Learning Goals
By the end of this section you will:
understand ethical issues around data and privacy
understand the value of data as a commodity
know the ethical issues in relation to handling personal data
understand the Australian Privacy Principles
know about Open Data and why it is important
understand the process of protecting privacy by de-identifying open data
If you are a member of a modern society, your personal data has been collected. Sometimes it is collected by governments, but mostly it is collected by corporations. Collection is so extensive that an entire industry has developed to collate and on-sell personal data (data brokers), sparking a counter-industry aimed at removing personal data from these data brokers (personal data removal services).
But many of our day-to-day services run on this data, so why is it a concern? Check the video below for an explanation.
Video Summary
This video explains the critical importance of data privacy and ethics in today’s digital world, where personal information is widely collected and used.
Key issues and concerns highlighted include:
Data Collection and Consent:
Issue: Organizations often collect user data without users fully understanding what’s being collected or how it will be used.
Concern – Informed Consent: Users frequently agree to terms without full comprehension, leading to potential unauthorized use of their information.
Concern – Transparency: Lack of transparency from companies about their data practices can make users feel their privacy is compromised.
Data Storage and Security:
Issue: Large data repositories are attractive targets for cybercriminals.
Concern – Data Breaches: Inadequate security measures can expose personal information, leading to risks like identity theft.
Data Sharing and Third-Party Access:
Issue: Sharing data with third-party vendors increases the risk of unauthorized access.
Concern – Lack of User Control: Once data is shared, users have little control over its subsequent use, potentially leading to unwanted targeting.
Data Profiling and Surveillance:
Issue: Organizations use data profiling to make inferences about behaviour, which can impact decisions like credit scores or job prospects.
Concern – Privacy Intrusion: This practice can feel invasive as individual behaviours are tracked to build detailed profiles.
The video then emphasizes Ethical Considerations in Data Use, stressing the need for responsible data handling and prioritizing individual rights. A key ethical practice is:
Transparency and Honesty: Organizations should clearly communicate how data is collected, used, and shared.
Importance – Building Trust: Transparent data practices are crucial for building trust with users, reassuring them that their information is handled responsibly.
So you can see that data privacy is fundamental because it safeguards individuals from harms associated with the exposure or misuse of their personal information. Personal data can reveal sensitive details about a person’s identity, habits, health, finances, and more. Unauthorized access or disclosure can lead to identity theft, financial loss, reputational damage, and emotional distress.
In this section we will explore what we need to take into consideration when handling data in Australia.
General Privacy Activities
How does the collection and sale of personal data by corporations and data brokers raise ethical concerns about transparency and consent?
What risks can arise from poor data storage and security, and how might these impact individuals?
In what ways can responsible data handling practices, such as transparency and honesty, build trust between organisations and users?
Data as a Commodity
Information as a commodity refers to the idea that information—like physical goods—can be bought, sold, and traded for economic value. In the digital age, information and data have become valuable resources, much like oil or gold, because they can be used to drive business decisions, predict consumer behaviour, and tailor products and services.
Characteristics of Information as a Commodity
Intangibility: Unlike physical goods, information is intangible; it can be shared, copied, and used by many people simultaneously without being depleted.
Tradability: Information can be packaged, sold, or licensed in various forms, such as databases, reports, software, or digital media.
Value Creation: The value of information comes from its ability to inform decisions, control processes, and create competitive advantages in markets.
Market Dynamics: Information exhibits economic properties such as supply, demand, cost, price, and markets. It can be traded as a private good (sold for profit) or provided as a public good (freely shared).
Low Marginal Cost: Once created, information can be reproduced and distributed at almost zero cost, unlike traditional goods where each additional unit has a production cost.
Examples
Market research reports, customer databases, software, e-books, and streaming media are all examples of information commodities.
Data brokers aggregate and sell personal data, turning individual digital footprints into tradable assets.
The value of data can lead to exploitation, which raises ethical and legal concerns around its collection.
Data as a Commodity Activities
How is information similar to and different from traditional physical commodities like oil or gold?
What characteristics make data valuable as an economic resource in the digital age?
What ethical and legal concerns can arise from treating personal data as a tradable commodity?
Handling Personal Data 📝
The collecting of personal data raises a range of ethical concerns.
Privacy Violations
Collecting data without proper authorization or consent can infringe on individuals’ privacy, exposing sensitive personal information and breaching confidentiality.
Even anonymized data can sometimes be re-identified, leading to unintended privacy breaches.
Informed Consent
Ethical data collection requires clear, informed consent from individuals, ensuring they understand what data is being collected, how it will be used, and with whom it may be shared.
Many consent processes are inadequate, with users often agreeing to terms they do not fully understand.
Data Security
Organizations have an ethical obligation to protect collected data from unauthorized access, breaches, or leaks, which could result in identity theft, financial harm, or reputational damage.
High-profile breaches highlight the risks and the importance of robust security measures.
Bias and Discrimination
Data collection and analysis can perpetuate or amplify biases, especially if datasets are unrepresentative or algorithms are not carefully managed, leading to unfair or discriminatory outcomes.
Technologies like facial recognition have faced criticism for racial bias and inaccuracies.
Transparency and Accountability
Ethical data collection demands transparency about what data is collected, why, and how it will be used, enabling individuals to make informed choices.
Lack of transparency erodes trust and can lead to misuse or abuse of data.
Manipulative and Exploitative Practices
Data can be used unethically for manipulative marketing, psychological profiling, or social manipulation, undermining individual autonomy and democratic processes.
Data Ownership and Control
There are ongoing ethical debates about who owns personal data and who has the right to control its use, especially as data becomes a valuable asset.
Data Minimization and Purpose Limitation
Ethically, organizations should collect only the data necessary for a specific purpose and not retain it longer than needed, balancing commercial interests with individual rights.
Fairness in Use and Retention
The use of data for purposes beyond the original intent without explicit consent is unethical, even if the organization believes it is beneficial.
Legal and Regulatory Compliance
Navigating and adhering to diverse and evolving data protection laws is both an ethical and legal requirement, ensuring respect for individuals’ rights across jurisdictions.
Here are some examples of data privacy laws in force around the world:
European Union: General Data Protection Regulation (GDPR)
Scope: Applies to all organizations processing personal data of EU residents, regardless of where the organization is based.
Key Features: Requires explicit consent, data minimization, the right to access and delete data, data portability, and strict breach notification requirements. Imposes heavy penalties for non-compliance.
Influence: Considered the global benchmark, inspiring similar laws in other countries.
United States: State and Sectoral Laws
In the US, data privacy is governed by a mix of federal sectoral laws and a growing number of comprehensive state laws, each granting consumers rights over their personal information and imposing various obligations on businesses.
Federal Sectoral Laws: apply to particular industries or types of data, rather than providing a single, comprehensive framework for all personal information. Here are some examples:
HIPAA (Health Insurance Portability and Accountability Act): Protects health information privacy.
GLBA (Gramm-Leach-Bliley Act): Regulates financial institutions’ handling of personal financial information.
COPPA (Children’s Online Privacy Protection Act): Governs online collection of data from children under 13.
FERPA (Family Educational Rights and Privacy Act): Protects the privacy of student education records.
FCRA (Fair Credit Reporting Act): Regulates the collection and use of consumer credit information.
State Comprehensive Privacy Laws: As of 2025, at least 16 US states have passed comprehensive privacy laws, each with unique requirements and enforcement mechanisms. For example:
California Consumer Privacy Act (CCPA): Grants California residents rights to know, delete, and opt out of the sale of their personal data. Other states like Virginia, Colorado, and Texas have enacted similar laws.
Virginia Consumer Data Protection Act (CDPA): Emphasizes user consent, transparency, and allows consumers to opt out of data collection and targeted advertising.
Colorado Privacy Act: Focuses on data minimization, purpose limitation, and consumer rights to access, correct, delete, and opt out of data sales and targeted ads.
China: Personal Information Protection Law (PIPL)
Comprehensive Coverage: Applies to any entity handling personal data of people in China, even if the entity is based overseas.
Key Features: Consent, data minimization, cross-border data transfer restrictions, and severe penalties for non-compliance.
Australia: Privacy Act 1988 and Australian Privacy Principles (APPs)
Scope: Governs how personal information is handled by government agencies and many private sector organizations.
Key Features: Open and transparent management, data quality and security, access and correction rights, and restrictions on cross-border disclosure.
Due to the international nature of the internet, the influence of these laws can spread far beyond their legal jurisdiction. For example:
The GDPR is the reason web sites ask you to accept cookies.
COPPA is the reason the Terms and Conditions of social media accounts exclude children under 13 years old.
Handling Personal Data Activities
How can re-identification of anonymized data occur, and what does this reveal about data security challenges?
What role do high-profile data breaches play in shaping public awareness and organizational accountability?
How might algorithms unintentionally reinforce stereotypes or systemic inequalities when handling personal data?
Why is accountability just as important as transparency in ethical data collection?
How can psychological profiling using personal data threaten democratic processes?
What ethical dilemmas arise when organizations use data for purposes beyond the original reason it was collected?
How does the concept of data as a valuable asset complicate debates over ownership and control?
What risks emerge when organizations retain personal data longer than necessary?
How do global differences in data protection laws create challenges for multinational organizations?
In what ways do privacy laws like COPPA or FERPA directly shape the design of digital services for young people and students?
Open Data
Open data refers to data that is freely available for anyone to access, use, modify, and share, typically without restrictions or the need for special permissions. It is often published by governments, public institutions, or private organizations and is made available in accessible, machine-readable formats.
Key Features of Open Data:
Freely accessible to all, regardless of user or purpose.
Usable, reusable, and redistributable without significant restrictions.
Often structured for easy analysis and integration with other datasets.
Importance of Open Data
Promotes Transparency and Accountability
Open data allows citizens to scrutinize the actions and performance of governments and organizations, increasing transparency and enabling public oversight.
For example, open data platforms can reveal school performance or government spending, empowering communities to advocate for improvements.
Drives Innovation and Economic Growth
By making valuable datasets available, open data stimulates the creation of new products, services, and business models, fostering entrepreneurship and job creation.
The economic impact is significant; for instance, the release of weather and GPS data in the US led to new industries and billions in added value.
Enhances Public Services and Efficiency
Sharing data across government agencies and with the public leads to better decision-making, more efficient services, and reduced duplication of effort.
Open data helps identify areas of unnecessary spending and improves overall service delivery.
Supports Scientific Research and Collaboration
Open data accelerates scientific discovery by enabling researchers to validate findings, build upon each other’s work, and collaborate across disciplines and borders.
Empowers Individuals and Communities
Accessible data gives people the information needed to make informed choices, participate in civic life, and advocate for themselves and their communities.
Encourages Social Welfare and Participation
Open data initiatives can improve social outcomes by informing public debate, supporting evidence-based policy, and enabling social innovation.
Australian Open Data Sources
Here are major open data sources in Australia, covering national, state, and sector-specific datasets:
National Open Data Portals:
State and Territory Open Data Portals:
Councils Open Data Portals:
De-identification
Open data can easily conflict with privacy. A solution to this problem is the de-identification of data.
De-identification is the process of removing or altering personal information from a dataset so that individuals cannot be readily identified. The goal is to protect privacy while still allowing the data to be used for analysis, research, or public release.
Key Steps in De-identification
Removing Direct Identifiers: This includes deleting or masking information such as names, addresses, phone numbers, email addresses, Medicare numbers, and other unique identifiers.
Modifying or Generalizing Indirect Identifiers: Indirect identifiers (also called quasi-identifiers) are data points like date of birth, postcode, or gender that, when combined, could identify someone. These may be generalized (e.g., using age ranges instead of exact birth dates) or partially removed.
Data Masking and Perturbation: Techniques such as data swapping, adding random noise, or aggregating data can further reduce the risk of re-identification.
Why is De-identification Important?
Privacy Protection: It helps organizations comply with privacy laws (like the Australian Privacy Principles or GDPR) by reducing the risk that individuals can be identified from released data.
Enabling Data Sharing: De-identified data can often be shared more freely for research, policy-making, and innovation, unlocking value while minimizing privacy risks.
Limitations and Risks
Re-identification Risk: De-identification is not foolproof. Advances in data analytics and the availability of other datasets mean that, in some cases, individuals can still be re-identified, especially if the data is rich or unique.
Continuous Process: De-identification should be regularly reviewed and updated as new risks, technologies, and datasets emerge.
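The steps and the re-identification risk described above can be seen together in a short worked example. This is an added example, not part of the original course material: the field names, the ten-year age bands, the two-digit postcode masking and the sample records are all assumptions constructed for illustration. It goes one step beyond the text by counting how many released rows share each combination of indirect identifiers, which is one common way to spot records that remain unique.

```python
from collections import Counter
from datetime import date

# Field names are assumptions made for this example.
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email", "medicare_number"}
RAW_QUASI = ("date_of_birth", "postcode", "gender")
RELEASED_QUASI = ("age_range", "postcode_area", "gender")

def age_range(dob, on, width=10):
    """Generalise an exact birth date to a band such as '30-39'."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def deidentify(record, on):
    """Step 1: drop direct identifiers. Step 2: generalise indirect ones."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_range"] = age_range(out.pop("date_of_birth"), on)
    out["postcode_area"] = out.pop("postcode")[:2] + "**"
    return out

def at_risk(rows, keys, k=2):
    """Rows whose combination of indirect identifiers is shared by fewer than k rows."""
    combo = lambda r: tuple(r[f] for f in keys)
    sizes = Counter(combo(r) for r in rows)
    return [r for r in rows if sizes[combo(r)] < k]

def person(name, dob, postcode, gender, condition):
    """Build one constructed sample record with placeholder contact details."""
    return {"name": name, "email": name.split()[0].lower() + "@example.com",
            "phone": "0400 000 000", "medicare_number": "0000 00000 0",
            "address": "1 Example St", "date_of_birth": dob,
            "postcode": postcode, "gender": gender, "condition": condition}

# Constructed sample data: none of these people or details are real.
REFERENCE_DATE = date(2025, 1, 1)
RECORDS = [
    person("Alex Example", date(1990, 3, 14), "4000", "F", "asthma"),
    person("Sam Sample", date(1988, 11, 2), "4006", "F", "diabetes"),
    person("Jo Placeholder", date(1992, 7, 21), "4051", "F", "asthma"),
    person("Kim Constructed", date(1975, 1, 30), "4101", "M", "hypertension"),
    person("Lee Madeup", date(1979, 9, 9), "4170", "M", "asthma"),
    person("Pat Fictional", date(1951, 5, 5), "4870", "M", "diabetes"),
]
RELEASED = [deidentify(r, REFERENCE_DATE) for r in RECORDS]

if __name__ == "__main__":
    print("unique before generalising:", len(at_risk(RECORDS, RAW_QUASI)))
    print("unique after generalising: ", len(at_risk(RELEASED, RELEASED_QUASI)))
    for row in at_risk(RELEASED, RELEASED_QUASI):
        print("still unique:", row)
```

In the sample, every record is unique on exact birth date, postcode and gender, and one record is still unique after generalising, so it would need wider bands, suppression or aggregation before release.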
Open Data Activities
What is open data, and how is it typically made available?
What are the key features that make data truly “open”?
How does open data promote transparency and accountability in governments and organizations?
In what ways can open data drive innovation and contribute to economic growth?
How does open data improve public services and government efficiency?
Why is open data important for scientific research and collaboration?
How can open data empower individuals and communities to make informed decisions?
What role does open data play in encouraging social welfare and civic participation?
What are some major open data sources available in Australia at national, state, and local government levels?
What is de-identification, and why is it important when publishing open data?
What are the key steps involved in de-identifying data before it is released?
How does de-identification help organizations comply with privacy laws such as the APPs or GDPR?
What are the limitations and risks associated with de-identification of open data?
Why must de-identification be treated as a continuous process rather than a one-time action?
Australian Privacy Principles 📝
The Australian Privacy Principles (APPs) are a set of 13 key rules under the Privacy Act 1988 that govern how Australian organizations and government agencies handle personal information. These principles are designed to ensure privacy, transparency, and accountability in the collection, use, storage, and disclosure of personal data.
The 13 Australian Privacy Principles:
Open and Transparent Management of Personal Information – Organizations must manage personal information in an open and transparent way, including having a clearly expressed and up-to-date privacy policy.
Anonymity and Pseudonymity – Individuals must have the option to deal with organizations anonymously or using a pseudonym, unless it is impracticable or contrary to law.
Collection of Solicited Personal Information – Organizations should only collect personal information that is necessary for their functions and do so by lawful and fair means.
Dealing with Unsolicited Personal Information – If unsolicited personal information is received, organizations must determine if it could have been collected under APP 3 and, if not, destroy or de-identify it.
Notification of the Collection of Personal Information – Individuals must be informed when their personal information is collected, including the purpose and any third parties it may be shared with.
Use or Disclosure of Personal Information – Personal information can only be used or disclosed for the purpose it was collected, unless an exception applies.
Direct Marketing – Personal information must not be used for direct marketing unless specific conditions are met, including providing a simple way to opt out.
Cross-border Disclosure of Personal Information – Organizations must take reasonable steps to ensure that overseas recipients do not breach the APPs when personal information is disclosed internationally.
Adoption, Use, or Disclosure of Government Identifiers – Organizations must not adopt, use, or disclose government-related identifiers (like Medicare or passport numbers) except as permitted by law.
Quality of Personal Information – Reasonable steps must be taken to ensure personal information collected is accurate, up-to-date, and complete.
Security of Personal Information – Organizations must take reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure.
Access to Personal Information – Individuals have the right to access their personal information held by an organization, subject to some exceptions.
Correction of Personal Information – Organizations must take reasonable steps to correct personal information to ensure it is accurate, up-to-date, complete, relevant, and not misleading.
APP Activities
Why do the Australian Privacy Principles exist, and what overall purpose do they serve?
How do the APPs balance individual rights with the needs of organizations and government agencies?
What might happen to public trust if organizations consistently fail to follow the APPs?
How do the APPs connect with global privacy frameworks, such as the GDPR?
What kinds of measures should organizations implement to protect personal information, and which APP does this relate to?
In what situations might an individual reasonably choose to deal with an organization anonymously or under a pseudonym, and which APP covers this?
What steps must organizations take before sending personal information overseas, and which APP sets this requirement?
Under what conditions can an organization use or disclose personal information for purposes other than the original collection, and which APP applies?
What steps must organizations take to ensure the personal information they collect is accurate and complete, and which APP governs this?
What limits are placed on organizations when collecting personal information, and which APP is relevant?
What obligations do organizations have if they use personal information for direct marketing, and which APP sets these rules?
Why is it important for organizations to maintain a clear and up-to-date privacy policy, and which APP requires this?
What rights do individuals have to access their personal information, what are the exceptions, and which APP applies?
What information must an organization provide to an individual when collecting their personal information, and which APP outlines this?
How should an organization handle personal information it receives that it did not ask for, and which APP addresses this?
Why are organizations restricted in their use of government-related identifiers such as Medicare numbers, and which APP applies?
How should organizations handle requests to correct inaccurate or misleading personal information, and which APP governs this?