November 25th, 2021 by Admin

Many artificial intelligence (AI) technologies rely on enormous amounts of data – which may include personal information – in order to train and test algorithms. When Victorian public sector (VPS) organisations collect personal information to train an AI model, feed personal information into an AI system, or use AI to infer information about individuals, the Information Privacy Principles (IPPs) of the Privacy and Data Protection Act 2014 (PDP Act) apply.

The purpose of this guidance is to assist VPS organisations to consider their privacy obligations when using or considering the use of personal information in AI systems or applications. It will cover the collection, use, handling and governance of personal information within this context. Organisations should also conduct a privacy impact assessment (PIA) when designing or implementing AI systems, to help identify potential privacy risks associated with the collection and use of personal information in the AI system. PIAs are discussed later in this guidance.

What is AI?

Artificial intelligence, or ‘AI’, is a way for computers to perform tasks that require abstraction and which would ordinarily be performed by humans. AI is used as an umbrella term to describe a collection of different techniques and technologies, including machine learning, speech recognition, natural language processing, robotics, and predictive analytics. AI is present in many of the day-to-day interactions in our personal lives – for example, when we give voice commands on our mobile phones, or receive movie recommendations on streaming services.

The use of AI applications and systems is also growing in the public sector, enabled by the generation, availability and variety of sources of data accessible to government. Organisations are increasingly turning to AI to help carry out their functions, automate decision making processes, inform policy, and deliver services to the public. Common applications of AI include identifying objects, making predictions, translating language and processing very large amounts of information. For example, an increasingly common use of AI in the public sector is the use of chat bots to provide customer service and advice to individuals on a website.

While the use of an AI system to process personal information can deliver significant benefits, VPS organisations should consider whether the deployment of such a system is necessary to address an identified problem, and whether it is the best solution to that problem – AI systems should not necessarily be deployed simply because they are available.


November 25th, 2021 by Admin

Pacific Island countries have unique demographic attributes characterized by small and sparse populations and high migration rates. Due to this, the economic heft of the Pacific Islands is also limited, with a cumulative regional GDP of USD 32 billion (GDP per capita of USD 3,600) as of 2020, as compared to neighboring Australia with ~USD 1.3 trillion (GDP per capita of USD 51,812).

The Pacific Islands are also one of the least densely populated regions in the world, with ~34 people per square kilometre. Apart from the demographic constraints, the Pacific Island countries have limited natural resources and a large proportion of the Pacific Islander population living overseas in Australia and New Zealand, thus leaving the region highly dependent on inward remittances.

Despite efforts taken by individual Pacific Island countries to develop payments infrastructure, several challenges have constrained progress. Firstly, the demographic challenge of small and sparse populations, characterized by low economic resources and poor financial and technology literacy rates, has limited the uptake of newer technologies.

Secondly, the ecological fragility of the countries’ locations makes infrastructure projects such as undersea data cables challenging. Thirdly, the current payment infrastructures are not interoperable, making cross-border transactions highly cumbersome. Finally, a lack of uniform regulations to govern digital payments, rigid existing regulatory requirements, and the lack of ancillary regulations covering areas such as data privacy and cybersecurity further exacerbate the challenge and have left one-third of the region’s population lacking access to formal financial services.


November 25th, 2021 by Admin

What should our anonymisation process seek to achieve?

An effective anonymisation process seeks to reduce the likelihood of someone being identified or identifiable to a sufficiently remote level. This level depends on a number of factors specific to the context.

It may seem fairly easy to say whether a piece of information relates to an identified individual, as this may be clear from the information itself. For example, bank statements clearly identify individual account holders and contain information that relates to them. Anonymisation processes should take into account the concept of identifiability in its broadest sense. They should not simply focus on removing obvious information that clearly relates to someone.


November 17th, 2021 by Admin

FISMA stands for the Federal Information Security Management Act, which the United States Congress passed in 2002: it requires federal agencies to implement information security plans to protect sensitive data.

FISMA compliance is data security guidance set by FISMA and the National Institute of Standards and Technology (NIST). FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.


November 16th, 2021 by Admin

The long-awaited and closely watched Personal Information Protection Law of the People’s Republic of China (“PIPL”) was adopted on 20 August 2021, at the 30th Session of the Standing Committee of the 13th National People’s Congress.

As a basic law for personal information protection in China, the PIPL clarifies the rules for processing personal information, the obligations of personal information handlers (and processors), and the rights of personal information subjects. Notably, the PIPL provides serious punishment for violations of this law, which includes a fine of up to CNY 50 million (about USD 7,690,000) or 5% of annual turnover of the previous year.

The PIPL will come into effect as of 1 November 2021. During the grace period, organizations operating in China, and those established outside China but subject to the extraterritorial effect of the PIPL, are advised to carry out data compliance work in accordance with the PIPL to prepare for the upcoming law.

This Guide aims to highlight the main principles and provisions under the PIPL. It is intended to be used by organizations as an aid to find gaps in compliance and take possible steps required in practice.

Each section of this Guide describes an important rule or requirement under the PIPL. We also provide suggested “Actions” to consider and/or adopt to ensure compliance. Please note that the relevant supporting rules and regulations of the PIPL are expected to be promulgated and implemented accordingly, and organizations are advised to pay close attention to them. Other relevant laws and regulations, as well as departmental rules, should also be taken into consideration when assessing compliance.

