observance.
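The consent register recommended earlier and the APP 11 disposal rule with its competing-legislation exception can be expressed as one set of triggers. The following is an added example, not code from the report or the OAIC; the record fields, purpose labels and action names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ConsentRecord:
    subject_id: str
    primary_purpose: str
    secondary_purposes: set = field(default_factory=set)
    fulfilled: set = field(default_factory=set)    # purposes already served
    legal_holds: set = field(default_factory=set)  # competing retention duties

    def covers(self, use):
        return use == self.primary_purpose or use in self.secondary_purposes

def triggers(rec, proposed_uses=()):
    """Return (action, reason) pairs the record currently calls for."""
    out = []
    # A use outside the stated purposes means consent has to be revisited.
    for use in proposed_uses:
        if not rec.covers(use):
            out.append(("REVISIT_CONSENT", use))
    # Once every stated purpose is served, the data is due for disposal
    # unless another law requires it to be kept.
    stated = {rec.primary_purpose} | rec.secondary_purposes
    if stated <= rec.fulfilled:
        if rec.legal_holds:
            out.append(("RETAIN_UNDER_HOLD", ", ".join(sorted(rec.legal_holds))))
        else:
            out.append(("DESTROY_OR_DEIDENTIFY", "all stated purposes served"))
    return out

# Constructed sample records (hypothetical labels, not real data).
COMPETITION = ConsentRecord("cust-001", "competition_entry",
                            fulfilled={"competition_entry"})
ORDER = ConsentRecord("cust-002", "product_delivery",
                      secondary_purposes={"warranty_contact"},
                      fulfilled={"product_delivery"})
INVOICE = ConsentRecord("cust-003", "billing",
                        fulfilled={"billing"}, legal_holds={"taxation"})

if __name__ == "__main__":
    print(triggers(COMPETITION))
    print(triggers(ORDER, proposed_uses=["offshore_call_centre"]))
    print(triggers(INVOICE))
```

The disposal action only names what is due; carrying it out across backups, archives and cloud copies is the hard part the quoted passage describes.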

InfoSec writer Darren Pauli posits that the value in personal information after its initial use might actually be in the metadata rather than the PII component.

"Instead of destroying the data, can you simply de-identify data at the point at which it has been used for the purpose it was collected? If there is value in the metadata, can you simply de-couple that from the name?"

It's a wise suggestion — provided, as we discussed a few days back, that you can be assured that data can't later be re-identified.

Tomorrow I'll dive into one more problematic area of the amended Act.
