Balancing Data Use and Disclosure with Privacy: Issues Organisations Must Consider
Accessing data for potentially unauthorised purposes has been hitting the headlines recently as various state police agencies have attempted to access contact tracing data without a warrant to help solve crimes. This practice raises significant issues for individuals, businesses, and regulators as the world grapples with balancing the benefits that can be gained from using this data for different purposes against protecting the rights of individuals to have some clarity and certainty around what their data might be used for. In this blog post, we’ll provide an overview of the perks and pitfalls of data use and disclosure, as well as the considerations for Australian businesses.
What is data use and disclosure?
Data use and disclosure can be as benign as your company sending data to a third-party provider which backs up your systems each night, or as problematic as Cambridge Analytica using the data collected via its personality test to influence elections.
In Australia, the use and disclosure of personal information is covered by Australian Privacy Principle 6 (APP 6). This APP provides that entities covered by the APPs may only use or disclose personal information for the purpose for which it was collected, or in limited other situations where an exception applies. The exceptions include where:
- The data subject consented to a secondary use or disclosure or would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose.
- Consent may be express or implied but, in any event, the consent must be informed, given voluntarily, current and specific, and given by an individual with the capacity to understand and communicate their consent.
- An Australian court or tribunal requires or authorises the disclosure.
- A permitted general practice or permitted health situation exists in relation to the secondary use or disclosure.
- The APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for enforcement related activities conducted by an enforcement body.
- The APP entity is an agency which discloses biometric information or biometric templates to an enforcement body.
You can read more about APP 6 and these exceptions here: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-6-app-6-use-or-disclosure-of-personal-information/
Examining the Issue: Balancing Data Use and Disclosure with Privacy in The Real World
The example of the police accessing the data to solve crimes highlights the competing privacy concerns quite well. On one hand, the data can help police identify potential witnesses or alleged criminals. In giving the police access to this data, individuals acting outside of the law might be identified. On the other hand, it is also likely to cause more people to avoid using the contact tracing apps – either out of fear of being caught or concern about their privacy.
The Office of the Australian Information Commissioner is attuned to these issues. In its recently published non-binding guidelines, it outlined that “orders that expressly prohibit access to contact tracing data for law enforcement purposes protect personal information and increase community trust and confidence in using QR codes.”
Balancing Business Operations with Respecting Personal Privacy
Balancing data use and disclosure, particularly for secondary purposes, with privacy is a complex issue, because there are significant benefits that come from data sharing. With more access to data, medical researchers are in a better position to identify key predictors, early symptoms, potential cures, and possible treatments. Similarly, retailers can better meet and predict consumer demand, resulting in less waste and better logistics.
But consumers and regulators are becoming more concerned about what data is being collected about individuals and how that data is being used. Data sharing is of particular concern for regulators and consumers, since it increases the risk that the data will be exposed, misused or mishandled.
Issues Businesses Must Consider When Using Data
While the issues associated with data use and disclosure are complex, businesses should be aware that sharing data (that includes personal information) doesn’t need to be a zero-sum game.
Businesses can take steps to make sure they only use or disclose data in a way that achieves the organisation’s purposes while also protecting personal information in accordance with the APPs. They can, for instance, operate using the privacy by design principles. These 7 principles guide the implementation and mapping of common privacy principles and fair information practices into all initiatives involving the use of personal data.
You can read more about Privacy by Design here.
Navigate Today’s Privacy Challenges with Privacy 108
Privacy108 was founded by one of Australia’s leading privacy law professionals, Dr Jodie Siganto. Her team understands sophisticated technology, IT systems and concepts, complex relationships with service providers and the importance of developing the right organisational culture. We provide practical guidance and advice, so organisations achieve their goals while meeting their compliance obligations and consumer expectations.
Our services include:
- Privacy compliance reviews;
- Privacy impact assessments;
- Development and implementation of privacy management programs;
- Development and implementation of privacy compliance programs including GDPR readiness;
- Data breach response and notification;
- Advice on the use of the cloud and other third-party service providers;
- Privacy policy reviews and updating;
- Design and implementation of privacy management systems;
- Support for implementation of privacy management software, including OneTrust;
- Developing an organisational security culture; and
- Training and awareness programs.
Wherever you are on your privacy maturity path, we can provide advice, support and implementation assistance.