privacy compliance

What is the Meaning of Personal Information

HomePrivate: BlogIP litigation and disputesBreach of confidenceWhat is the Meaning of Personal Information

by

reviewed by

Malcolm Burrows

In the recent case of The Privacy Commissioner v Telstra Corporation Limited [2017] FCAFA 4, the question was raised as to whether the words “personal information” had any bearing on what information an individual could request from an organisation under the Privacy Act 1988 (Cth) (Act).

The question came about in Telstra Corporation Limited v Privacy Commissioner [2015] AATA 991 after it was heard that Mr Grubb had requested from Telstra all personal information in relation to his telephone service.  Telstra provided to Mr Grubb various pieces of information, however refused to give him metadata in relation to his service.  On 1 May 2015 the Privacy Commissioner held that the metadata was “personal information” required to be given to Mr Grubb under the National Privacy Principle (NPP) 6.1.  Telstra took to the court to have the matter determined.

In the trial decision the court held that:

  • the Act applies to the collection of personal information by an organisation collected for inclusion in a record or a generally available publication;
  • NPP 6 required personal information to be disclosed to the person to whom the information relates and that has requested the information except where, compliance by the organisation would:
    • place an unreasonable administration burden on the organisation; or
    • cause the organisation unreasonable expense; and
  • personal information was defined in section 6(1) of the Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Section 187LA of the Telecommunications (Inception and Access) Act 1979 (Cth) later extended the meaning of personal information in relation to telecommunication services.  It states that the Act will apply to information that relates to:

  • the individual; or
  • a communication to which the individual is a party.

It does not require a service provider to keep information that is:

  • the contents or substance of the communication;
  • an address to which the communication was sent on the internet; or
  • any information that passes over the top of the service that they provide.

Counsel for Telstra submitted (and the Court agreed) that:

  • Mr Grubb’s identity was not apparent from, and could not be reasonably be ascertained from, mobile network data in relation to his mobile telephone service;
  • the mobile network data was not “personal information”;
  • providing Mr Grubb with the information requested would have an unreasonable impact upon the privacy of other individuals; and
  • Mr Grubb’s identity was not apparent and could not be easily ascertained when regard was had solely to the mobile network data, as it contained no reference to the customer’s name or telephone number. The only way the identity of an individual could be ascertained from the mobile network data would be to consider and pair it with other information that is not publically available.

The Meaning of the Privacy Principle

Dowsett J reasoned in the appeal, that the “underlying intention of National Privacy Principle 6 is to ensure that a person has access to information held by a relevant entity, which information may become known to third parties”.

It was held that it would be necessary to consider each piece of personal information requested, either individually or in conjunction with other items, to determine if the information is about the individual.  Just as a determination is required to be made as to whether the identity of a person can be reasonably ascertained.

The case did not define when metadata would be about an individual, however held that the words “about an individual” as incorporated in the National Privacy Principle 6 and the Act were substantial in determining what information a company is required to give to an individual who requests their personal data.

Links and further references

Legislation

Telecommunications (Inception and Access) Act 1979 (Cth)
Privacy Act 1988 (Cth)

Australian Privacy Principles

Cases

Telstra Corporation Limited v Privacy Commissioner [2015] AATA 991
The Privacy Commissioner v Telstra Corporation Limited
[2017] FCAFA 4

Further information about privacy compliance

If you are a business and need advice on Privacy Law or your requirements to disclosure information under the National Privacy Principles, contact us for a confidential and obligation free and discussion:


Related insights about privacy compliance

  • What is the Meaning of Personal Information

    What is the Meaning of Personal Information

    Court discussed meaning of “personal info” and when identity can be ascertained. Didn’t define when metadata is personal info, but determined Section 6(1) of the Privacy Act 1988 (Cth) was substantial in making determination.

    Read more …

  • Data Breach Bill 2016 – key data security considerations

    Data Breach Bill 2016 – key data security considerations

    The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has been passed, making notification of data breaches mandatory from 23 February 2018. Find out how this could affect you and what measures you can take to protect your data.

    Read more …

  • Data security – the increasing burden

    Data security – the increasing burden

    The consequences for an Australian business victim for a breach of cyber security are forecast to exponentially increase. In February 2015 the Parliamentary Joint Committee on Intelligence and Security (Committee) recommended the introduction of mandatory data breach notification scheme (Scheme) by the end of 2015.[1] Whilst the details of the incoming Scheme are currently scant,…

    Read more …

  • Revenge porn – legal options

    Revenge porn – legal options

    Revenge porn (Revenge Porn) refers to sexually explicit media that is distributed without the consent of the individual(s) involved.[1]  An act of Revenge Porn therefore involves the recording of video or still images of a person that is usually engaged in sexual acts (Revenge Content) and publishing or threatening to publish it.  A person’s participation…

    Read more …

  • Cupid Media risks privacy of the dateless

    Cupid Media risks privacy of the dateless

    The Privacy Act 1988 (Cth) (Privacy Act) requires entities to take reasonable steps to secure personal information.

    Read more …

  • Getting confidentiality agreements in place

    Getting confidentiality agreements in place

    Part 5 – Planning a business acquisition Confidentiality Agreements (Confidentiality Agreement or NDA’s) are essential in business Acquisitions, particularly if either the Target or Acquirer is subject to the ASX Listing Rules. Whilst generally an equitable obligation of confidence is applicable, a Confidentiality Agreement reduces the obligations of the parties to writing to ensure that…

    Read more …

  • Changes to the Privacy Act commence today!

    Changes to the Privacy Act commence today!

    Changes to the Privacy Act 1988 (Cth) included the introduction of thirteen Australian Privacy Principles (App’s). Learn more about potential civil penalty orders if you are a business with a turnover of over 3 million or more, a health care provider or a business that trades in personal information.

    Read more …

  • Are your privacy practices up to date with the amended Privacy Act 1988 (Cth)?

    Are your privacy practices up to date with the amended Privacy Act 1988 (Cth)?

    Organisations must act ensure compliance with the Privacy Act 1988 (Cth) reforms. Learn more about the thirteen new Australian Privacy Principles (APP’s) the penalties for non-compliance, and the steps you can take to protect your business.

    Read more …

  • Why is a Privacy Act Compliance Audit (PACA) necessary?

    Why is a Privacy Act Compliance Audit (PACA) necessary?

    Understand the implications of the Privacy Act 1988 (Cth) and national privacy principles with the upcoming legislative amendments. Find out what a Privacy Act Compliance Audit (PACA) involves, who should consider it, and the consequences of non-compliance.

    Read more …

Send this to a friend