Transcript
Background
Are you in the habit of drafting or using information sharing memoranda of understanding or agreements to regulate the sharing of personal information between two agencies? If you are, you will know that an issue that can arise is whether a recipient agency is permitted to use or disclose the shared personal information for another purpose if use or disclosure for that other purpose is permitted by law. Sometimes MOUs and agreements will expressly allow that, and sometimes they will be unhelpfully silent on the point and without expressly prohibiting any forms of secondary use or disclosure.
If your agency or organisation shares personal information in accordance with information sharing MOUs or agreements, perhaps in the past it has been OK with allowing secondary use or disclosure when permitted by law or imposing few qualifications on permissible secondary use or disclosure. That may not be surprising as some forms of secondary use and disclosure permitted by the IPPs are perfectly understandable, such as using or disclosing personal information to prevent or lessen a serious threat to someone’s life or health, or to prevent the commission of a criminal offence.
Why we now need to consider the advent of AI
To my mind, though, and especially when an information sharing MOU or agreement involves personal information entrusted to a government agency or personal information that is sensitive, we now need to consider whether the advent of AI tools and services requires a different approach to permitting secondary use if permitted by law.
Now, why is this important? It’s important because of what the Privacy Act’s information privacy principles 10 and 11 allow. The IPPs allow an agency to use and disclose personal information for a different purpose if the agency believes on reasonable grounds that the information is to be used in a form in which the individual concerned is not identified (and note here use of the word ‘identified’ rather than ‘identifiable’), or is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.
Where an information sharing MOU or agreement does not constrain secondary uses of shared personal information, and there is no legislative constraint on secondary use in specific legislation, these IPP exceptions might be relied on by a recipient agency or organisation to input seemingly anonymised personal information into an AI tool for some other purpose. If section 11 of the Privacy Act applies in relation to the use of the AI tool, the Act deems there to be no disclosure to the AI tool provider and so no IPP11 issue will even arise. If section 11 does apply, IPP11 will apply but the agency or organisation may seek to rely on the IPP11 exception relating to the information being used in a form in which the individuals are not identified.
Now, there are obviously significant privacy risks here, and those risks are probably most profound where the inputted information may be used for further training of the AI model. At the same time, though, there could be situations where a recipient agency or organisation believes it would not be breaching IPPs 10 or 11 to use shared personal information in this way. And indeed, I can see situations where arguments to that effect could well be made.
The point I want to come back to, though, is that there are information sharing MOUs and agreements out there in the wild that do not prohibit this kind of secondary use and disclosure, either because their framers have been content to allow secondary use and disclosure when the Privacy Act or another law allows it, or because questions of secondary use and disclosure were not considered.
Information sharing MOU templates need to be reconsidered in the light of AI
This might sound a bit hyperbolic but, to my mind, all information sharing MOU templates in circulation that would or could allow secondary use and disclosure if permitted by law, now need to be reconsidered in the light of AI.
I am not suggesting that all kinds of secondary use and disclosure permitted by the IPPs need to be prohibited, but I am suggesting that there may be a need to insert a new AI-specific clause into these templates. This new clause would expressly prohibit a receiving agency or organisation from entering shared personal information, including in anonymised form, into an AI tool without the disclosing party’s prior written consent.
I should perhaps add that I’m not saying that every conceivable use of an AI tool by a receiving agency or organisaton should be absolutely prohibited. The point I’m driving at is that if a disclosing agency is sharing personal information it has collected from people with another agency, the disclosing agency should have an opportunity to say yes or no to secondary uses by the receiving agency that involve entry of the shared personal information, even if seemingly anonymised, into an AI tool.
Get in touch
If you’d like to have a chat about what such a clause should look like, feel free to get in touch.