Information Commissioner completes inquiries into I-MED, Harrison.ai and Annalise.ai regarding allegations of sharing personal information. It found the information adequately de-identified

August 7, 2025

De-identification of personal information is critically important where data is being used for research. It has also been the subject of great scrutiny by regulators. The Victorian Information Commissioner produced a paper on the limits of de-identification after it found that Public Transport Victoria breached myki users' privacy by releasing data which exposed myki users' travel history, data which PTV claimed to have de-identified. Academics from Melbourne University proved it wrong: they were able to identify the travel history of themselves and others. Apart from being a breach of the Privacy and Data Protection Act 2014 (Vic), it was embarrassing given the negative publicity. The Office of the Australian Information Commissioner has also released general advice about de-identification.

On 19 September 2024 Crikey published "Australia's biggest medical imaging lab is training AI on its scan data. Patients have no idea". The nub of the article is that I-MED "handed over" scans of potentially hundreds of thousands of patients to a start-up company, Harrison.ai, which would use that data to train artificial intelligence. It posed the question of how the data could be legally used and disclosed to Harrison.ai. It made a number of valid points about the generally cavalier manner in which health organisations treat personal information. The Privacy Commissioner responded with preliminary inquiries under the Privacy Act. Those inquiries have now been closed and a report has been issued.

The key elements of the report are:

  • paragraph 4.2, which sets out the usual two steps of de-identification: removing personal identifiers, and removing or altering other information which may allow a person to be identified;
  • paragraph 5.1, which describes the process adopted by I-MED, which involved
    • segregating the patient data from the underlying dataset,
    • scanning the records with text recognition software,
    • using two hashing techniques (for unique identifiers such as patient ID numbers, and names, addresses and phone numbers),
    • time-shifting dates (to a random date within a specified number of years),
    • aggregating certain fields into large cohorts to avoid identification of outliers, and
    • redacting any text that appears within or within 10% from the boundary of an image scan.
  • paragraph 6.1, which finds that I-MED's practices reflect many of the de-identification practices endorsed by NIST, including:
    • utilising of the 5-Safes Principles,
    • ensuring separation of the Annalise.ai and I-MED environments,
    • utilising a ‘Data Use Agreement Model’,
    • imposing prescriptive de-identification standards,
    • removing or transforming all direct identifiers, and
    • utilising top and bottom coding and aggregation of outliers.
  • paragraph 6.2, which records that in a very small number of instances personal information was shared with Annalise.ai in error due to failures in the de-identification process; Annalise.ai reported them to I-MED and the material was deleted or de-identified.

It is interesting to note that there were incidents in which personal information was shared in error, but they were not notified to the Privacy Commissioner until after she commenced her preliminary inquiries. That is curious. The data was, and is, highly sensitive. While Annalise.ai said it notified I-MED, and the material was subsequently deleted or de-identified, no step was taken to advise the Commissioner prior to her inquiries following the Crikey article, and the report does not say whether either company considered the incidents notifiable. Nonetheless she regarded the patient data as having been de-identified sufficiently.

De-identification will remain a vexed practice. The process must be extensive and thorough so that modern algorithms cannot pick out a pattern or cross-reference the data against outside datasets; that is precisely how the myki data was re-identified, and, as Dr Teague notes in the Crikey article, a chest X-ray combined with age and sex may be enough to narrow identification to a small group even after the text has been stripped. Quantum computing is sometimes raised as a future threat to the hashing used in de-identification, as it is to current public-key encryption, but the practical risk today is classical: linkage of the remaining quasi-identifiers against other data.
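The process summarised in the bullets above (paragraph 5.1 of the report) and the re-identification risk discussed at paragraph 4.3 and in the Crikey article can be made concrete. The following Python is an added example for this page; it is not I-MED's or Annalise.ai's code and is not taken from the OAIC report. The record fields, the custodian key, the three-year shift window and the cohort bands are assumptions, and the boundary redaction simply blanks a border band rather than running text recognition as I-MED's process does. It goes one step beyond the report by adding a k-anonymity count over the fields that survive, to show why the cohort-aggregation step matters.

```python
"""De-identification pipeline for imaging-study metadata, modelled on the steps
the OAIC report lists (keyed hashing, date shifting, cohort aggregation, boundary
redaction), followed by a k-anonymity check over the remaining quasi-identifiers.
Added example: field names, the secret key and all thresholds are assumptions."""
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical custodian-only secret. An unkeyed hash of a short patient number or
# a 10-digit phone number can be reversed by enumerating the whole ID space, so a
# keyed PRF is used and the key never travels with the dataset.
PEPPER = b"custodian-only-secret-never-shared-with-recipient"
SHIFT_WINDOW_DAYS = 3 * 365   # assumed: dates move to a random day within +/- 3 years
BORDER_FRACTION = 0.10        # redact anything within 10% of the image boundary


def _prf(label: bytes, value: str) -> bytes:
    """HMAC-SHA256 under the custodian key; the label separates hashing domains."""
    return hmac.new(PEPPER, label + b"|" + value.encode(), hashlib.sha256).digest()


def pseudonym(patient_id: str) -> str:
    """Hashing technique 1: a stable token per unique ID, so studies of the same
    patient still link inside the dataset without exposing the ID itself."""
    return _prf(b"id", patient_id).hex()[:16]


def hash_contact(value: str) -> str:
    """Hashing technique 2: normalise free-text contact details (case, spaces,
    punctuation) before hashing so spelling variants map to one token."""
    norm = "".join(ch for ch in value.lower() if ch.isalnum())
    return _prf(b"contact", norm).hex()[:16]


def shift_date(patient_id: str, d: date) -> date:
    """Per-patient random offset derived from the PRF: every date belonging to that
    patient shifts by the same amount, so intervals between studies are preserved."""
    raw = int.from_bytes(_prf(b"shift", patient_id)[:4], "big")
    offset = raw % (2 * SHIFT_WINDOW_DAYS + 1) - SHIFT_WINDOW_DAYS
    return d + timedelta(days=offset)


def age_band(age: int) -> str:
    """Top and bottom coding: outliers fold into open-ended bands, the rest into decades."""
    if age < 18:
        return "<18"
    if age >= 85:
        return "85+"
    lo = age // 10 * 10
    return f"{lo}-{lo + 9}"


def region(postcode: str) -> str:
    """Aggregate a four-digit postcode to its first two digits (a coarse region)."""
    return postcode[:2] + "xx"


def deidentify(study: dict) -> dict:
    """Build the shared record from scratch so no direct identifier is carried across."""
    return {
        "token": pseudonym(study["patient_id"]),
        "contact": hash_contact(study["name"] + study["phone"]),
        "sex": study["sex"],
        "age_band": age_band(study["age"]),
        "region": region(study["postcode"]),
        "study_date": shift_date(study["patient_id"], study["study_date"]),
        "modality": study["modality"],
    }


def smallest_cohort(records, keys, id_key) -> int:
    """k-anonymity check: number of distinct patients in the smallest group sharing
    the same quasi-identifier values. k == 1 means a linkage attack against an
    outside dataset (age, sex, area) could single someone out."""
    groups = defaultdict(set)
    for r in records:
        groups[tuple(r[k] for k in keys)].add(r[id_key])
    return min(len(ids) for ids in groups.values())


def redact_border(pixels, fraction=BORDER_FRACTION):
    """Blank the band within `fraction` of every edge, where burned-in text (name,
    date of birth, clinic) usually sits. Real pipelines also OCR the interior."""
    h, w = len(pixels), len(pixels[0])
    bh, bw = max(1, int(h * fraction)), max(1, int(w * fraction))
    return [[0 if (y < bh or y >= h - bh or x < bw or x >= w - bw) else v
             for x, v in enumerate(row)] for y, row in enumerate(pixels)]


# Constructed sample studies (invented people); two patients are elderly outliers.
STUDIES = [
    {"patient_id": "P1001", "name": "Jane Citizen", "phone": "0400 000 001", "sex": "F",
     "age": 34, "postcode": "3000", "study_date": date(2018, 3, 14), "modality": "CR"},
    {"patient_id": "P1001", "name": "Jane CITIZEN", "phone": "0400000001", "sex": "F",
     "age": 35, "postcode": "3000", "study_date": date(2019, 1, 2), "modality": "CT"},
    {"patient_id": "P2002", "name": "Anna Other", "phone": "0400 000 002", "sex": "F",
     "age": 31, "postcode": "3051", "study_date": date(2017, 6, 1), "modality": "CR"},
    {"patient_id": "P3003", "name": "Joan Senior", "phone": "0400 000 003", "sex": "F",
     "age": 88, "postcode": "3052", "study_date": date(2016, 9, 9), "modality": "CR"},
    {"patient_id": "P4004", "name": "Mary Elder", "phone": "0400 000 004", "sex": "F",
     "age": 97, "postcode": "3053", "study_date": date(2015, 2, 2), "modality": "CR"},
]

if __name__ == "__main__":
    shared = [deidentify(s) for s in STUDIES]
    print("raw k =", smallest_cohort(STUDIES, ("sex", "age", "postcode"), "patient_id"))
    print("shared k =", smallest_cohort(shared, ("sex", "age_band", "region"), "token"))
```

Two points the listing makes that the report does not spell out. First, the hashed token is a pseudonym: it lets the recipient link a patient's studies, which is useful for training but means the data is de-identified only in the recipient's context, which is why the contractual controls at paragraph 5.2 carry weight. Second, an unkeyed hash of a patient number or phone number is reversible by enumeration, so the key must stay with the custodian and never accompany the dataset.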

The Crikey article provides:

Australia’s biggest medical imaging lab is training AI on its scan data. Patients have no idea

Australia’s biggest radiology chain I-MED let start-up Harrison.ai use its patient scans to train AI. There’s no public information showing patients consented.

Australia’s biggest radiology company has handed over the private medical scans of potentially hundreds of thousands of patients, without their knowledge, to a start-up company that will use the scans to train artificial intelligence, in what privacy experts say is a practice that the law should protect against.

Australian healthcare technology company Harrison.ai says it is a “US$200 million+ company” backed by some of Australia’s biggest start-up and health names including Blackbird Ventures, Atlassian co-founder Scott Farquhar’s Skip Capital, and the ASX-listed Ramsay Healthcare. Its board includes Tesla chair Robyn Denholm, and both the federal government and the opposition have touted the company. 

Harrison.ai’s flagship product is a tool that can read chest X-rays and help clinicians detect observations like collapsed lungs or stents. The company says this tool, along with a similar one for brain scans, is now “available to one in three radiologists in Australia and clinics in Europe, UK, APAC and US”.

It’s built using an AI model that was trained on 800,000 chest x-rays that were sourced from a “hefty and valuable dataset” from I-MED Radiology Network, Australia’s largest medical imaging provider, as well as a handful of other sources.

What remains unclear is how this enormous trove of sensitive medical data has been legally used or disclosed by I-MED and Harrison.ai.

If the radiology company sought consent from its patients to use their scans to train commercial AI models, there doesn’t appear to be any public evidence and patients do not appear to know about it. Even if it did, the companies’ handling of the data may not satisfy Australian privacy law. Experts say that it’s reasonable to expect Australians would be asked to consent to their sensitive health information being used to train AI for a for-profit company.

“One of the issues we have here is that doctors, particularly specialists, have traditionally thought this is their data. That it’s their property and they can do with it what they like,” said privacy expert Dr Bruce Baer Arnold. “What I think is more fit for purpose in the age of AI is that you are custodian of the data.” 

Neither Harrison.ai nor I-MED responded to several requests for comment by email, text message, phone, LinkedIn message or through intermediaries since Monday this week.

‘A breakthrough’

Harrison.ai was founded in 2018 by Dr Aengus Tran and his brother Dimitry Tran with their creation of an AI model trained to help with embryo selection for IVF. As the company released products for chest X-rays and prostate biopsies, it became a darling of the Australian start-up scene. In 2021, Harrison.ai raised $129 million and is now raising additional funding.

The spark of this runaway success came from its partnership with I-MED, which has 250 radiology clinics across Australia. In 2019, I-MED announced that it was forming a joint venture with Harrison.ai called Annalise.ai to “develop world-leading prediction engines for key imaging modalities”. (Annalise.ai would later be absorbed by Harrison.ai, but remains the name of its product line). 

Key to this deal was data. Dr Tran said the partnership would allow “Harrison.ai to leverage … one of the largest and most diverse medical imaging datasets globally”. I-MED chief medical officer Dr Ronald Shnier said it would be the “most significant anonymised dataset in a medical imaging AI project to date”. 

A 2021 research paper funded by Annalise.ai was published in the prestigious medical journal The Lancet. It heralded the arrival of Annalise.ai’s first tool for analysing chest X-rays, Annalise CXR. It found that radiologists using the technology were just as good or better at picking up 124 “findings” — meaning medical things that were observed like gallstones or shoulder replacements — than unassisted radiologists.

It was a revelation. A letter published by The Lancet welcomed it as a “breakthrough as a support system for radiologists”. It has since been approved for use in more than 40 countries and rolled out to providers in places like the UK, US, Malaysia and Hong Kong. Media swooned over the tool, saying trials showed it could save hundreds of lives a year. Earlier this month, Australia’s Industry and Science Minister Ed Husic cited Harrison.ai as an example of an AI that “doesn’t necessarily pose a risk” as he launched the country’s proposed AI guardrails.  

The data used to train Harrison.ai’s chest X-ray model is fundamental to its success. AI models can only be as good as the data they have been trained on and, across industries, there is a race by tech companies to acquire high-quality data. Harrison.ai has touted its access to this medical data as one of its competitive advantages over other companies. 

“Radiologists tell us they prefer our solution over competitors because it’s not flagging as many false positives. That’s due to the quality and diversity of the training data,” said Lakshmi Gudapakkam, the former CEO of Annalise.ai. 

In more recent public-facing literature about the technology, Harrison.ai is vague about the provenance of the data used to train the chest X-ray model. “782,000+ unique CXR studies … were sourced from broad datasets from three continents”. 

The Lancet study, however, is more straightforward. It lists that 821,681 images from 520,014 cases were provided to train the AI using a number of datasets. The study does not say how many images were from I-MED, only that the I-MED collection was from “hundreds of imaging clinics” between 2004-2019.

Health data is one of the most sensitive types of personal information. The rules around its collection, use and disclosure in Australia are complex and contested, but generally speaking patients must give express consent for its use or should have a reasonable expectation that it would be used for a purpose (like, say, disclosure in case of a life-threatening emergency).

In the case of I-MED, it’s unclear how the company sought consent to use its patients’ data for such a purpose. The company did not respond to repeated requests from Crikey. The company’s terms of service for patients says it handles personal information according to its privacy statement, which does not state data will be used to train AI or shared with another entity to do so. (It does say the company might share data with “research bodies as authorised by Australian law” but that does not seem to fit the classification of a company that is commercialising this data even if it has carried out research). 

Nicole Archer went to get a chest x-ray at I-MED in the mid-2010s and doesn’t recall agreeing to let her data be used to train AI. She told Crikey she was disappointed to find out it’s likely this has happened without her knowledge.

“I’ve come to expect big companies do not have my best interests at heart, but it’s discombobulating to find out they’re using your data (and something so personal) this way,” she said.

Nicole said she likely would have agreed to allow her data to be used in this way if informed, given the potential benefit and her family’s own experiences with cancer. Now that she’s aware, Nicole is less trusting of companies and is reconsidering using I-MED in the future.

She, along with several experts who Crikey spoke to, compared the situation to that of Henrietta Lacks, an African-American woman whose cells were harvested without consent after a medical procedure in 1951. Her cells were found to be able to replicate indefinitely in lab conditions, making them a useful tool for researchers, and have formed the foundation for much of modern medicine and its commercialisation. The use of the so-called “HeLa” cells, and the subsequent publishing of their DNA sequence in 2013, has become a significant controversy in the realms of patient rights and the use of medical data. 

Dr Arnold said using patient data to train AI without the patient’s knowledge was “ethically tacky” even if there were sound legal grounds. 

“I went and got a blood test today. I would be rather unhappy if I found, say, the pathology company was sharing what they claim is anonymised, de-identified, whatever, data about me with unidentified partners,” he said.

Arnold said anonymising data goes some way to protecting the privacy of those people whose scans have been shared as well as dissuading regulatory action, but it doesn’t give companies carte blanche to use and disclose data without consent. 

“The way that business usually gets [around] this is saying ‘we reserve the right to share with our partners’ without saying who … but from a life sciences research perspective, you would want best practice,” he said.

Anonymising a scan doesn’t mean an individual can’t be identified from it, either. The Lancet paper says that training data went through an “automated de-identification process”. 

Dr Vanessa Teague is an ANU cryptographer whose work includes proving that anonymised Medicare and Victorian public transport data can be used to identify individuals. She suggests that chest X-rays, along with details like age and sex, may be enough to narrow identification down to a small group of people.

“The bottom line would be clearly, this is identifiable data at least for some people and possibly for many people,” she said. 

Teague says the legality of disclosing this kind of data is ambiguous. “Is it illegal to hand it over? It may not be but it should be.” 

Unanswered questions

A lot of details remain unknown about Harrison.ai and I-MED’s arrangement. 

The article in The Lancet does not specify who anonymised the dataset, raising questions about how much information was handed over by I-MED and when it was anonymised.  

Harrison.ai’s Annalise.ai tool for head CT scans has been trained on more than 200,000 scans from a “private radiology group in Australia”, according to a 2023 paper. The paper does not specify which radiology group (although it does flag in its conflict of interest section that two of its authors are employed by I-MED). 

Harrison.ai sought and was granted ethics approval for its Lancet article from the Australian University of Notre Dame in 2020. The application and decision were not published, which is normal, and a Notre Dame ethics committee officer referred Crikey’s inquiries for access to the documents to the media team, which never responded.

It’s unclear whether I-MED has any similar arrangements with other tech companies, or other companies, to disclose patient data. Harrison.ai has a joint venture with ASX-listed Sonic Healthcare called Franklin.ai which has developed a tool to analyse prostate biopsy specimens.

Harrison.ai and I-MED did not respond to repeated requests through a variety of channels including: via Harrison.ai’s online contact form, two PR companies representing Harrison.ai, I-MED’s national hotline, and I-MED’s national communications manager’s email, work and mobile phone. 

An I-MED communications manager contacted via LinkedIn directed Crikey to the company’s national communications manager but, once I mentioned that I had repeatedly tried to contact them, they did not respond. 

A representative for Blackbird Ventures told Crikey they would flag our request with Harrison.ai staff and “hope[d] you hear from someone there ahead of your deadline”. 

These questions come at an awkward time for both Harrison.ai and I-MED. Harrison.ai is doing a press blitz for the release of its new AI model and to promote its Series C raise that it reportedly hopes will raise “$100 million-plus”. Meanwhile I-MED’s private equity owners are looking to sell the company for as much as $3 billion, a mammoth price buoyed in part by its “10 million-plus images” and its stake in this AI business. 

Patient data is clearly incredibly valuable, both for research and for a business’ commercial edge. But that doesn’t mean companies should take it without asking their patients, Arnold said.  

“If it will save lives or reduce costs. Love that, give me that choice and I’ll sign it. I’d rather that than this paternalism — I did the scan, it’s my data, I can do whatever I like. Oh, and by the way, I’m going to make a large amount of money.”

The media release provides:

The Office of the Australian Information Commissioner has closed our preliminary inquiries with diagnostic imaging network I-MED Radiology Network Limited (I-MED), Harrison.ai and Annalise.ai.

Our inquiries followed media reports in September 2024 relating to I-MED’s disclosure of medical imaging scans to Annalise.ai, a former joint venture between I-MED and Harrison.ai, a healthcare artificial intelligence company.

Between 2020 and 2022, I-MED provided Annalise.ai with patient data for the purpose of developing and training an artificial intelligence model to enhance diagnostic imaging support services.

The OAIC made inquiries with I-MED, Annalise.ai, and Harrison.ai for the purpose of determining if the Privacy Commissioner should open an investigation under the Act. This included considering whether the allegations suggested a contravention of the Australian Privacy Principles (APPs).

The inquiries focussed on the form and content of the patient data that I-MED provided to Annalise.ai, the process of the data flow, and the steps taken to de-identify the data. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.

Prior to sharing the patient data with Annalise.ai, I-MED processed the data using a number of techniques. It also imposed contractual obligations on Annalise.ai, and developed a Data De-identification Policy and Approach to guide the sharing of patient data.

Based on the information obtained through the preliminary inquiries, the Commissioner was satisfied that the patient data shared with Annalise.ai had been de-identified sufficiently that it was no longer personal information for the purposes of the Privacy Act. The Commissioner therefore ceased the inquiries, and will not be pursuing regulatory action at this time.

While a number of uses of AI are low-risk, developing an AI model is a high privacy risk activity when it relies on large quantities of personal information. This is a source of significant community concern.

The OAIC’s Report into preliminary inquiries of I-MED provides more information on the OAIC’s inquiries and their conclusion. The report is published in the public interest, to inform the community of their outcome, and provides a beneficial example of good privacy practices and how the use of de-identified data may still allow an entity covered by the Privacy Act 1988 (APP entity) to effectively carry out its functions and activities, including with the adoption of new and innovative data-driven technologies.

For more information on the use of AI, see the OAIC’s Guidance on developing and training generative AI models and Guidance on privacy and the use of commercially available AI products.

The report, absent footnotes, provides:

Privacy Commissioner’s foreword

As artificial intelligence technologies advance and the practical and financial barriers to their adoption and diffusion reduce, many entities are grappling with legal and ethical questions. Although there is a live policy and regulatory debate about how the development and use of AI should be regulated, it is also clear that existing laws apply to AI technologies, and that regulated entities must ensure that their use of AI adheres to their legal obligations.

As the country’s privacy regulator, the Office of the Australian Information Commissioner (OAIC) has been unequivocal that the Privacy Act 1988 (Cth) (Privacy Act) applies to the collection, use and disclosure of personal information to train AI models, just as it applies to all uses of AI that involve personal information. While a number of uses of AI are low-risk, developing an AI model is a high privacy risk activity when it relies on large quantities of personal information. As for many uses of AI, this is a source of significant community concern. Generative AI models have unique and powerful capabilities, and certain use cases can pose significant privacy risks for individuals as well as broader ethical risks and harms.

For these reasons, the OAIC (like the Australian community) expects developers to take a cautious approach to these activities and give due regard to privacy in a way that is commensurate with the considerable risks for affected individuals. Developers should take steps to ensure compliance with the Privacy Act, and first and foremost take a ‘privacy by design’ approach when developing or fine-tuning AI models or systems, which may include conducting a privacy impact assessment and taking steps to remove or de-identify personal information from any training dataset.

In October 2024, the OAIC published guidance on privacy when developing and training generative AI models. I have also consistently indicated that AI and other emerging technologies would be a regulatory priority going forward, reflecting the fact that this is an area of significant interest and concern for the community. It was within this context that I decided to make preliminary inquiries into the potential disclosure of patient data, including medical imaging scans, to train a diagnostic artificial intelligence model.

As detailed below, our preliminary inquiries were sufficient to satisfy me that the patient data shared in this instance had been de-identified sufficiently such that it was no longer personal information for the purposes of the Privacy Act. Accordingly, I will not be pursuing regulatory action on this occasion.

This case study shows how good governance and planning for privacy at the start of a new initiative can support an organisation to adopt new and innovative data-driven technologies in a way that protects the rights of individuals.

Developing industries, service delivery adaptations and rapidly developing technologies can be supported by consistent and clear regulatory interventions that promote practices and outcomes that are lawful, reflective of community values and support the implementation of new technologies. This decision provides an example of regulatory intervention and guidance to industry and the community that facilitates those outcomes.

Carly Kind
31 July 2025

1. Summary and background

1.1. I-MED Radiology Network Limited (I-MED) is Australia’s largest diagnostic imaging network, offering medical imaging and radiology services including x-ray, PET, CT, MRI, Nuclear Medicine, Ultrasound, Mammography and interventional procedures. I-MED operates 250 clinics and performs over 6 million patient procedures each year across Australia.

1.2. On 19 September 2024, the OAIC became aware of media publications alleging I-MED had disclosed patient data, including medical imaging scans, to train a diagnostic artificial intelligence model.[1]

1.3. The reports related to the disclosure of medical imaging scans to Annalise.ai, a former joint venture between I-MED and Harrison.ai, a healthcare artificial intelligence company. The joint venture was described by I-MED in a media release announcing the establishment of the joint venture as:

pav[ing] the way for AI technology to improve the delivery of imaging services to patients and health practitioners. This exciting partnership will see radiologists and AI engineers develop world-leading prediction engines for key imaging modalities (such as X-ray, mammography and CT) to assist radiologists to efficiently and accurately diagnose diseases and injuries.

Annalise.ai’s deep neural networks will be trained with millions of labelled anonymised imaging data.

1.4. Between 20 September 2024 and 7 April 2025, the OAIC made inquiries with I-MED, Annalise.ai, and Harrison.ai under s 42(2) of the Privacy Act for the purpose of determining if the Privacy Commissioner (Commissioner) should open an investigation under s 40(2) of the Act. This included considering whether the allegations suggested a contravention of the Australian Privacy Principles (APPs), especially APPs 1, 5 and 6.

1.5. Ultimately, the Commissioner was satisfied that the patient data shared with Annalise.ai was de-identified sufficiently that it was no longer personal information for the purposes of the Privacy Act. The Commissioner therefore ceased the inquiries, but decided to publish this report in the public interest to inform the community of the outcome of the inquiries and as a case study of good privacy practice. It is still open to the Commissioner to commence an investigation of I-MED with respect to these or other practices, and this case study should not be taken as an endorsement of I-MED’s acts or practices or an assurance of their broader compliance with the APPs.

2. Relevant provisions of the Privacy Act

2.1. Section 6FA of the Privacy Act defines ‘health information’ as including relevantly:

a. information or an opinion about:

i. the health, including an illness, disability or injury, (at any time) of an individual; or

ii. …

iii. a health service provided, or to be provided, to an individual;

iv. that is also personal information;

b. other personal information collected to provide, or in providing, a health service to an individual;
….

2.2. Health information about an individual is a special class of personal information designated by section 6 of the Privacy Act as ‘sensitive information’. Sensitive information is generally afforded a higher level of privacy protection under the Australian Privacy Principles (APPs) than other personal information (for example, see APPs 3, 6 and 7). This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual or those associated with the individual.

2.3. For information to be classified as either health information or sensitive information, it must also constitute personal information.

2.4. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. Whether something is personal information depends on whether an individual can be identified or is reasonably identifiable in the relevant circumstances – for instance in the context in which the information is held, used or disclosed.

2.5. Personal information that has been de-identified will no longer be personal information. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable, and therefore no longer meets the definition of personal information.

3. Preliminary inquiries

3.1. The media publications of 19 September 2024, referred to the disclosure of private medical scans to a third party for the purpose of training an artificial intelligence model.

3.2. This alleged practice primarily raised concerns about I-MED’s compliance with APP 6, which requires APP entities only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose if an exception applies or where consent has been obtained. For sensitive information, the secondary purpose must be directly related to the primary purpose for which it was collected.

3.3. On 20 September 2024, the OAIC commenced preliminary inquiries with I-MED, Harrison.ai and Annalise.ai.

3.4. The inquiries focussed on the form and content of the patient data that I-MED provided to Annalise.ai, the process of the data flow and the steps taken to de-identify the data.

3.5. Our enquiries established that:

a.   Between 2020 and 2022, I-MED provided Annalise.ai with patient data for the purpose of developing and training an artificial intelligence model to enhance diagnostic imaging support services.

b.  The patient data included clinical scans and reports from a range of modalities, including X-rays, CT scans and ultrasounds. Patients whose data was provided to Annalise.ai were not notified of this use or disclosure and did not provide their consent.

c.   I-MED contended that notification and consent were not required, as the patient data had been de-identified to the extent that it was no longer personal information, and by implication, the sharing with Annalise.ai was no longer subject to the requirements of the APPs.

4. De-identification of personal information

4.1. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable. De-identified information is not ‘personal information’.

4.2. De-identification involves removing or altering information that identifies an individual or is reasonably likely to do so. Generally, de-identification includes two steps:

    • removing personal identifiers, such as an individual’s name, address, date of birth or other identifying information, and
    • removing or altering other information that may allow an individual to be identified, for example, because of a rare characteristic of the individual, or a combination of unique or remarkable characteristics that enable identification.[2]

4.3. De-identification may not altogether remove the risk that an individual can be re-identified. There may, for example, be a possibility that another dataset or other information could be matched with the de-identified information. The risk of re-identification must be actively assessed and managed to mitigate this risk. Relevant factors to consider when determining whether information has been effectively de-identified could include the cost, difficulty, practicality and likelihood of re-identification.

4.4. Whether a person is ‘reasonably identifiable’ is an objective test that has practical regard to the context in which the issue arises. Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’. An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances.

5. I-MED’s de-identification practices

5.1. Our enquiries established that prior to sharing the patient data with Annalise.ai, I-MED processed the data by:

a.   segregating the patient data from the underlying dataset,

b.   scanning the records with text recognition software,

c.   using two hashing techniques (for unique identifiers such as patient ID numbers, and names, addresses and phone numbers),

d.  time-shifting dates (to a random date within a specified number of years),

e.  aggregating certain fields into large cohorts to avoid identification of outliers, and

f.  redacting any text that appears within or within 10% from the boundary of an image scan.

5.2. Our enquiries also established that I-MED also imposed contractual obligations on Annalise.ai:

a.    prohibiting them from doing any act, or engaging in any practice, that would result in the patient data becoming ‘reasonably identifiable’,

b.   prohibiting them from disclosing or publishing the patient data for any purpose (to prevent wider dissemination of the dataset and accordingly reduce the risk that the patient data may become re-identifiable in the hands of other third parties or the public domain),

c.   requiring them to store the patient data in a secure environment, and

d.   requiring them to notify I-MED if it inadvertently received any patient personal information.

5.3. I-MED also developed a Data De-identification Policy and Approach to guide the sharing of patient data.

5.4. During the course of the preliminary inquiries, I-MED and Annalise.ai provided samples of image scans and other patient data used. A review of these samples by OAIC staff revealed no identifiable personal information.

6. Adequacy of de-identification practices

6.1. Our enquiries established that I-MED’s de-identification practices reflect many of the practices endorsed by the National Institute of Standards and Technology, including:

    • utilising the 5-Safes Principles,
    • ensuring separation of the Annalise.ai and I-MED environments,
    • utilising a ‘Data Use Agreement Model’,
    • imposing prescriptive de-identification standards,
    • removing or transforming all direct identifiers, and
    • utilising top and bottom coding and aggregation of outliers.

6.2. Our enquiries established that between April 2020 and January 2022, I-MED shared less than 30 million patient studies (a study refers to a complete imaging session for a single patient and may include multiple image types, that together represent a single diagnostic episode), and a similar volume of associated diagnostic reports with Annalise.ai. During this time, Annalise.ai proactively identified and reported to I-MED a very small number of instances where personal information had been shared with it in error due to failures in the de-identification process. In both cases, the material was subsequently deleted or de-identified.

6.3. The OAIC’s Privacy Guidance for Organisations and Government Agencies sets out that:

Information will be de-identified where the risk of an individual being re-identified in the data is very low in the relevant release context…Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information will not generally be regarded as personal information.[3]

7. Closure of preliminary inquiries

7.1. Based on the information obtained through the preliminary inquiries, the Commissioner was satisfied that the patient data shared with Annalise.ai had been de-identified sufficiently that it was no longer personal information for the purposes of the Privacy Act. Although the steps taken by I-MED could not entirely remove the risk of re-identification, the Commissioner was satisfied that it reduced that risk to a sufficiently low level and was supported by sound data governance practices. As noted at [6.2] above, there were a very small number of occasions where personal information was unintentionally disclosed, but the Commissioner was satisfied that these were relatively minor incidents that were identified and addressed appropriately by I-MED and Annalise.ai.

7.2. The Commissioner therefore decided to close the preliminary inquiries with no further action.

8. Publication of report

8.1. The Privacy Act envisages circumstances in which it is in the public interest to disclose information acquired in the course of exercising powers such as making preliminary inquiries or undertaking an investigation. Section 33B of the Privacy Act enables the Commissioner to disclose information acquired in the course of exercising powers or performing functions or duties under the Privacy Act, if the Commissioner is satisfied that it is in the public interest to do so.

8.2. Having regard to the matters listed in s 33B(2), the Commissioner decided that publishing this report would be in the public interest. The Commissioner considered that the alignment of practices to develop and train AI models with obligations under the Privacy Act is both an issue of significant public interest and concern. The Commissioner also considered that publishing details of these preliminary inquiries would provide a beneficial example of good privacy practices and how the use of de-identified data may still allow an APP entity to effectively carry out its functions and activities, including with the adoption of new and innovative data-driven technologies.

Crikey reported that
