EY Law Privacy & Security Update (Oceania)

Transcription

1 EY Law Privacy & Security Update (Oceania) Special Big Data Edition At a Glance Welcome to the July Special Edition of the EY Law Data Privacy & Security Update (Oceania) which aims to keep you current with developments in privacy and information security in Oceania. Still Waters Run Deep: Data Lakes, Big Data, Data Analytics Programs and Privacy Big Data/data analytics is used to reduce fraud, predict outbreaks of disease, further scientific research, in economic modelling, to improve business processes, assist in creating new, innovative and wanted products and to assist governments to allocate scarce resources. However, there is also a perceived dark side to Big Data/data analytics, especially in circumstances where it is considered to be an interference with an individual s privacy or unfair. Australian law does not specifically regulate Big Data or data analytics (i.e. there is no Big Data law). The Privacy Act and the Australian Privacy Principles (APPs), however, generally regulate the collection, use and disclosure of information or an opinion about an identified individual or an individual who is reasonably identifiable (Personal Information) by imposing mandatory notification (or requiring consent in certain circumstances) and other obligations on entities collecting or using such information, including where such is part of Big Data/data analytics programs. Also, and often forgotten in the privacy context, the Australian Consumer Law (ACL) regulates the interaction between business and consumers/individuals, in particular relating to misleading or deceptive conduct and unfair terms. EY Law Privacy & Security Update Special Edition July

2 OAIC guide to big data & privacy As reported in EY s June 2016 Privacy & Security Update (P&S Update), the Office of the Australian Information Commissioner/Privacy Commissioner (OAIC) recently released a consultation draft Guide to big data and the Australian Privacy Principles (Draft Guide). The Draft Guide applies to Big Data/data analytics, traditional data matching and data aggregation activities and to both private sector organisations and Federal Government agencies. Although not legally binding, the OAIC will refer to the Draft Guide (once finalised) and one s compliance with it when considering the range of enforcement activities (and possibly penalties) under the APPs. The Draft Guide is stated to have been developed by the OAIC in order: to facilitate big data activities while protecting personal information. The Draft Guide clearly confirms that the APPs apply to Big Data/data analytics where Personal Information is used. The Draft Guide contemplates, and will assist those new to, Big Data/data analytics programs by single agencies or businesses (even across a group of related companies) predominately using their own data to better know their clients/customers or develop better services or products. However, there are significantly more expansive and complex Big Data/data analytics programs than those contemplated by the Draft Guide currently being undertaken. These include massive data lakes fed by as much (if not more) third party data as the entity s data, with data collected from numerous countries around the globe and global access to the results of the analytics (if not also the original data), with no pre-defined questions or limit on the questions that may be asked. Often, the Big Data is being constantly examined and re-examined to discover insights that may be of interest to the agency or business, irrespective of whether such insights are related to its functions or activities. The Draft Guide also reminds us of the wider agenda of the OAIC: The Draft Guide outlines key privacy requirements and encourages the implementation of the Privacy Management Framework. Taking this approach will embed privacy by design in entities culture, systems and initiatives from the design stage onwards. The Draft Guide thus serves a number of purposes but, as noted in the P&S Update, unfortunately misses the opportunity to address either the (i) more difficult privacy issues arising in relation to the complex Big Data/data analytics programs or (ii) inherent inconsistencies and contradictions between some of the APPs and the raison d etre of many current Big Data/data analytics programs. In this Special Edition of EY s Privacy & Security Update we explore a few of the more difficult privacy issues and inherent inconsistencies with the APPs facing the more complex Big Data/data analytics programs, highlighting the Draft Guide s guidance on such matters (where such exists). What are we talking about? Big Data is the tracking and aggregation of a large volume of data (including Personal Information) from search engine histories, s, sales transaction histories, reward/loyalty programs, app downloads, historical interactions and the like. The Draft Guide notes, citing Gartner s three Vs definition that Big Data is: high-volume, high velocity and/or high variety information aspects that demand cost-effective, innovative forms of information processing for enhanced insight, decision making and process optimisation. The extensive amounts of Personal Information we reveal as we transact online, by carrying our smart devices around or by simply going about our daily lives, together with the significant advances in analytics and computing capabilities, have taken the EY Law Privacy & Security Update Special Edition July

3 relationship between customer profiling, predicting trends and marketing to a significantly higher level, even to where it was just five years ago. Today Big Data/data analytics is capable of tracking movements, behaviours, preferences and predicting the behaviour of individuals and groups and of identifying individuals from anonymous information with unprecedented accuracy. Businesses and agencies are finding more and more ways of combining their data with that of third parties or other agencies (as well as publically available information) in order to analyse more variables and to slice and dice the data in more and different ways. The more access one has to Big Data/data analytics, the better one can target advertising and products or services that match (or rather predict) the specific interests of both existing and potential customers or the needs of individuals. However, in practice, this is often done without clear notice to, let alone with the consent of, the individuals concerned. The collection and use of de-identified information is not regulated by the APPs and businesses and agencies are free to collect, analyse and use such data as they see fit (i.e. without worrying about any obligations under the APPs). In recent years, however, there has been an increasing ability to track (and an interest in tracking) the movements and predicting the behaviour and interests of identified individuals. In the last five years we have seen the growth of the analysis of Big Data with no specific question in mind, simply to look for trends in, or what insights are revealed by, the data itself. Over this time we have also seen the rise of third party or standalone data aggregation and analytics businesses that have little or no direct collection relationship with the individuals whose Personal Information they acquire from third parties and analyse in order to provide data analytics services for hire. Personal information vs de-identified information The concepts of personal information, de-identified information and the applicability of the APPs to Big Data/data analytics appear, on reading the Draft Guide and the face of the APPs, simple enough. In practice, however, the determination of when information is truly de-identified (i.e. not Personal Information) at what stage of the Big Data/data analytics program (including in the results produced) is far from straightforward. The main circumstances in which this de-identified information versus Personal Information issue arises is in the context of: (i) (ii) Unintentional re-identification: the unintentional creation of Personal Information or re-identification of de-identified/anonymous source data due to the combination of data from various sources and the analytics algorithms run; an Optional re-identification: where, even though the data used in the analytics and the results of such analytics appear to be in a de-identified form (at least to the entity running the analytics), one of the entities to which the results of the analytics will be provided has the option (and capacity at little or no additional cost and without difficulty) to re-identify those results (i.e. link them to identified individuals, often being their existing customers) (Option). The Draft Guide does not provide much guidance on this issue, except to say: Where an entity is proposing to de-identify personal information for big data activity they should undertake a risk assessment to consider the risk of re-identification and collection of personal information during or following big data activities If, however, personal information is re-identified during big data activities the Privacy Act regulates how it is to be handled, managed, dealt with and maintained. The OAIC issued its final summary reports in mid-july on its assessments under section 33C (1)(a) of the Privacy Act of the loyalty programs of Coles and EY Law Privacy & Security Update Special Edition July

4 Woolworths (Assessments). However, the Assessments do not advance the thinking on this issue given the conclusion that, despite the contradictory finding that the data analytics is performed primarily to assist targeted (i.e. individual specific) marketing, these loyalty programs only use de-identified information for and in their data analytics programs. (i) Unintentional re-identification Even if the data is de-identified and the business or agency is seeking to track/predict trends or the behaviours of groups rather than identified individuals, the range of current data sources and analytics capabilities are such that the aggregation of different data sets from multiple sources (each of which may be individually de-identified) and the analytics tools available may reasonably enable (if not actually lead to) the re-identification of the individuals who the results information relate to. Of course, as soon as any de-identified information is re-identified or new personal information is created it is Personal Information and its collection, use and disclosure will be subject to the obligations and restrictions imposed by the APPs. As confirmed in the Draft Guide, this conclusion is clear and uncontroversial (although there may be some discussion as to how some of the specific APP obligations apply in the circumstances). However, does this increased likelihood of re-identification mean that all de-identified data used in a data analytics program must always be treated as Personal Information throughout the entire program (i.e. from collection to the providing of the results)? While not the subject of specific guidance in the Draft Guide, we believe not. At least, not in all cases. The circumstances of each data analytics program will need to be considered and a common sense approach taken. That is, if both the nature of the data being used and the questions being asked of the analytics are such as to be more likely than not to lead to personally identified, or reasonably personally identifiable, results then the data should be considered Personal Information from the commencement of (and throughout) the data analytics program. Otherwise, the information will only be Personal Information once it is actually re-identified or created. For example, if the data includes customer data from Bank X and Ultra-Luxury Car Brand Y and the question being asked is how many Bank X customers in suburb Z own an Ultra-Luxury Car Brand Y car and the result is, say, 5 people (and this result was in the expected range), it should be expected that the results would be reasonably identifiable and thus Personal Information at all times. This is because, in the hands of Bank X, the 5 Bank X customers in suburb Z with Car Brand Y can be easily identified or re-identified. On the other hand, analytics to answer how many Bank X customers in Sydney (i.e. all suburbs) are also Supermarket A customers will not necessarily be expected to result in identifiable information (unless Bank X also has access to the Supermarket A s loyalty program Personal Information). (ii) Optional re-identification Where an Option is built in to the data analytics program, even if for only one entity ( Entity A ) and only after the analytics have been completed and the results provided to Entity A, this will result in the data being Personal Information throughout the entirety of the program for all participants. This is because the definition of personal information for the APPs includes information that is about an individual that is reasonably identifiable. Whether the information is reasonably identifiable is not limited to being identifiable only (i) from that information itself, (ii) by the entity holding that information or (iii) at that immediate point in time. Where an Option exists, it is therefore difficult to justify EY Law Privacy & Security Update Special Edition July

5 treating the information as de-identified during the data analytics program and then, suddenly, Personal Information only once the results are back in the hands of Entity A. The fact that it is known from the beginning that the information provided as the results of the data analytics program can be easily re-identified by Entity A (if it wishes to) means the information must, by definition and from the commencement of the analytics program (and at all times throughout it), be information that is about a reasonably identifiable individual and thus Personal Information. The information is thus never de-identified (for the purposes of the APPs) where the Option exists because it is always reasonably identifiable by Entity A from the outset and thus must be treated as Personal Information in all participants hands from collection of the information, through processing to provision of the results to Entity A. The consequence of the above analysis for the optional re-identification analytics programs (i.e. where an Option is built in) is that the APPs and all privacy obligations will apply (and need to be considered and addressed) from the outset of the program (i.e. from collection onward) to all participants at all times. That is, the APPs will apply to the collection, use, holding and disclosure of the purportedly de-identified information by the entity undertaking the analytics (Processor), all entities disclosing such information to the Processor and, possibly, all entities receiving the results of the analytics from the Processor. Can we only collect personal information directly from individuals? No, but the issue is how much (i.e. what percentage of) Personal Information can one collect other than directly from the individual (i.e. via third parties)? As the Draft Guide confirms: Unless it is unreasonable or impracticable APP 3 also provides that personal information must be collected from the individual concerned. This does not mean that one cannot collect any Personal Information from third parties. The Draft Guide recognises that some [information] will be collected from other entities (that is, third parties). However, the APP 3 obligation is to only collect Personal Information directly from the relevant individual, unless the exception applies. In order to collect Personal Information other than directly from the individual it must be impracticable or unreasonable to collect that Personal Information directly from that individual, not simply more difficult or more costly. Inconvenience, cost (both time and money) and difficulty will only make direct collection impracticable or unreasonable if this burden is excessive (not simply more costly or more difficult relative to acquiring the Personal Information via a third party). The Draft Guide does not contemplate a situation where there is no direct collection relationship at all with the individual whose Personal Information one is collecting/using. That is, where none of the Personal Information is collected directly from the individual by the entity and all of it is collected via third parties. This is consistent with guidance in the OAIC s APP Guidelines dated 1 April 2015 which also speaks in terms of when it is unreasonable or impracticable to collect all Personal Information directly from the individual (i.e. assuming some of it will be collected directly from the relevant individual). There is no discussion of when it may be unreasonable or impracticable to collect any of the Personal Information directly from the relevant individual. This raises some doubt whether businesses may only use Personal Information that other entities (i.e. third parties) have collected (i.e. where they have collected none of that Personal EY Law Privacy & Security Update Special Edition July

6 Information from the relevant individual). At least for agencies the APPs specifically provide that they may obtain consent in order to be able to do this. In addition, as regards consumer individuals, a term in a third party s privacy policy or terms and conditions allowing that party to disclose an individual s Personal Information to whomever it likes (often unnamed) for whatever purpose it likes (not being to facilitate the disclosed purpose for which that party collected it), may be an unfair term under the ACL and thus void (i.e. not sufficient notice or consent, as the case may be). When is mandatory notice and/or consent to collect personal information required? If Big Data held by an agency or business includes Personal Information (including deidentified information which is reasonably capable of being re-identified), APP 5 requires that notice of certain mandatory matters (such as the purpose for collection and the types of entities to which it is likely to be disclosed) be provided to those individuals at or before the time of collection or, if this is not practicable, as soon as practicable after collection of their Personal Information. A focus of the Assessments was compliance with APP 5. While making some suggestions for improvement, the OAIC found both loyalty programs met the requirements of APP 5. In the Assessments the OAIC states: APP 5 requires an APP entity that collects personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to ensure the individual is aware of those matters. This obligation is not avoided if you do not collect directly from the individual, collection of Personal Information via a third party also triggers this obligation. APP 5.2(b) specifically requires one to take reasonable steps to notify individuals whose Personal Information is collected from other than the individual of that fact and the circumstances of that collection, in addition to the other mandatory matters required to be notified. In our experience, the general understanding and application of the mandatory notice obligations under APP 5 (that is, what steps are reasonable in the circumstances to notify the individual or otherwise ensure that the individual is aware of the mandatory matters) are sorely lacking. The common default position, that any level of cost or inconvenience involved in notification and/or collection from a third party automatically makes it unreasonable to notify the mandatory matters, is simply not supported by APP 5. There will almost always be an additional cost and/or difficulty in notifying individuals whose Personal Information one has collected from a third party. However, this does not automatically or necessarily make it impracticable or that all and any steps to notify those individuals of the mandatory matters or otherwise ensure that the individual is aware of such matters are unreasonable. The Draft Guide notes: An entity is not excused from taking particular steps by reason only that it would be inconvenient, time consuming or impose some cost. If any of the information collected (directly or via a third party) is sensitive information (such as health information, criminal convictions, race, sexual orientation or biometric information) then the prior consent of the individual will be required. Unless otherwise required or authorised by law, entities must only (i) collect (whether directly or via a third party) sensitive information if the individual consents to the collection and (ii) use it for the purpose(s) consented to by that individual. This obligation to obtain consent is not subject to any reasonable steps, impracticable or unreasonable EY Law Privacy & Security Update Special Edition July

7 qualification and applies even where the sensitive information is collected via (i.e. acquired from) a third party. Are there limits on the personal information that can be collected? APP 3 requires that entities only collect Personal Information that is reasonably necessary for one or more of the entity s functions or activities, whether such information is collected directly or via third parties. As the Draft Guide notes (unfortunately without providing further guidance): For big data, this requires entities to consider what personal information is reasonably necessary and for what purpose. This may appear to challenge the big data concept of using all the data for unknown purposes. A private sector organisation s functions and activities are usually those described on its website, in its annual reports, advertising materials and product disclosures statements. That is, what the organisation is known for, the goods or services it sells or provides. Clearly, Personal Information cannot be collected for data analytics (either directly or via third parties) which is not reasonably required for an actual function or activity of the entity. However, if Personal Information is legitimately collected for an actual function or activity, can obtaining consent for the additional purpose of ongoing indefinite data analytics legitimise (i) using such information for general ongoing data analytics and (ii) keeping it indefinitely? Is data analytics a legitimate purpose for collection? The analysis above (and assuming that the Personal Information is reasonably required for a function or activity of the entity) leads us to question if one can avoid the deidentification obligation of APP 11.2 (as to which please see discussion below) simply by making data analytics an additional purpose for collection of the Personal Information. That is, is including ongoing data analytics as a generic purpose in the privacy policy or collection statement good enough to allow the Personal Information to be kept indefinitely? Where the ongoing data analytics is linked to one or more of the entity s ongoing core functions or activities for which the individual is engaged with the entity (i.e. the purpose for collecting the Personal Information in the first place) it is possible that keeping the Personal Information for such a purpose may be justified. Although, once used for related cored function analytics purpose (if the core function purpose is exhausted and not ongoing), the de-identification obligation would still arise unless, somehow, the analytics purpose could be an ongoing requirement. Where the analytics bears no relation to the original purpose for collecting the Personal Information in the first place (i.e. the transaction or interaction with the individual), it seems difficult to justify keeping the Personal Information indefinitely for such ongoing and unknown general data analytics. Also, any term of a privacy policy or terms and conditions with a consumer individual that purports to give a business this generic and indefinite data analytics right may be void under the ACL as an unfair term. In the latter case, if one wishes to keep the Personal Information indefinitely for general data analytics, consideration should be given to a consent model which, subject to transparency requirements and refreshing the consent from time to time, may provide the necessary justification for keeping the Personal Information indefinitely and also avoid it being an unfair term under the ACL. Unfortunately, the Assessments do not advance the guidance on this issue. EY Law Privacy & Security Update Special Edition July

8 The question remains whether consent, even if refreshed from time to time, can override the APP 11.2 obligation to de-identify Personal Information. While it probably will, where informed consent is obtained and refreshed from time to time, we believe it unlikely that a one off consent to general or unknown data analytics at the time of collecting the personal information will allow the Personal Information to be kept indefinitely and will likely be an unfair term under the ACL. The obligation to delete or de-identify under app 11.2 The Draft Guide reminds us that: When an entity no longer needs personal information for any purpose for which it may be used or disclosed under the APPs (and the information is not legally required to be retained by the entity) the entity should [sic] destroy or de-identify the personal information. An entity must take reasonable steps to destroy or deidentify the personal information. Where personal information is retained, entities should [sic] be able to justify the retention of the personal information. The obligation under APP 11.2 is that entities must take such steps as are reasonable in the circumstances to delete or de-identify such personal information (i.e. not should ). However, the bigger issue in the Big Data/data analytics context is how one reconciles this APP 11.2 obligation with the inherently contradictory desire of Big Data/data analytics programs to keep historical Personal Information (including deidentified data that is capable of being re-identified) indefinitely. Rather surprisingly, the obligation under APP 11.2 was not considered at all by the OAIC in the Assessments. Personal Information must be de-identified if an entity wishes to keep it beyond that time necessary for use for the notified purpose(s) for which it was collected and any legal requirement to keep it in an identified form. While far from clear we believe, in the circumstances of the unintentional re-identification noted above, that the deidentified information (even though such may be unintentionally re-identified at a later time) will meet this obligation. However, in the circumstances of the optional re-identification, the information should not be considered to be de-identified and holding such Personal Information after having used it for the notified purpose(s) of collection and once any legal requirements to keep it have expired will not comply with the APP 11.2 obligation to de-identify the Personal Information. The consequence of this analysis in respect of the optional re-identification analytics programs is that the apparently de-identified Personal Information will be subject to the APP 11.2 obligation to delete or actually de-identify it (i.e. so no one has the Option to re-identify the information) once it has been used for the notified purpose(s) for collection and any legal requirements to keep it in an identified form have expired. Practical tips! In the absence of specific regulation and given the limited practical guidance from the OAIC in the Draft Guide, businesses and agencies can adopt a number of best practice steps to minimise the risks of their Big Data/data analytics programs infringing the APPs. Specifically, businesses and agencies can: Audit existing databases to determine what Personal Information they collect and hold, the notified purpose(s) for collection and whether they are (or are likely) to track and aggregate such information for data analytics programs, marketing purposes or purposes other than those notified purposes for which the information was originally collected. Knowing what you have and how you use it is the first step to compliance. EY Law Privacy & Security Update Special Edition July

9 Examine the Big Data used and determine if information that is currently in a deidentified form is more likely than not to be re-identifiable by combination or through analysis and, if so, review original notified purposes and/or consents obtained at the time of collection of that information. Focus on transparency by providing continuous notification each time there is a change in practices around collection, use (e.g. new analytics programs) or disclosure of Personal Information. Such notification should clearly set out the main ways in which the new practices are likely to impact individuals. Greater transparency should decrease potential fall-out from unexpected use of Personal Information as part of any Big Data/data analytics programs. Ensure the privacy policy/collection statement is clear, concise and reader friendly. Mobile websites and apps should contain a short form privacy notice (ideally no longer than one or two screens) which is easy to locate and which must be viewed before the individual can submit any Personal Information or consent to its use for any specific data analytics purposes. Adopt continuous and flexible consent regimes where a business or agency wishes to keep Personal Information indefinitely and/or use Big Data for marketing activities. For example, require individuals to re-consent periodically to ensure their consent is current. Consider disentangling notice/consents relating to uses of Personal Information which are not essential to the purchase of the goods or services or the interaction with the agency from the remainder of the purposes/privacy policy so that individuals can choose to consent to essential and non-essential uses separately. In such cases, consider incentivising the consent for non-essential uses (e.g. a loyalty program for a renewed data analytics consent). Ensure internal and external handling of Personal Information practices are in line with the guidance documents issued by the OAIC (including the Guide to Information Security and the Draft Guide). We can help! Please do not hesitate to contact EY if we can be of any assistance with the issues raised in this month s Update or if we can assist you with any other privacy or information security issues, risk identification or management, compliance and/or implementation. Contact Alec Christie Sydney Partner EY Law Digital Law Tel: alec.christie@au.ey.com Paul Clarke Melbourne Director EY Law Digital Law Tel: paul.clarke@au.ey.com EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, law, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. For more information, please visit Ernst & Young, Australia. All Rights Reserved. SCORE NO: AU EY Law Privacy & Security Update Special Edition July This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Ernst & Young disclaims all responsibility and liability (including, without limitation, for any