National Guidelines for Automated Vehicle Trials — submission to the National Transport Commission’s

29 January 2017

Overview

I welcome the opportunity to provide this submission to the National Transport Commission (NTC) in relation to the National Guidelines for Automated Vehicle Trials Discussion Paper (the discussion paper).

The National Guidelines for Automated Vehicle Trials (the National Guidelines) seek to promote Australia as a test bed for automated vehicle trials, while ensuring public safety and a consistent approach across state and territory road transport agencies.

My submission addresses the matters outlined in Part 6 (Data and Information), particularly the potential requirements for entities participating in automated vehicle trials to collect and disclose data, namely crash data and ongoing data updates. In certain circumstances, this data may be personal information, which will have privacy implications. My comments below outline some key privacy considerations for the NTC to consider in developing the National Guidelines.

The Office of the Australian Information Commissioner and the Privacy Act

The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency. The OAIC was established by the Australian Parliament to bring together three functions:

  • privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Privacy Act) and other Acts)
  • freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982)
  • information management functions (as set out in the Information Commissioner Act 2010)

The Privacy Act applies to Australian Government agencies, private sector organisations with an annual turnover of more than $3 million and some small businesses.[1]

The Privacy Act generally does not apply to State and Territory government agencies. Instead, where they exist, state and territory privacy laws have requirements that are similar to those under the Privacy Act (the exceptions are Western Australia and South Australia). These generally apply to state and territory government agencies as well as local councils, state and territory government owned corporations and universities.[2]

Personal information and the Privacy Act

Definition of personal information

‘Personal information’ is defined as any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.’[3]

The discussion paper outlines the potential for entities conducting automated vehicle trials to collect and disclose ‘crash data’ and ‘ongoing data updates’. Where the data is about an identified individual or an individual who is reasonably identifiable, then it will constitute personal information under the Privacy Act and attract the obligations under the Australian Privacy Principles (APPs). Where it is unclear whether information is personal information, an APP entity should err on the side of caution and treat the information as personal information.[4]

Also, there is the potential for automated vehicles to generate personal information that could be characterised as ‘sensitive information’ for the purposes of the Privacy Act. For example, were crash data to reveal injuries about a reasonably identifiable individual, it would constitute sensitive personal information. ‘Sensitive information’ is information or an opinion about an individual that includes racial or ethnic origin, religious beliefs or affiliations, sexual orientation and health information.[5]

Sensitive information is generally afforded a higher level of privacy protection under the APPs than other personal information (for example, see APPs 3, 6 and 7). This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual or those associated with the individual. Mishandling of sensitive information may also cause humiliation or embarrassment or undermine an individual’s dignity.[6] The National Guidelines could include information about entities’ obligations when collecting sensitive information, including the requirement to obtain the consent of the individual (unless an exception outlined at APP 3 applies).[7]

Application of privacy laws across jurisdictions

Australia has existing privacy protections in place both at the Commonwealth level and in most states and territories. These laws will likely apply to organisations involved in automated vehicle trials, in circumstances where data collected or generated by these trials involves personal information. There is potential for entities participating in automated vehicle trials to be subject to varying levels of privacy regulation. Some organisations, particularly start-up companies, may come within the ‘small business’ exemption for the purposes of the Privacy Act[8]. Privacy coverage will also differ where a state or territory government agency conducts the trial.

I support the position taken in the discussion paper that the National Guidelines will explicitly state that all trials will be required to comply with existing privacy laws and principles. However, I am of the view that the National Guidelines should also require businesses participating in automated vehicle trials that are not covered by privacy laws to comply with the APPs.

Section 6EA of the Privacy Act allows small businesses, who would otherwise not be covered by the Privacy Act, to choose to be treated as an organisation for the purposes of the Privacy Act and therefore be subject to the APPs.

This would demonstrate a public commitment to good privacy practices and promote uniformity for all participants in automated vehicle trials.

I recommend the NTC include criteria in the National Guidelines to require businesses who fall under the small business operator exemption to opt in to coverage by the APPs under section 6EA of the Privacy Act.[9] I note that the National Guidelines will not be legislative in nature and such an approach would assist to ensure that all participants are complying with privacy law.

The National Guidelines could also outline some of the key APPs and privacy obligations relevant to automated vehicle trials. For example, APP 3 regarding the collection of personal information and APP 5 regarding the notification of the collection of personal information, both of which are relevant to the data that entities may be required to collect under the National Guidelines.

Options for encouraging good privacy governance

APP 1 obliges APP entities to manage personal information in an open and transparent way. APP 1.2 requires APP entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. This means that APP entities must be proactive in establishing, implementing and maintaining effective privacy processes.

My Office has developed the Privacy Management Framework, which provides steps that the OAIC expects APP entities to take to meet their obligations under APP 1.2. I encourage all APP entities to develop a robust privacy management framework, which assists to embed a culture of privacy.[10] The National Guidelines could encourage entities participating in automated vehicle trials to ensure they have robust governance arrangements as outlined under APP 1.2 and link to the OAIC’s privacy management framework.

As part of good privacy governance, the NTC could also consider including criteria in the National Guidelines to require participating entities to report any privacy incidents or breaches arising from the trials to affected individuals, regulators and the NTC.

Other governance measures that the National Guidelines could incorporate to ensure compliance with the APPs include requiring participating entities to appoint a designated privacy officer and providing regular privacy training to staff.

De-identification and destruction of data

Entities involved in automated vehicle trials that are covered by the Privacy Act have obligations to secure personal information.

APP 11 requires an APP entity to take reasonable steps to ensure the security of personal information it holds and to actively consider whether it is permitted to retain personal information. Under APP 11.2, an entity must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs.

Personal information is ‘de-identified’ if the information is no longer about an identifiable individual or an individual who is reasonably identifiable. De-identified information is therefore no longer considered ‘personal information’ for the purposes of the Privacy Act. De-identifying information can mitigate common privacy concerns and I encourage the NTC to consider including requirements in the National Guidelines around de-identification of the data that will be collected from automated vehicle trials.[11]

I support the NTC’s preferred option to include essential criteria in the National Guidelines regarding system security as this is an important measure to protect personal information that may be collected, stored and disclosed from automated vehicle trials. System security measures will assist entities participating in automated vehicle trials meet the requirements under APP 11.

Public engagement

Transparency and community expectations

The Australian community is increasingly aware of privacy issues, especially in light of new technological advances. The Australian community expects transparency in relation to the handling of personal information, and these expectations are heightened when information is compulsorily collected.

It is therefore important that entities involved in automated vehicle trials who are required to collect and disclose personal information are transparent about their practices. Good privacy practice, together with effective communication and community engagement strategies, can help to ensure that the handling of personal information is consistent with the community’s expectations. In turn, having a social licence for any new uses of data will help ensure the success of projects that rely on the use of personal information.

I therefore support the NTC’s preferred option that the National Guidelines include optional criteria for community consultation and public engagement. The NTC may wish to consider including guidance material to assist entities determine when community consultation and public engagement may be necessary. A Privacy Impact Assessment (PIA), discussed below, is an effective method of facilitating public engagement and building a social licence.

Privacy Impact Assessments

As part of the safety management system approach, and to facilitate public engagement, I recommend the NTC outline the benefits of a PIA in the National Guidelines.

A PIA is a written assessment that assists in identifying the privacy impacts of a proposal and provides an opportunity to set out any recommendations for managing, minimising or eliminating those impacts. A PIA is an effective way to satisfy the requirements under APP 1.2, which requires entities to take reasonable steps to implement practices, procedures and systems that will ensure an entity’s compliance with the APPs.

The NTC could consider promoting the benefits of a PIA in the National Guidelines’ system security criteria, or as part of the general design of the National Guidelines more broadly, and encourage entities participating in automated vehicle trials to conduct a PIA where it will benefit the project. The NTC may wish to consult the OAIC’s Guide to undertaking privacy impact assessments for more information on PIAs, which can be found on the OAIC’s website.[12]

Conclusion

As outlined above, while entities participating in automated vehicle trials may be subject to varying privacy obligations, there are numerous benefits in incorporating privacy considerations into the National Guidelines, particularly around good privacy governance, public engagement and data security, and in ensuring entities are aware of their obligations under privacy law when participating in automated vehicle trials.

I would welcome any further engagement on the matters discussed in this submission. My Office would also be pleased to assist the NTC by commenting on any criteria in the National Guidelines that relate to personal information and privacy.

Footnotes

[1] The term ‘organisation’ is defined in s 6C of the Privacy Act and the term ‘small business operator’ is defined in s 6D of the Privacy Act 1988. See s 6E of the Privacy Act 1988 for instances where a small business operator is treated as an organisation.

[2] Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2009 (Qld); Premier and Cabinet Circular No 12 (SA); Personal Information Protection Act 2004 (Tas); Privacy and Data Protection Act 2014 (Vic); Information Privacy Act 2014 (ACT); Information Act (NT). For more information about State and Territory privacy laws, please see Other privacy jurisdictions on the OAIC’s website.

[3] See s 6(1) of the Privacy Act 1988 for the definition of ‘personal information’

[4] For more information, see the APP Guidelines on the OAIC website: https://oaic.gov.au/search/getSearchResults?Search=APP+Guidlines

[5] See s 6(1) of the Privacy Act 1988 for the definition of ‘sensitive information’

[6] For more information, see: https://oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-b-key-concepts#sensitive-information

[7] For more information, see Chapter 3 of the APP Guidelines, available on the OAIC website: https://oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-3-app-3-collection-of-solicited-personal-information#collecting-sensitive-information

[8] See s 6C(1) and 6D for details of the small business exemption and definition of a small business

[9] The opt-in process is outlined at: https://oaic.gov.au/privacy-law/privacy-registers/opt-in-register

[10] See https://www.oaic.gov.au/agencies-and-organisations/guides/privacy-management-framework

[11] For more information, see Privacy business resource 4: de-identification of data and information, available on the OAIC’s website: https://oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-4-de-identification-of-data-and-information#what-is-de-identification

[12] See https://oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments
