The Office of Victorian Privacy Commissioner recently published a set of guidelines for the Victorian public sector dealing with data matching (Guidelines).1 They outline potential privacy issues that may arise in the context of data matching, and the considerations that should be taken into account.
Whilst the Guidelines are directed at Victorian public agencies, data matching may also be undertaken by private entities such as financial institutions (eg fraud detection, anti-money laundering), advertisers (eg targeted advertisements) and online merchants (eg targeted offers based on buying patterns). The Guidelines also serve as a useful reference for organisations wishing to undertake such exercises.
Privacy issues and recommended practice
Data matching refers to semi-automated comparisons of two or more systems of records, with the view of determining whether personal information from different records matches the same individual. The results of data matching can be used for a variety of purposes, including data verification and combining records to produce a more extensive set of personal information relating to an individual.
Due to its significant interaction with personal information, data matching can involve numerous privacy related risks. The following highlights some of the significant privacy issues outlined in the Guidelines and suggested practical ways to address them.
Purpose of data matching and results
Whilst data matching has its benefits, the Guidelines recognise that it may also harm individuals, particularly if the results of data matching are used by public agencies to make decisions that are adverse to the individual.
To minimise such risks, organisations should consider and document the purpose of data matching and the proposed use of the results as part of their planning process. In particular, an organisation should consider whether it is necessary to undertake data matching, or if it is more appropriate to de-identify the results.
Expectations of the individual
In accordance with IPP 2.1, an organisation should generally consider the expectations of the individuals before using or disclosing personal information for the purposes of data matching. This may include reviewing the organisation's privacy policy, representations made by the organisation relating to the treatment of personal information and privacy collection statements given by the organisation pursuant to IPP 1.3.
In our experience, many privacy policies and collection statements are generic and do not contemplate data matching. If an organisation intends to undertake data matching regularly, then we suggest that it should amend its privacy policy and collection statements to reflect that practice, as required by IPPs 1.3 and 2.1. In some circumstances, it may also be appropriate to have a separate policy explaining the organisation's data matching practices.
Some organisations (particularly online business) may have represented that they will keep all personal information confidential and will not use the information for any other purpose. Such representations may be inconsistent with data matching and thus will need to be withdrawn and corrected. The Victorian Privacy Commissioner also considers that the collection of personal information may be considered unfair for the purposes of IPP 1.2 if the organisation's privacy notice has misrepresented the intended dealings with the collected information.
Use of unique identifiers
Regular data matching may encourage the adoption and sharing of unique identifiers between organisations, which is inconsistent with the intent and objectives of IPP 7. Whilst the Guidelines do not prohibit the use of unique identifiers in data matching per se, an organisation must ensure that it complies with IPP 7. In practice, given the narrow exceptions of IPPs 7.2 and 7.3, we suggest that data matching involving the use or disclosure of unique identifiers should be supported by the prior consent of the individuals.
Quality of the data
Since data matching is an automated exercise, organisations should verify the accuracy of the source information before data matching to avoid creating inaccuracies. Similarly, depending on the intended use of the results, it may also be appropriate to verify and confirm the results before adopting them as the records of the organisation. This may involve verifying the results directly with the individual.
What do I need to do
Whilst the Guidelines are not legally binding, they indicate the Victorian Privacy Commissioner's interpretation of the IPPs in the context of data matching. Accordingly, it is good practice to follow them. From a practical perspective, we recommend that all organisations wishing to undertake data matching should:
- review their privacy policy and collection statements (and amend where necessary) to ensure that they are consistent with the data matching practices;
- consider and plan for privacy risks before undertaking any data matching exercise, including consideration as to whether it is possible to achieve a similar outcome without data matching;
- clearly document the rights and responsibilities of each contributor to the data matching, including ongoing responsibilities in relation to the use, disclosure and disposal of the results; and
- where practical, notify the individuals or seek their consent to the data matching.
We also note that Commonwealth agencies are subject to a different set of voluntary guidelines published by the federal Privacy Commissioner. Similarly, data matching involving tax file numbers that compare data from the Australian Taxation Office and assistance agencies are subject to specific legislation and mandatory guidelines. These guidelines should be taken into account when planning data matching involving Commonwealth agencies or information.
Footnote
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
