COMP90087 · The Ethics of Artificial Intelligence
Data Governance
Week 10 covers privacy, consent and data rights, and the GDPR principles — with the exam’s signature move being to spot which listed item is NOT a GDPR principle (e.g. “epistemic justice”). The Bunnings/OAIC facial-recognition case grounds the consent, surveillance and evolving-legal-standard debate, and the Myki re-identification case shows that de-identification can fail. Link governance mechanisms back to the accountability and equity ideas from earlier weeks.
What this chapter covers
- 01Data governance (organisational view, Ladley 2012): managing the bodies, policies, principles and quality that ensure access to accurate, risk-free data
- 02“The cloud is someone else’s computer” — governance scales down to your own photos, prompts and CVs; it is about individual rights too
- 03The GDPR seven principles: lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality, accountability
- 04Exam move: identify which listed item is NOT a GDPR principle (e.g. “epistemic justice” is not one)
- 05The Bunnings facial-recognition case: 2024 OAIC ruling (biometric collection without proper consent) and the later tribunal reversal
- 06Consent, proportionality and the sensitivity of biometric data
- 07Myki re-identification (Culnane, Rubinstein, Teague) — de-identification can fail on “anonymised” datasets
- 08“What if Facebook goes down?” (Öhman & Aggarwal) — stewardship of data and digital remains
Spot the non-GDPR principle and justify a facial-recognition verdict
- +1Identify the non-principle. Epistemic justice is NOT one of the GDPR principles — the genuine ones here are purpose limitation, data minimisation, accountability and storage limitation (the full seven also include lawfulness/fairness/transparency, accuracy, and integrity & confidentiality).
- +1Apply a principle to the case. Collecting shoppers’ biometric data without notice or consent breaches lawfulness, fairness and transparency, and likely data minimisation (scanning everyone is more than is necessary) — name the principle and tie it to the specific fact.
- +1Ground it in the case law and its limits. This mirrors the Bunnings matter, where the OAIC ruled in 2024 that collecting biometric data without proper consent interfered with privacy, before a later tribunal review revisited it — illustrating consent, proportionality and evolving legal standards. Note the standard is contested, so avoid overstating a settled rule.
Key terms
- Data governance
- The organisational program (Ladley 2012) that manages the bodies, policies, principles and quality ensuring access to accurate, risk-free data — but the subject stresses it also concerns individual rights over your own data.
- GDPR seven principles
- Lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality, and accountability. The exam tests recognising these and spotting an impostor (e.g. “epistemic justice” is not one).
- Purpose limitation
- The GDPR principle that data collected for one specified purpose should not be repurposed incompatibly. In AI, reusing data to train a model beyond its original purpose is a classic breach.
- Data minimisation
- The GDPR principle that you should collect only the data necessary for the stated purpose — breached, for example, by scanning every customer’s face when far less data would do.
- Bunnings facial-recognition case
- The OAIC ruled in 2024 that the retailer’s facial recognition collected biometric data on hundreds of thousands of customers without proper consent, interfering with privacy; a later tribunal review revisited the position — a case study in consent and evolving standards.
- Re-identification (Myki case)
- Culnane, Rubinstein & Teague showed a “de-identified” Melbourne transport dataset could re-identify individuals — evidence that anonymisation is fragile and de-identification can fail.
Data Governance FAQ
What’s the exam trick with the GDPR principles?
The item lists several plausible-sounding options and asks which is NOT a GDPR principle. The seven real ones are lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality, and accountability — so a term like “epistemic justice” (real ethics, wrong list) is the impostor. Learn the seven and the distractor jumps out.
Why does the subject say ‘the cloud is just someone else’s computer’?
To make the point that data governance is not only a big-organisation concern: your emails, photos, CVs and LLM prompts sit on someone else’s infrastructure, so questions of access, accuracy, storage, consent and rights apply to individuals too. It reframes governance from a corporate compliance topic into a personal-rights one.
How should I use the Bunnings case in an answer?
Use it to illustrate consent, the sensitivity of biometric data, proportionality, and how legal standards evolve: the OAIC found in 2024 that collecting facial data without proper consent interfered with privacy, and a later tribunal review revisited that outcome. Describe the consent problem and the shifting standard rather than asserting a single fixed rule — the point is that the law is moving.
Can AI help me revise data governance for COMP90087?
Yes. Sia can quiz you on the seven GDPR principles (and the common impostor), rehearse applying a principle to a facial-recognition scenario, and check that you describe the Bunnings case accurately — explaining each step. It mirrors how the University of Melbourne assesses this and does not complete graded work; the subject’s integrity and GenAI rules apply.
Exam move
Memorise the seven GDPR principles as a set so the “which is NOT one” MCQ becomes trivial — the planted distractor is usually a real ethics term from another week. Practise applying one or two principles (lawfulness/transparency, data minimisation, purpose limitation) to a surveillance or data-reuse scenario, and keep the Bunnings and Myki cases ready as citable illustrations of consent and fragile de-identification. Connect governance back to accountability (W7) and equity (W9) so you can write a joined-up essay. Because the exam is a closed-book hurdle, drill the principle list into recall now.
Working through Data Governance in COMP90087? Sia is AskSia’s AI AI Ethics tutor — ask any COMP90087 Data Governance question and get a clear, step-by-step explanation grounded in how COMP90087 is taught and assessed. Read this chapter free, then take your hardest questions to Sia.