What counts as "personal information" under the Privacy Act 1988 (Cth)? Many have been watching the Full Federal Court for some guidance in a case involving a telco's metadata.
Unfortunately, its decision in Privacy Commissioner v Telstra Corporation Limited  FCAFC 4 ultimately concerned what the Court described as a “very narrow question of statutory construction” and not “when metadata would be 'about an individual'” - and its decision throws up more questions than answers.
Mr Grubb asks Telstra for his metadata - and is knocked back
In 2013, Ben Grubb, a journalist, asked Telstra for all the metadata that it held about him.
Telstra initially gave Mr Grubb some information, but refused to give him access to its mobile network data, which included metadata such as IP addresses and geolocation data. Mr Grubb then complained to the Privacy Commissioner.
This issue was whether the metadata was "personal information" which Mr Grubb had a right to access under National Privacy Principle 6.1 (NPP 6.1). As the Court would ultimately observe, the concept of “personal information” to which an individual can access under NPP 6.1 is constrained by three requirements:
- the information must be held by the organisation;
- it must be “about” the individual who requested access; and
- it must be about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
The Privacy Commissioner determined that the mobile network data information in question was “personal information” as Mr Grubb’s identity could be reasonably ascertained from the information by using other information held by Telstra.
The Administrative Appeals Tribunal (AAT) disagreed. It said before considering the question of an individual’s identity, there was a “threshold question” of whether the information is “about” an individual. In this case, the AAT considered that the information was “about” the service Telstra provided to Mr Grubb, but not “about” him, and was therefore not personal information.
The Court’s decision on "personal information"
The Privacy Commissioner argued that if an individual’s identity could be reasonably ascertained from the information, it was necessarily “about” an individual.
The Court upheld the AAT's decision. It found that the words “about an individual” cannot be ignored, and direct attention to the need for the individual to be a subject matter of the information, although information could have multiple subject matters. This question requires an “evaluative conclusion” in each case.
It provided some very limited opinion on how to reach such an “evaluative conclusion” (at  to ) but stopped short of ruling on whether the AAT’s “evaluative conclusion” in this case was correct because it wasn’t asked to do so.
Implications for agencies' and organisations' information-handling processes
The decision is unlikely to have any impact on certain metadata holdings of telecommunications companies bound by the mandatory data retention provisions in the Telecommunications (Interception and Access) Act 1979 (TIA Act). This is because section 187LA of the TIA Act deems information that must be retained as being personal information “about an individual” if the information relates to the individual or a communication to which the individual is a party.
For other agencies, businesses or organisations that are covered by the Privacy Act, the decision will have more of an impact.
Since the 2014 amendments to the Privacy Act, the definition of “personal information” has changed to “…information or an opinion about an identified individual, or an individual who is reasonably identifiable…”. NPP 6.1 has been replaced by Australian Privacy Principle 12.1, which although worded differently, is materially the same as NPP 6.1, so the Court’s reasoning is likely to apply to the current provisions.
How this decision will work in practice, however, is less certain. The Court’s decision does little more than confirm the relevant statutory language. It does not offer any real guidance on how to make an “evaluative conclusion” as to whether information is “about an individual”. It could well be that metadata is, in some circumstances, "personal information".
For some APP entities, determining whether information is “about an individual” may present an opportunity to narrow the scope of “personal information” they hold (and therefore limit their regulatory burden).
As we said after the AAT decision, organisations should bear in mind that information may not be personal information:
- merely because it identifies or could identify an individual; or
- because it was brought into existence because of the actions of a particular individual.
However, given the lack of guidance on what it means for information to be “about an individual”, it would be generally prudent for them to continue to give a broader interpretation to personal information.