In a recent case involving Telstra, the Full Federal Court has confirmed that personal information must be information about an individual before it will be protected and regulated by the Privacy Act and the Australian Privacy Principles.
This decision prompts the following questions for all Australian businesses:
- Are you a business who holds personal information about your customers or clients?
- Do you know whether the information you are holding is defined as personal?
- Do your sharing, retention and storage policies comply with the Privacy Act?
The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) regulate the collection, use and disclosure of personal information.
To constitute personal information, the information must have a sufficient connection to, and be about, an individual.
Information that is not about an individual will not be regulated by the Privacy Act.
What is personal information?
Under the Privacy Act, personal information is defined as information or an opinion about an identified individual or an individual who is reasonably identifiable.
Whether information or an opinion is about an identified individual is clear enough: a person’s name, photograph, address, telephone number and birth certificate are all examples of information that identifies a particular individual.
The concept of whether an individual is reasonably identifiable from certain information is less clear. It will depend on the circumstances, including: who has the information, what their resources are and what other information they already hold about the individual.
The collection, use and disclosure of personal information by certain entities is governed by the Privacy Act.
Background to the Telstra decision
A journalist, Mr Grubb, requested access to all the metadata regarding his mobile phone held by Telstra, citing the former National Privacy Principle (NPP) 6.1 in making this request.
NPP 6.1 says:
‘if an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual…’
(Note: the NPPs were replaced by the APPs in 2014. An almost identical provision is contained in the current APP 12.1.)
The metadata sought by Mr Grubb included anonymous mobile network data including the IP address, the URLs (web addresses) visited by that IP address, cell tower location information (geolocation), whether a particular call was unanswered and the number of characters in a text message sent or received by a particular device.
Telstra refused access to the metadata for a number of reasons, one being that as the metadata was not personal information, they was not obliged to provide the information under NPP 6.1.
Mr Grubb complained to the Office of Australian Information Commissioner (OAIC), who investigated the complaint and found that Telstra was in breach of its obligations under the Privacy Act by refusing access to the metadata.
Telstra sought a review of that decision by the Administrative Appeals Tribunal (AAT).
- relied on expert evidence which established that identifying an individual from this metadata was theoretically possible, but practically impossible given the immense volume of data that would need to be reviewed to identify the relevant transaction
- found that the metadata in question was information about the service Telstra provides to Mr Grubb (ie, the way in which Telstra delivers a call or a message) but not information about Mr Grubb
- stated that ‘the starting point must be whether the information or opinion is about an individual. If it is not, that is the end of the matter and it does not matter whether that information or opinion could be married with other information to identify a particular individual’
Decision of the Full Federal Court
The OAIC appealed the decision to the Federal Court. The OAIC argued that the words in NPP 6.1 about an individual are redundant, in particular:
‘if there is information from which an individual’s identity could reasonably be ascertained, and that information is held by the organisation, then it will always be the case that the information is about the individual.’
The Full Federal Court did not accept this argument. It held that the use of the words about an individual in the definition of personal information:
‘direct attention to the need for the individual to be a subject matter of the information or opinion.’
This finding was enough to dismiss the appeal. Unfortunately for us, the Court did not consider the question of whether metadata constitutes personal information and whether it is regulated by the Privacy Act.
What personal information does your organisation hold?
This decision is a timely reminder for all organisations to consider:
- the personal information that it collects, uses and holds
- its policies and practices surrounding sharing, retention and storage of data and personal information
- whether these policies and practices comply with the Privacy Act
|Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon as, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.
Liability limited by a scheme approved under Professional Standards Legislation.
©2017 Rigby Cooke Lawyers