The traditional way in which organisations have approached personal information is just to ask whether an individual is reasonably identifiable from information. If an individual is reasonably identifiable from that information, then the traditional approach is to say, that's personal information for the purposes of the Privacy Act and then all of the obligations in the Privacy Act apply.
What's changed recently is that the Administrative Appeals Tribunal has handed down a decision in Telstra and the Privacy Commissioner in which the AAT's added a new layer for organisations to consider: organisations need to think about whether information is about an individual.
If it is about an individual then it will be personal information, but if it's not about an individual, even if someone's reasonably identifiable from it, then it won't be personal information and the Privacy Act obligations won't apply.
This was a case about telecommunications metadata and it was an application for access under the Privacy Act to an individual, a journalist's, personal information. What the Tribunal held was that that telecommunications metadata was not about the journalist. By analogy, the Tribunal said it's a bit like a car service history ‒ for example, if I get the car service it'll have my name on it, on the service records, but that's not information about me, it's information about my car.
What this means going forward is that you now no longer just need to think about whether an individual can be identified from information, but you also need to go that next step and ask is it about an individual. If it's not about an individual then the Privacy Act won't apply. Now this decision of the Tribunal is subject to appeal and the Full Federal Court is expected to hear that in August this year.