In Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 the Full Court of the Federal Court of Australia rejected an appeal by the Privacy Commissioner against a decision of the Administrative Appeals Tribunal that certain mobile network metadata related to an individual’s phone activity was not ‘personal information’ under the Privacy Act 1988 (Cth) to which customers must be given access. Background.
UPDATE 21 February 2017: the Privacy Commissioner has announced that he has decided not to pursue further appeal in this matter.
Essentially the AAT decided that ‘personal information’ must be information ‘about an individual’. Information will not meet the threshold of being ‘about an individual’ merely because an organisation creates the information in order to provide a service to an individual.
The Federal Court Full Court confirmed that “about” was an important restriction on the information that a person could access.In this case it meant the customer was entitled only to access to personal information about him, concerning his telephone service.
In other words, personal information is information or opinion which is about the relevant applicant and from which his identity is apparent or could reasonably be ascertained.
The majority judgment observed that:
“The concept of “personal information” to which an organisation must provide an individual with access is very broad. It encompasses untrue information which is not recorded in any material form. It is, however, constrained by the requirements that: (i) it must be held by the organisation; (ii) it must be “about” the individual who requested access; and (iii) it must be about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion….
if an individual’s request included information in Telstra’s control which was stored across any of 13 databases held by Telstra then in determining whether the individual’s “identity is apparent”, or can reasonably be ascertained, from the information requested, it would be necessary to consider all of the information in totality.
The Privacy Commissioner submitted that if there is information from which an individual’s identity could reasonably be ascertained, and that information is held by the organisation, then it will always be the case that the information is about the individual. In other words, the words “about an individual” would “do no work” and have no substantive operation . We do not accept this submission. Even if the words “about an individual” could be ignored in the definition so that the definition of “personal information” was concerned only with “information or an opinion … from which a person’s identity is apparent …”, the words are repeated separately in the remainder of National Privacy Principle 6.1. The repetition of the words means that they cannot be ignored.
… in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.
In some instances the evaluative conclusion will not be difficult. For example, although information was provided to Mr Grubb about the colour of his mobile phone and his network type (3G), we do not consider that that information, by itself or together with other information, was about him. In other instances, the conclusion might be more difficult. Further, whether information is “about an individual” might depend upon the breadth that is given to the expression “from the information or opinion”. In other words, the more loose the causal connection required by the word “from”, the greater the amount of information which could potentially be “personal information” and the more likely it will be that the words “about an individual” will exclude some of that information from National Privacy Principle 6.1.”