TRANSCRIPT
The traditional way in which organisations have approached personal information is just to ask whether an individual is reasonably identifiable from information. If an individual is reasonably identifiable from that information then the traditional approach is to say that's personal information for the purposes of the Privacy Act and then all of the obligations in the Privacy Act apply. What's changed recently is that the Administrative Appeals Tribunal has handed down a decision in Telstra and the Privacy Commissioner in which the AAT has added a new layer for organisations to consider and that is that organisations need to think about whether information is about an individual. If it is about an individual then it will be personal information, but if it's not about an individual (even if someone's reasonably identifiable from it) then it won't be personal information and the Privacy Act obligations won't apply.
So that was a case about telecommunications metadata and it was an application for access under the Privacy Act to an individual, a journalist's personal information, and what the Tribunal held was that that telecommunications metadata was not about the journalist. And by analogy the Tribunal said it's a bit like a car service history. So, for example, if I get my car serviced it'll have my name on it on the service records but that's not information about me, it's information about my car.
What this means going forward is that you now no longer just need to think about whether an individual can be identified from information, but you also need to go that next step and ask "is it about an individual?". If it's not about an individual then the Privacy Act won't apply. Now this decision of the Tribunal is subject to appeal and the Full Federal Court is expected to hear that in August this year.