
Privacy Commissioner’s foreword

As artificial intelligence technologies advance and the practical and financial barriers to their adoption and diffusion reduce, many entities are grappling with legal and ethical questions. Although there is a live policy and regulatory debate about how the development and use of AI should be regulated, it is also clear that existing laws apply to AI technologies, and that regulated entities must ensure that their use of AI adheres to their legal obligations.

As the country’s privacy regulator, the Office of the Australian Information Commissioner (OAIC) has been unequivocal that the Privacy Act 1988 (Cth) (Privacy Act) applies to the collection, use and disclosure of personal information to train AI models, just as it applies to all uses of AI that involve personal information. While a number of uses of AI are low-risk, developing an AI model is a high privacy risk activity when it relies on large quantities of personal information. As with many uses of AI, this is a source of significant community concern. Generative AI models have unique and powerful capabilities, and certain use cases can pose significant privacy risks for individuals as well as broader ethical risks and harms.

For these reasons, the OAIC (like the Australian community) expects developers to take a cautious approach to these activities and give due regard to privacy in a way that is commensurate with the considerable risks for affected individuals. Developers should take steps to ensure compliance with the Privacy Act, and first and foremost take a ‘privacy by design’ approach when developing or fine-tuning AI models or systems, which may include conducting a privacy impact assessment and taking steps to remove or de-identify personal information from any training dataset.

In October 2024, the OAIC published guidance on privacy when developing and training generative AI models. I have also consistently indicated that AI and other emerging technologies would be a regulatory priority going forward, reflecting the fact that this is an area of significant interest and concern for the community. It was within this context that I decided to make preliminary inquiries into the potential disclosure of patient data, including medical imaging scans, to train a diagnostic artificial intelligence model.

As detailed below, our preliminary inquiries were sufficient to satisfy me that the patient data shared in this instance had been de-identified sufficiently such that it was no longer personal information for the purposes of the Privacy Act. Accordingly, I will not be pursuing regulatory action on this occasion.

This case study shows how good governance and planning for privacy at the start of a new initiative can support an organisation to adopt new and innovative data-driven technologies in a way that protects the rights of individuals.

Developing industries, service delivery adaptations and rapidly developing technologies can be supported by consistent and clear regulatory interventions that promote practices and outcomes that are lawful, reflective of community values and support the implementation of new technologies. This decision provides an example of regulatory intervention and guidance to industry and the community that facilitates those outcomes.

Carly Kind
31 July 2025

1. Summary and background

1.1. I-MED Radiology Network Limited (I-MED) is Australia’s largest diagnostic imaging network, offering medical imaging and radiology services including X-ray, PET, CT, MRI, nuclear medicine, ultrasound, mammography and interventional procedures. I-MED operates 250 clinics and performs over 6 million patient procedures each year across Australia.

1.2. On 19 September 2024, the OAIC became aware of media publications alleging I-MED had disclosed patient data, including medical imaging scans, to train a diagnostic artificial intelligence model.[1]

1.3. The reports related to the disclosure of medical imaging scans to Annalise.ai, a former joint venture between I-MED and Harrison.ai, a healthcare artificial intelligence company. The joint venture was described by I-MED in a media release announcing the establishment of the joint venture as:

pav[ing] the way for AI technology to improve the delivery of imaging services to patients and health practitioners. This exciting partnership will see radiologists and AI engineers develop world-leading prediction engines for key imaging modalities (such as X-ray, mammography and CT) to assist radiologists to efficiently and accurately diagnose diseases and injuries.

Annalise.ai’s deep neural networks will be trained with millions of labelled anonymised imaging data.

1.4. Between 20 September 2024 and 7 April 2025, the OAIC made inquiries with I-MED, Annalise.ai, and Harrison.ai under s 42(2) of the Privacy Act for the purpose of determining if the Privacy Commissioner (Commissioner) should open an investigation under s 40(2) of the Act. This included considering whether the allegations suggested a contravention of the Australian Privacy Principles (APPs), especially APPs 1, 5 and 6.

1.5. Ultimately, the Commissioner was satisfied that the patient data shared with Annalise.ai was de-identified sufficiently that it was no longer personal information for the purposes of the Privacy Act. The Commissioner therefore ceased the inquiries, but decided to publish this report in the public interest to inform the community of the outcome of the inquiries and as a case study of good privacy practice. It is still open to the Commissioner to commence an investigation of I-MED with respect to these or other practices, and this case study should not be taken as an endorsement of I-MED’s acts or practices or an assurance of their broader compliance with the APPs.

2. Relevant provisions of the Privacy Act

2.1. Section 6FA of the Privacy Act defines ‘health information’ as including relevantly:

  1. information or an opinion about:
    1. the health, including an illness, disability or injury, (at any time) of an individual; or
    2. a health service provided, or to be provided, to an individual;
    that is also personal information;
  2. other personal information collected to provide, or in providing, a health service to an individual;
    …

2.2. Health information about an individual is a special class of personal information designated by section 6 of the Privacy Act as ‘sensitive information’. Sensitive information is generally afforded a higher level of privacy protection under the Australian Privacy Principles (APPs) than other personal information (for example, see APPs 3, 6 and 7). This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual or those associated with the individual.

2.3. For information to be classified as either health information or sensitive information, it must also constitute personal information.

2.4. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. Whether something is personal information depends on whether an individual can be identified or is reasonably identifiable in the relevant circumstances – for instance in the context in which the information is held, used or disclosed.

2.5. Personal information that has been de-identified will no longer be personal information. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable, and therefore no longer meets the definition of personal information.

3. Preliminary inquiries

3.1. The media publications of 19 September 2024 referred to the disclosure of private medical scans to a third party for the purpose of training an artificial intelligence model.

3.2. This alleged practice primarily raised concerns about I-MED’s compliance with APP 6, which requires that APP entities use or disclose personal information only for the primary purpose for which it was collected, or for a secondary purpose where an exception applies or consent has been obtained. For sensitive information, the secondary purpose must be directly related to the primary purpose for which it was collected.

3.3. On 20 September 2024, the OAIC commenced preliminary inquiries with I-MED, Harrison.ai and Annalise.ai.

3.4. The inquiries focussed on the form and content of the patient data that I-MED provided to Annalise.ai, the process of the data flow and the steps taken to de-identify the data.

3.5. Our enquiries established that:

  1. Between 2020 and 2022, I-MED provided Annalise.ai with patient data for the purpose of developing and training an artificial intelligence model to enhance diagnostic imaging support services.
  2. The patient data included clinical scans and reports from a range of modalities, including X-rays, CT scans and ultrasounds. Patients whose data was provided to Annalise.ai were not notified of this use or disclosure and did not provide their consent.
  3. I-MED contended that notification and consent were not required, as the patient data had been de-identified to the extent that it was no longer personal information, and by implication, the sharing with Annalise.ai was no longer subject to the requirements of the APPs.

4. De-identification of personal information

4.1. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable. De-identified information is not ‘personal information’.

4.2. De-identification involves removing or altering information that identifies an individual or is reasonably likely to do so. Generally, de-identification includes two steps (a simple illustrative sketch follows the list below):

  • removing personal identifiers, such as an individual’s name, address, date of birth or other identifying information, and
  • removing or altering other information that may allow an individual to be identified, for example, because of a rare characteristic of the individual, or a combination of unique or remarkable characteristics that enable identification.[2]
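
The sketch below is a purely illustrative way of picturing these two steps on a simple tabular record. The field names, age bands and postcode truncation are hypothetical choices made for the example; they are not drawn from the I-MED dataset or from any particular standard.

```python
# Purely illustrative: a minimal two-step de-identification of a simple
# tabular record. All field names and generalisation rules are hypothetical.

DIRECT_IDENTIFIERS = {"name", "address", "date_of_birth", "phone", "medicare_number"}

def deidentify(record: dict) -> dict:
    # Step 1: remove personal identifiers such as name, address and date of birth.
    cleaned = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    # Step 2: remove or alter other information that could still single a person
    # out, e.g. generalise an exact age to a 10-year band and keep only the
    # first digit of the postcode so rare combinations are less distinguishable.
    if "age" in cleaned:
        decade = (cleaned.pop("age") // 10) * 10
        cleaned["age_band"] = f"{decade}-{decade + 9}"
    if "postcode" in cleaned:
        cleaned["postcode_region"] = str(cleaned.pop("postcode"))[:1] + "xxx"
    return cleaned

print(deidentify({"name": "Jane Citizen", "age": 87, "postcode": 2000, "finding": "fracture"}))
# {'finding': 'fracture', 'age_band': '80-89', 'postcode_region': '2xxx'}
```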

4.3. De-identification may not altogether remove the risk that an individual can be re-identified. There may, for example, be a possibility that another dataset or other information could be matched with the de-identified information. The risk of re-identification must be actively assessed and managed to mitigate this risk. Relevant factors to consider when determining whether information has been effectively de-identified could include the cost, difficulty, practicality and likelihood of re-identification.

4.4. Whether a person is ‘reasonably identifiable’ is an objective test that has practical regard to the context in which the issue arises. Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’. An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances.

5. I-MED’s de-identification practices

5.1. Our enquiries established that, prior to sharing the patient data with Annalise.ai, I-MED processed the data (as illustrated in the sketch following this list) by:

  1. segregating the patient data from the underlying dataset,
  2. scanning the records with text recognition software,
  3. using two hashing techniques (for unique identifiers such as patient ID numbers, and names, addresses and phone numbers),
  4. time-shifting dates (to a random date within a specified number of years),
  5. aggregating certain fields into large cohorts to avoid identification of outliers, and
  6. redacting any text appearing within, or within 10% of the boundary of, an image scan.
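
For illustration only, the sketch below shows the general shape of two of the transformations listed above: keyed hashing of identifiers and time-shifting of dates. It is not I-MED’s actual pipeline; the secret key, the shift window, the field names and the per-patient consistency of the shift are assumptions made for the example.

```python
# Illustrative only: keyed hashing of identifiers and random date shifting of
# the kind described above. Not I-MED's pipeline; the key, window and field
# names are assumptions for the example.

import hashlib
import hmac
import random
from datetime import date, timedelta

SECRET_KEY = b"replace-with-a-securely-stored-secret"

def hash_identifier(value: str) -> str:
    """Map an identifier (patient ID, name, phone number) to an opaque token.
    A keyed hash means the original value cannot be recovered from the output
    or recomputed by anyone who does not hold the key."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()

def shift_date(original: date, patient_token: str, max_days: int = 365) -> date:
    """Shift a date by a random offset within a specified window. Seeding the
    offset from the patient's token (an assumption here) keeps all of one
    patient's dates shifted consistently, preserving intervals between studies."""
    rng = random.Random(patient_token)
    return original + timedelta(days=rng.randint(-max_days, max_days))

token = hash_identifier("PATIENT-0001")
print(token[:16], shift_date(date(2021, 3, 14), token))
```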

5.2. Our enquiries also established that I-MED imposed contractual obligations on Annalise.ai:

  1. prohibiting them from doing any act, or engaging in any practice, that would result in the patient data becoming 'reasonably identifiable',
  2. prohibiting them from disclosing or publishing the patient data for any purpose (to prevent wider dissemination of the dataset and accordingly reduce the risk that the patient data may become re-identifiable in the hands of other third parties or the public domain),
  3. requiring them to store the patient data in a secure environment, and
  4. requiring them to notify I-MED if they inadvertently received any patient personal information.

5.3. I-MED also developed a Data De-identification Policy and Approach to guide the sharing of patient data.

5.4. During the course of the preliminary inquiries, I-MED and Annalise.ai provided samples of image scans and other patient data used. A review of these samples by OAIC staff revealed no identifiable personal information.

6. Adequacy of de-identification practices

6.1. Our enquiries established that I-MED’s de-identification practices reflect many of the practices endorsed by the National Institute of Standards and Technology, including:

  • utilising the 5-Safes Principles,
  • ensuring separation of the Annalise.ai and I-MED environments,
  • utilising a ‘Data Use Agreement Model’,
  • imposing prescriptive de-identification standards,
  • removing or transforming all direct identifiers, and
  • utilising top and bottom coding and aggregation of outliers (illustrated in the sketch below).
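
As a purely illustrative example of the last practice, top and bottom coding caps extreme values so that outliers are folded into larger cohorts rather than remaining individually distinctive. The thresholds and values below are invented for the sketch; real bounds would be set by the applicable de-identification policy.

```python
# Illustrative only: top and bottom coding of a numeric attribute. The bounds
# and data are invented for the example.

def top_bottom_code(values, lower, upper):
    """Clamp each value into [lower, upper] so extreme (potentially identifying)
    values are merged into the boundary cohorts."""
    return [min(max(v, lower), upper) for v in values]

ages = [2, 34, 41, 58, 63, 99, 104]
print(top_bottom_code(ages, lower=5, upper=90))  # [5, 34, 41, 58, 63, 90, 90]
```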

6.2. Our enquiries established that between April 2020 and January 2022, I-MED shared fewer than 30 million patient studies (a study refers to a complete imaging session for a single patient and may include multiple image types that together represent a single diagnostic episode), and a similar volume of associated diagnostic reports, with Annalise.ai. During this time, Annalise.ai proactively identified and reported to I-MED a very small number of instances where personal information had been shared with it in error due to failures in the de‑identification process. In each case, the material was subsequently deleted or de-identified.

6.3. The OAIC’s Privacy Guidance for Organisations and Government Agencies sets out that:

Information will be de-identified where the risk of an individual being re-identified in the data is very low in the relevant release context… Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information will not generally be regarded as personal information.[3]

7. Closure of preliminary inquiries

7.1. Based on the information obtained through the preliminary inquiries, the Commissioner was satisfied that the patient data shared with Annalise.ai had been de-identified sufficiently that it was no longer personal information for the purposes of the Privacy Act. Although the steps taken by I-MED could not entirely remove the risk of re-identification, the Commissioner was satisfied that they reduced that risk to a sufficiently low level and were supported by sound data governance practices. As noted at [6.2] above, there were a very small number of occasions where personal information was unintentionally disclosed, but the Commissioner was satisfied that these were relatively minor incidents that were identified and addressed appropriately by I-MED and Annalise.ai.

7.2. The Commissioner therefore decided to close the preliminary inquiries with no further action.

8. Publication of report

8.1. The Privacy Act envisages circumstances in which it is in the public interest to disclose information acquired in the course of exercising powers such as making preliminary inquiries or undertaking an investigation. Section 33B of the Privacy Act enables the Commissioner to disclose information acquired in the course of exercising powers or performing functions or duties under the Privacy Act, if the Commissioner is satisfied that it is in the public interest to do so.

8.2. Having regard to the matters listed in s 33B(2), the Commissioner decided that publishing this report would be in the public interest. The Commissioner considered that the alignment of practices to develop and train AI models with obligations under the Privacy Act is an issue of significant public interest and concern. The Commissioner also considered that publishing details of these preliminary inquiries would provide a beneficial example of good privacy practices and of how the use of de-identified data may still allow an APP entity to effectively carry out its functions and activities, including through the adoption of new and innovative data-driven technologies.