privacy compliance

What is the Meaning of Personal Information

HomePrivate: BlogIP litigation and disputesBreach of confidenceWhat is the Meaning of Personal Information

by

reviewed by

Malcolm Burrows

In the recent case of The Privacy Commissioner v Telstra Corporation Limited [2017] FCAFA 4, the question was raised as to whether the words “personal information” had any bearing on what information an individual could request from an organisation under the Privacy Act 1988 (Cth) (Act).

The question came about in Telstra Corporation Limited v Privacy Commissioner [2015] AATA 991 after it was heard that Mr Grubb had requested from Telstra all personal information in relation to his telephone service.  Telstra provided to Mr Grubb various pieces of information, however refused to give him metadata in relation to his service.  On 1 May 2015 the Privacy Commissioner held that the metadata was “personal information” required to be given to Mr Grubb under the National Privacy Principle (NPP) 6.1.  Telstra took to the court to have the matter determined.

In the trial decision the court held that:

  • the Act applies to the collection of personal information by an organisation collected for inclusion in a record or a generally available publication;
  • NPP 6 required personal information to be disclosed to the person to whom the information relates and that has requested the information except where, compliance by the organisation would:
    • place an unreasonable administration burden on the organisation; or
    • cause the organisation unreasonable expense; and
  • personal information was defined in section 6(1) of the Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Section 187LA of the Telecommunications (Inception and Access) Act 1979 (Cth) later extended the meaning of personal information in relation to telecommunication services.  It states that the Act will apply to information that relates to:

  • the individual; or
  • a communication to which the individual is a party.

It does not require a service provider to keep information that is:

  • the contents or substance of the communication;
  • an address to which the communication was sent on the internet; or
  • any information that passes over the top of the service that they provide.

Counsel for Telstra submitted (and the Court agreed) that:

  • Mr Grubb’s identity was not apparent from, and could not be reasonably be ascertained from, mobile network data in relation to his mobile telephone service;
  • the mobile network data was not “personal information”;
  • providing Mr Grubb with the information requested would have an unreasonable impact upon the privacy of other individuals; and
  • Mr Grubb’s identity was not apparent and could not be easily ascertained when regard was had solely to the mobile network data, as it contained no reference to the customer’s name or telephone number. The only way the identity of an individual could be ascertained from the mobile network data would be to consider and pair it with other information that is not publically available.

The Meaning of the Privacy Principle

Dowsett J reasoned in the appeal, that the “underlying intention of National Privacy Principle 6 is to ensure that a person has access to information held by a relevant entity, which information may become known to third parties”.

It was held that it would be necessary to consider each piece of personal information requested, either individually or in conjunction with other items, to determine if the information is about the individual.  Just as a determination is required to be made as to whether the identity of a person can be reasonably ascertained.

The case did not define when metadata would be about an individual, however held that the words “about an individual” as incorporated in the National Privacy Principle 6 and the Act were substantial in determining what information a company is required to give to an individual who requests their personal data.

Links and further references

Legislation

Telecommunications (Inception and Access) Act 1979 (Cth)
Privacy Act 1988 (Cth)

Australian Privacy Principles

Cases

Telstra Corporation Limited v Privacy Commissioner [2015] AATA 991
The Privacy Commissioner v Telstra Corporation Limited
[2017] FCAFA 4

Further information about privacy compliance

If you are a business and need advice on Privacy Law or your requirements to disclosure information under the National Privacy Principles, contact us for a confidential and obligation free and discussion:


Related insights about privacy compliance

  • Bill to allow victims of AI deepfakes to sue for emotional damages

    Bill to allow victims of AI deepfakes to sue for emotional damages

    On 24 November 2025, Senator David Pocock introduced a private Senator’s bill, the Online Safety and Other Legislation Amendment (My Face, My Rights) Bill 2025 (Cth) (Bill) to amend the Online Safety Act 2021 (Cth) (Online Safety Act) and the Privacy Act 1988 (Cth) (Privacy Act). 

    Read more …

  • Malcolm Burrows on ABC’s “Legal Eagles” segment – Deepfakes

    Malcolm Burrows on ABC’s “Legal Eagles” segment – Deepfakes

    On 3 December 2025, Malcolm Burrows appeared live on Katherine Feeney’s ABC Radio program, “Legal Eagles” as the Technology and Intellectual Property Lawyer to discuss the proposed amendments to the Online Safety Act 2021 (Cth) through the introduction of the Online Safety and other legislation Amendment (My Face Rights) Bill (Cth) 2025 (My Face Rights…

    Read more …

  • OAIC publishes new guidance for under-16s social media ban

    OAIC publishes new guidance for under-16s social media ban

    On 10 October 2025, the Office of the Australian Information Commissioner (OAIC), led by Privacy Commissioner, Ms Carly Kind, released a twenty-nine (29) page Privacy Guidance on Part 4A (Social Media Minimum Age) of the Online Safety Act 2021 (New Guidance).  This New Guidance details the privacy obligations for Age-Restricted Social Media Platforms (Restricted Platforms)…

    Read more …

  • Aust Clinical Labs fined $5.8mil for failing to report data breach

    Aust Clinical Labs fined $5.8mil for failing to report data breach

    On 8 October 2025, the Federal Court published the judgement of Justice Halley in the case of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (AIC v ACL).  Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million in civil penalties in relation to a 2022 data breach.  This…

    Read more …

  • Federal Government releases report into age verification trials

    Federal Government releases report into age verification trials

    On 31 August 2025, the Australian Government published the Final Report (Report) on the Age Assurance Technology Trial (Trial).  Conducted by the independent Age Check Certification Scheme (ACCS), the Trial offers insights into the technical feasibility, privacy implications, and operational deployment capabilities of various age assurance technologies.  While the Report explicitly states it is neutral…

    Read more …

  • What is the US Take It Down Act?

    What is the US Take It Down Act?

    The Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (Take It Down Act ) is a United States (US) federal law enacted on 19 May 2025. The Take It Down Act amends 47 U.S. Code § 223 (Code) of the Communications Act 1934 (US) (Communications Act) by establishing new…

    Read more …

  • Federal parliament enacts cyber security legislation

    Federal parliament enacts cyber security legislation

    On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.

    Read more …

  • Privacy Act amended to increase penalties to a max of $50 million

    Privacy Act amended to increase penalties to a max of $50 million

    The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent.  The Bill was passed with virtually no amendment.

    Read more …

  • What should APP Entities include in data destruction policies?

    What should APP Entities include in data destruction policies?

    This article summarises the Australian Privacy Principles (APPs) and the importance of having a data destruction policy (DDP) in place. It outlines the steps to take when destroying or deidentifying personal and sensitive information, and the consequences of not doing so.

    Read more …

Send this to a friend