The Full Bench of the Federal Court has recently provided some guidance on the meaning of the term ‘personal information’, which is a key concept under the Privacy Act 1988 (Cth). In a unanimous decision,1 the Full Bench upheld an Administrative Appeals Tribunal (AAT) decision that found against the Privacy Commissioner, supporting Telstra’s position to withhold certain mobile network data from a customer. The Federal Court decision focuses on how to determine whether information is ‘about’ an individual.
In June 2013, Ben Grubb, a Fairfax journalist, made a request under the Privacy Act for access to “all the metadata information” held by Telstra “about (his) mobile phone service”.
This request was made under the former National Privacy Principles (which have since been replaced by the Australian Privacy Principles, effective from March 2014) that required organisations that are subject to the Privacy Act to provide individuals who request access to personal information about them that is held by the organisation with a copy of that personal information. The definition of ‘personal information’ in the pre-2014 version of the Privacy Act that was the subject of this decision is somewhat different to the equivalent definition in the current version of the Privacy Act, but both definitions include as a key requirement that the information or opinion must be “about an individual” in order to be considered personal information.
In response to his request, Telstra provided Mr Grubb with a range of data (including outgoing calls, SMS and MMS and other billing data relating to his mobile phone service). However, Telstra declined to provide other types of data to Mr Grubb (including in relation to incoming calls, SMS and MMS and other network data retained by Telstra in relation to communications passing through its mobile network) on the basis that such information was not personal information or would unreasonably interfere in the privacy of other individuals. Mr Grubb lodged a complaint with the Privacy Commissioner in relation to Telstra’s failure to provide some of this information to him. The Privacy Commissioner ultimately ordered Telstra to release this information to Mr Grubb. Telstra objected and lodged an appeal with the Administrative Appeals Tribunal (AAT).
The AAT found in favour of Telstra,2 stating that network data used by Telstra to connect Mr Grubb’s mobile phone service was not about Mr Grubb, even if it was generated by his mobile phone. Instead, the AAT considered that the information was about the network used to convey the data and as such, it did not meet the threshold required to be personal information. The Privacy Commissioner appealed the AAT’s decision to the Federal Court, arguing amongst other things, that any data held by an organisation that can be used to identify an individual is necessarily about that person and therefore should be considered personal information.
What did the Federal Court decide?
The Full Bench of the Federal Court upheld the AAT’s approach to defining ‘personal information’. The Court rejected the Privacy Commissioner’s argument, finding that the requirement that the information be ‘about a person’ could not be ignored. A key finding of the Court was that there is a “need for the individual to be a subject matter of the information or opinion” in order for that data to be considered to be personal information. The Court also noted that information can have multiple subject matters and that information that is not about an individual by itself can become information about an individual when that information is combined with other information.
Unfortunately, the decision does not provide any more substantive guidance on what types of data would typically be considered personal information. Beyond providing some brief examples that the colour of an individual’s phone or their network type is not information about an individual, the Federal Court did not consider whether mobile network-related information, including IP addresses, URLs of websites visited or tower locations of incoming calls, would be considered to be personal information.
What you need to know
Being able to determine whether information is personal information is a critical threshold issue for privacy compliance, as the Privacy Act only applies to personal information that is held by an organisation. Information that does not fit within the meaning of personal information is not subject to the requirements of the Privacy Act in relation to the collection, storage, use and disclosure of personal information.
While this decision relates to a previous version of the Privacy Act, we consider that it would be equally applicable to the definition of personal information as found in the current Privacy Act. In essence, this decision means that the meaning of personal information is slightly narrower than might previously have been considered. The statement by the Federal Court that the individual is only required to be a subject matter (and implicitly, not the sole subject matter) of the information or opinion means that organisations should be cautious in relying on this decision as narrowing the scope of their privacy obligations. In practice, while this decision may be of some academic interest, we do not consider that it has resulted in a substantive shift in the privacy law landscape.