- Privacy rules around secondary use of data are not black and white.
- Customer expectations, ‘reasonableness’ and ethics form part of the mix.
- A Data Use Protocol can streamline the legal and ethical assessment and approval process for data use proposals.
The theme for this year’s Privacy Awareness Week (3-9 May 2021) is ‘make privacy a priority’. But how can organisations prioritise privacy in practice when faced with competing objectives such as leadership teams expecting to derive greater value from data in order to better inform business decision-making or government policy-making?
If your clients are seeking to extract value from data in new ways, what advice can you offer them to manage the legal and ethical considerations, and how can decisions about secondary data use be made at scale?
Using personal information for a new purpose
A privacy risk is created when personal information collected for one purpose is used for a different purpose.
For this reason, privacy laws draw a distinction between the primary purpose for which personal information is collected in the first place, and all other purposes (known as secondary purposes). Using personal information for secondary purposes is only allowed in some circumstances under privacy laws.
The immediate, primary reason an organisation might have collected personal information about individual customers might have been to treat a sick patient or to educate a student, to transport a passenger or to sell clothes online.
However data can have multiple, valuable use cases. For example, a smart light which turns off as people leave the room has a primary purpose of delivering energy efficiency to the home owner. However, as the data is compiled over time, it can evidence patterns of behaviour for the people living in that home, including when they are not at home. The use of that ‘pattern’ data would then be a secondary use. It might be useful at a ‘macro’ level, such as to enable an energy provider to better match energy supply to demand within a suburb or town. It might also be useful at the ‘micro’ level, for an energy retailer to offer differential pricing to different households. (Whether or not you consider this appropriate might depend on whether you think you would be offered higher or lower pricing than your neighbours!) Pattern data can also be useful intel for people with malicious intentions; so one data type can have multiple use cases, not all of them beneficial to the data subject.
The legal tests
Taking the Privacy Act 1988 (Cth) as an example, Australian Privacy Principle (‘APP’) 6 regulates the use and disclosure of personal information. (Note that State and Territory privacy laws regulate public sector agencies in their own jurisdictions, including state government departments, local councils and public universities.)