Victoria: OVIC issues report on AI privacy obligations
The Office of the Victorian Information Commissioner ('OVIC') issued, on 17 April 2021, a guide on the collection, use, and handling of personal information when Victorian Public Sector ('VPI') organisations use AI. In particular, the guide highlights that the increased use of AI to process personal information by VPS organisations, and the associated risks including the risk of discrimination, bias, and inequality, in decision making. In addition, the guide notes for the collection of personal information to be lawful, fair, and not unreasonably intrusive both directly and indirectly, maintaining the Privacy and Data Protection Act 2014 (No. 60 of 2014) ('the Act') still applies when using AI to collect information.
Furthermore, the guide provides that while AI systems may use personal information in the initial stages of implementation such as training, it may not possess the legal authority to use personal information once the AI has been deployed. Accordingly, the guide notes that VPS organisations should update any collection and privacy notices to reflect AI's new use of personal information. In addition, the guide seeks to minimise the risks of AI handling of personal information, providing that information collected, used, and disclosed must be accurate, complete and up to date, while the security of such large amounts of data must also be reasonable in the circumstances. Finally, the guide indicates that a Privacy Impact Assessment should be continually used as the risks and purpose of an AI system used by VPS organisations changes.
You can read the guide here.