University of Melbourne · FACULTY OF AI ETHICS

COMP90087 · The Ethics of Artificial Intelligence

- one subject, every graph, every model, every mark
AI Ethics14 Chapters7-page Bible
Our own words - no uploaded lecturer files
Updated for this semester
Chapter 10 of 13 · COMP90087

Data Governance

Week 10 covers privacy, consent and data rights, and the GDPR principles — with the exam’s signature move being to spot which listed item is NOT a GDPR principle (e.g. “epistemic justice”). The Bunnings/OAIC facial-recognition case grounds the consent, surveillance and evolving-legal-standard debate, and the Myki re-identification case shows that de-identification can fail. Link governance mechanisms back to the accountability and equity ideas from earlier weeks.

In this chapter

What this chapter covers

  • 01Data governance (organisational view, Ladley 2012): managing the bodies, policies, principles and quality that ensure access to accurate, risk-free data
  • 02“The cloud is someone else’s computer” — governance scales down to your own photos, prompts and CVs; it is about individual rights too
  • 03The GDPR seven principles: lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality, accountability
  • 04Exam move: identify which listed item is NOT a GDPR principle (e.g. “epistemic justice” is not one)
  • 05The Bunnings facial-recognition case: 2024 OAIC ruling (biometric collection without proper consent) and the later tribunal reversal
  • 06Consent, proportionality and the sensitivity of biometric data
  • 07Myki re-identification (Culnane, Rubinstein, Teague) — de-identification can fail on “anonymised” datasets
  • 08“What if Facebook goes down?” (Öhman & Aggarwal) — stewardship of data and digital remains
Worked example · free

Spot the non-GDPR principle and justify a facial-recognition verdict

Q [3 marks]. An exam item lists candidate “GDPR principles” — purpose limitation, data minimisation, epistemic justice, accountability, storage limitation — and asks which is NOT one. It then asks you to apply a GDPR-style principle to a retailer scanning customers’ faces without asking. Answer both. (3 marks.)
  • +1Identify the non-principle. Epistemic justice is NOT one of the GDPR principles — the genuine ones here are purpose limitation, data minimisation, accountability and storage limitation (the full seven also include lawfulness/fairness/transparency, accuracy, and integrity & confidentiality).
  • +1Apply a principle to the case. Collecting shoppers’ biometric data without notice or consent breaches lawfulness, fairness and transparency, and likely data minimisation (scanning everyone is more than is necessary) — name the principle and tie it to the specific fact.
  • +1Ground it in the case law and its limits. This mirrors the Bunnings matter, where the OAIC ruled in 2024 that collecting biometric data without proper consent interfered with privacy, before a later tribunal review revisited it — illustrating consent, proportionality and evolving legal standards. Note the standard is contested, so avoid overstating a settled rule.
Epistemic justice is not a GDPR principle (purpose limitation, data minimisation, accountability and storage limitation are). Applied to a retailer scanning faces without asking, the conduct breaches lawfulness/fairness/transparency and data minimisation — echoing the Bunnings case, where the OAIC found biometric collection without proper consent interfered with privacy, though the legal position later shifted on review.
Sia tip — For the “which is NOT a GDPR principle” MCQ, learn the seven so the impostor stands out — the planted distractor is usually a real ethics term from another week (like epistemic justice) rather than something obviously fake. When you cite Bunnings, describe consent and the evolving standard rather than asserting a fixed legal outcome.
Glossary

Key terms

Data governance
The organisational program (Ladley 2012) that manages the bodies, policies, principles and quality ensuring access to accurate, risk-free data — but the subject stresses it also concerns individual rights over your own data.
GDPR seven principles
Lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality, and accountability. The exam tests recognising these and spotting an impostor (e.g. “epistemic justice” is not one).
Purpose limitation
The GDPR principle that data collected for one specified purpose should not be repurposed incompatibly. In AI, reusing data to train a model beyond its original purpose is a classic breach.
Data minimisation
The GDPR principle that you should collect only the data necessary for the stated purpose — breached, for example, by scanning every customer’s face when far less data would do.
Bunnings facial-recognition case
The OAIC ruled in 2024 that the retailer’s facial recognition collected biometric data on hundreds of thousands of customers without proper consent, interfering with privacy; a later tribunal review revisited the position — a case study in consent and evolving standards.
Re-identification (Myki case)
Culnane, Rubinstein & Teague showed a “de-identified” Melbourne transport dataset could re-identify individuals — evidence that anonymisation is fragile and de-identification can fail.
FAQ

Data Governance FAQ

What’s the exam trick with the GDPR principles?

The item lists several plausible-sounding options and asks which is NOT a GDPR principle. The seven real ones are lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality, and accountability — so a term like “epistemic justice” (real ethics, wrong list) is the impostor. Learn the seven and the distractor jumps out.

Why does the subject say ‘the cloud is just someone else’s computer’?

To make the point that data governance is not only a big-organisation concern: your emails, photos, CVs and LLM prompts sit on someone else’s infrastructure, so questions of access, accuracy, storage, consent and rights apply to individuals too. It reframes governance from a corporate compliance topic into a personal-rights one.

How should I use the Bunnings case in an answer?

Use it to illustrate consent, the sensitivity of biometric data, proportionality, and how legal standards evolve: the OAIC found in 2024 that collecting facial data without proper consent interfered with privacy, and a later tribunal review revisited that outcome. Describe the consent problem and the shifting standard rather than asserting a single fixed rule — the point is that the law is moving.

Can AI help me revise data governance for COMP90087?

Yes. Sia can quiz you on the seven GDPR principles (and the common impostor), rehearse applying a principle to a facial-recognition scenario, and check that you describe the Bunnings case accurately — explaining each step. It mirrors how the University of Melbourne assesses this and does not complete graded work; the subject’s integrity and GenAI rules apply.

Study strategy

Exam move

Memorise the seven GDPR principles as a set so the “which is NOT one” MCQ becomes trivial — the planted distractor is usually a real ethics term from another week. Practise applying one or two principles (lawfulness/transparency, data minimisation, purpose limitation) to a surveillance or data-reuse scenario, and keep the Bunnings and Myki cases ready as citable illustrations of consent and fragile de-identification. Connect governance back to accountability (W7) and equity (W9) so you can write a joined-up essay. Because the exam is a closed-book hurdle, drill the principle list into recall now.

Working through Data Governance in COMP90087? Sia is AskSia’s AI AI Ethics tutor — ask any COMP90087 Data Governance question and get a clear, step-by-step explanation grounded in how COMP90087 is taught and assessed. Read this chapter free, then take your hardest questions to Sia.

A+Everything unlocked
Unlocks this Bible + all 14 of your University of Melbourne subjects - and 1,000+ Bibles across every Australian university.
Sia - your COMP90087 tutor, unlimited, worked the way the exam marks it
The full 7-page Bible + practice bank with worked solutions
Chrome extension - sync your LMS so Sia knows your deadlines
Bilingual EN / Chinese on every Bible and every Sia answer
$25/ month
30-day money-back · cancel in one tap · how it works
Unlock the full COMP90087 Bible + 14 University of Melbourne subjects解锁完整 COMP90087 Bible + University of Melbourne 14 门科目
$25/mo