This time it’s personal: defining “personal information”

The recent case of Privacy Commissioner v Telstra1 has provided guidance on what will be classed as “personal information” under the Privacy Act 1988 (Cth) (Act).

Background

This case concerned whether Telstra had breached the National Privacy Principles (NPPs) by only providing a customer (Customer) some of the information he sought in a request for access to all his information and metadata stored by Telstra regarding his mobile phone service, including call logs, duration of data sessions and URLs of website visited.2

Telstra advised the Customer that, under privacy laws, it was unable to provide him with metadata regarding locations and details of the numbers called and contacted via SMS. Telstra advised the Customer that he would need a subpoena to access this information.

The decision was dependant upon the construction of the “personal information” and how it should be interpreted.

The Court originally found that Telstra interfered with the Customer’s privacy by failing to provide him with all the information and metadata he had requested.

This was appealed by Telstra to the Australian Administrative Appeals Tribunal, which reversed the earlier decision. The Tribunal found that Telstra was not in breach, as the metadata was not about the individual and so was not “personal information” and therefore did not have to be disclosed.3

The Tribunal’s decision was then appealed by the Office of the Australian Information Commissioner (Commissioner) to the Federal Court. The basis for the Commissioner’s appeal was a concern that ongoing uncertainty as to the meaning of “personal information” would create an unreasonable situation for organisations trying to meet their obligations under the Act, and consequently clarification by a court was desirable.4

Federal Court decision

In early 2017, the Federal Court dismissed the Commissioner’s appeal.5  It found that Telstra had not erred in its disclosure, and the Customer was not entitled to access all metadata as it was not personal information.

The Court clarified the meaning of “personal information” and in particular looked at the words “about an individual” in the definition of “personal information” in the Act. The Court found the words “about an individual” required an individual to be the subject matter of the information in question, and stated that:

… the concept of “personal information” to which an organisation must provide an individual with access is very broad. It encompasses untrue information which is not recorded in any material form. It is, however, constrained by the requirements that:

(i) it must be held by the organisation;

(ii) it must be “about” the individual who requested access; and

(iii) it must be about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.6

The Court held that assessing what is “personal information” depends on the facts of the individual case, including an evaluation of whether, when considered as whole when combined with other information, the individual’s identity was apparent or could be reasonably obtained. The Court concluded that:

… in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.8

The Commissioner has acknowledged that the definition decided upon by the Court is “consistent with how “personal information” has been interpreted by my office” and that it consequently would not appeal.9  The Commissioner is also currently developing a more detailed resource on applying the definition of personal information, to complement the existing APP Guidelines and remove any lingering lack of clarity.

Lavan comment

At the time this dispute first arose, the NPPs had not yet been replaced with the Australian Privacy Principles (APPs). However, the relevant NPP in this case, NPP 6.1, concerning an individual’s right to access personal information an organisation holds about them, is substantially the same as its replacement, APP 12.1.

The decision and consideration of the scope of personal information therefore remains relevant under the APPs.

“Personal information” will not be widely interpreted as including all forms of information in any way related to an individual, such as all metadata. Rather, it refers to information or opinion about a relevant individual and from which their identity is apparent or may reasonably be ascertained.

However, even this definition, and the fact that the Commissioner has accepted it, does not remove all ambiguity. The specific circumstances of each case will be highly relevant in determining whether information is classed as “personal information”.

Whilst the decision confirms that an “evaluative conclusion” must be made as to whether the information is about an individual, it fails to provide any real guidance on how to actually conduct that evaluation.

Given this remaining ambiguity, organisations should be cautious when classifying information as personal information and dealing with it accordingly.

If you are concerned about a possible privacy breach, or require a review of your current privacy policy, please contact Lavan's Intellectual Property and Technology team.

 

 

 

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
AUTHOR
Iain Freeman
Partner


FOOTNOTES

[1] Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017).

[2] Ben Grubb v Telstra Corporation Limited [2015] AICmr 35.

[3] Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017), [6].

[4] Privacy Commissioner, ‘Applicant’s submissions’, Submissions in Privacy Commissioner v Telstra Corporation Limited, VID 38 of 2016, 25 July 2016, 5.  

[5] Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017), [81].

[6] Ibid, [60].

[7] Ibid, [63].

[8] Ibid.

[9] Office of the Australian Information Commissioner (Cth) , ‘Privacy Commissioner v Telstra Corporation Limited Federal Court decision’, (20 February 2017) <https://www.oaic.gov.au/media-and-speeches/statements/privacy-commissioner-v-telstra-corporation-limited-federal-court-decision>.