In this edition of From the Bench, Gavin Smith and Michael Pattison, partners at law firm Allens, examine a recent ruling which reinforces the Privacy Act requirement for ‘personal information’ to be information ‘about an individual’. In this case, it was found that Telstra mobile network data from the phone activity of an individual did not meet this requirement.
The case
In June 2013, Fairfax journalist Ben Grubb requested that Telstra provide him with access rights to all ‘metadata’ stored by Telstra about his mobile phone usage on the basis that this data was his ‘personal information’ under the Privacy Act. Telstra provided Mr Grubb with access to some of the data which he requested but refused him access to Telstra mobile network data, including URL, IP address and cell tower location information.
In May 2015, the Commonwealth Privacy Commissioner issued his determination that such information did constitute personal information for the purposes of the Privacy Act and that Telstra had breached the Act by failing to provide Mr Grubb with access to this information. Telstra appealed this decision. On appeal to the AAT, the Privacy Commissioner’s determination was overruled on the basis that Telstra mobile network data from Mr Grubb’s phone activity was not information ‘about an individual’ as such, but rather, information about the way in which Telstra delivers its services. Because this data was not information ‘about an individual’, it could not be characterised as ‘personal information’ under the Privacy Act and did not need to be disclosed to customers like Mr Grubb upon request.
In coming to the conclusion that Telstra mobile network data generated by Mr Grubb’s phone activity was not ‘personal information’, the Deputy President appears to have been influenced by evidence from Telstra that its mobile network data was ‘kept separate and distinct’ from customer databases, rarely linked to these databases and not ordered or indexed by reference to particular customers, their names or telephone numbers. These factors provide some guidance for organisations implementing systems which quarantine databases that contain personal information from those that don’t.
Finally, the AAT considered whether the IP address allocated to Mr Grubb’s mobile device could be characterised as personal information. It was noted that while an IP address is necessarily allocated so that an internet communication can be delivered to a device, such an address is not exclusively allocated to a particular mobile device, nor does one mobile device have a single IP address over the course of its working life. In this case, the IP address was not about Mr Grubb, but about the way in which data was transmitted from his device over the internet and a connection made with another person’s mobile device. The connection to Mr Grubb as an individual was merely transient and therefore the IP address information from Mr Grubb’s phone activity was not characterised as ‘personal information’.
What it means
Organisations will welcome this decision because it reduces the scope of ‘personal information’ which they are required to make accessible to individuals under the Privacy Act 1988 (Cth). Crucially, this decision reinforces that ‘personal information’ must be information ‘about an individual’. Information will not meet this requirement merely because an organisation has the resources and means to link that information to an individual.
It remains to be seen whether the concept of ‘personal information’ as defined under the Privacy Act expands in light of the new data retention laws, which mandate the types of ‘metadata’ which telecommunications service providers must hold and treat as ‘personal information’ subject to the Privacy Act.
We also note in closing that this decision was made with respect to the definition of ‘personal information’ which applied under the Privacy Act prior to 12 March 2014. The changes to the definition of ‘personal information’ since are unlikely to have altered the requirement for personal information to be ‘about an individual’. There is, however, greater scope under the revised definition of ‘personal information’ (which came into force on 12 March 2014) for information to be characterised as ‘personal information’ where it can be linked with other information to identify an individual.
The recent ruling is: Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991 (18 December 2015). We acknowledge the assistance of Associate Priyanka Nair, Lawyer Tom Kavanagh, Summer Clerk Natalie Czapski and Specialist Paralegal Amandine Philippart de Foy in preparing this article.
_________________________________________________________________________________