The Privacy Act 1988
The Privacy Act 1988 details the Australian Privacy Principles (APPs) that must be complied with by organisations or entities who collect, use, disclose and store Personal Information. These principles therefore apply to both Data Owners and Data Custodians. Appropriately de-identifying this Personal Information (including that contained in data files) renders information that would otherwise be subject to the Privacy Act 1988 into a form that is no longer identifiable. In doing so, it releases the information from the APP restrictions, allowing it to be used or shared more freely. However, de-identification is context dependent, as you will see in the De-Identification section. Therefore, a limited number of the APPs may still need to be considered when determining if the data should be released.
Sensitive Information is considered to be a sub-set of Personal Information under the Privacy Act 1988, and is therefore also subject to the APPs. In fact, more stringent obligations are often placed upon entities who handle Sensitive Information, and it is therefore especially important to protect this data accordingly.
The Privacy Act 1988 does not require the de-identification process to remove the risk of re-identification entirely; in most cases this would make data useless. However, those sharing or releasing the data must reduce the risk to such a level that there is no reasonable likelihood of re-identification. The De-Identification section of the wiki provides additional guidance in this area.
The Data Protections section describes a number of techniques that may be employed to help de-identify data, and therefore to minimise the likelihood of re-identification. If you are unsure as to the best or most appropriate data protection method for your study, you should contact the ADA for expert advice.
Risk Management with respect to the APPs
All of the APPs apply to Personal Information that has not been de-identified. However, as has been mentioned, even following de-identification, in some cases the APPs still need to be considered to minimise the risk of re-identification and disclosure. Specifically, this includes APPs 6, 8 and 11.
- APP6 – Use and disclosure, states that Personal Information can be used or disclosed (shared/released) only for the same purpose for which it was obtained, unless an exception applies. This APP will not typically be relevant in relation to de-identified information, provided that the change in environment associated with its disclosure does not change the status of the information to personal information.
- APP8 – Overseas transfers, prohibits the disclosure (sharing or release) of Personal Information to an entity outside of Australia unless certain steps have been taken. This APP may be equally relevant for de-identified data, preventing its release outside of Australia where there is no control over its use.
- APP11 – Security, states that entities must take reasonable steps to protect Personal Information from ‘misuse, interference and loss’ and ‘unauthorised access, modification or disclosure’. This is probably the most important APP to keep in mind when handling de-identified data. As for all valuable data, de-identified data should, as a matter of risk management, be protected and stored securely to prevent any unauthorised access. This is particularly so in light of the obligations which now apply as a result of the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2016.
Other Specific Privacy Act 1988 Regulations
In addition to the above information regarding de-identification and risk management with respect to the APPs, there are some specific context cases under the Privacy Act 1988 that Data Owners and Data Custodians need to ensure are adhered to. These relate to the specific regulations regarding Tax File Numbers (TFNs), Credit Related Research and Health Information Research.
- TFNs - Data Owners should be aware of the obligations imposed by the Privacy (Tax File Number) Rule 2015 issued under Section 17 of the Privacy Act 1988. An entity is required to take reasonable steps to securely destroy or permanently de-identify TFN information that is no longer required to be retained by law, or is no longer necessary for a purpose under taxation law, personal assistance law or superannuation law.
- Credit Related Research Rule - De-identification obligations for credit reporting bodies and credit providers also apply in relation to credit-related Personal Information. Credit reporting bodies must comply with Section 20M of the Privacy Act 1988, which prevents the use and disclosure of de-identified credit reporting information except when that use and disclosure is for the purpose of conducting research in accordance with the Privacy (Credit Related Research) Rule 2014.
- Health Information for Research for Public Health or Safety Purposes - Entities cannot collect health information about individuals for one of the research or public health or safety purposes permitted under Section 16B(2) of the Privacy Act 1988 if de-identified information would serve the same purposes. If de-identified information would not serve the same purpose (and if other conditions imposed in Section 16B(2) have been met), the entity can only collect the information in accordance with guidelines approved by the Information Commissioner under Section 95A about use of health information for research or public health or safety purposes.
Notes
Privacy Act 1988: https://www.legislation.gov.au/Details/C2019C00025
Australian Privacy Principles:
Privacy Amendment (Notifiable Data Breaches) Act 2016: