This week is Privacy Awareness Week - an annual event promoted by a forum of privacy authorities in the Asia Pacific region (including our own Office of the Australian Information Commissioner (OAIC)). The aim of the week is to shine a spotlight on privacy issues.
Shining our own spotlight on privacy, in this update we look at last week’s landmark privacy ruling against Telstra following a 22-month fight by Fairfax journalist, Ben Grubb, to access his mobile phone metadata.
We also look at the new Privacy Management Framework launched this week by the Privacy Commissioner aimed at guiding organisations through the privacy jungle.
Landmark metadata case: Privacy Commissioner orders Telstra to hand over metadata to journalist
In a significant ruling handed down last week (Ben Grubb and Telstra Corporation Limited AICmr 35), the Privacy Commissioner found that Telstra had breached its privacy obligations by refusing to give customer and Fairfax journalist, Ben Grubb, access to his personal information held by Telstra.
In June 2013, Mr Grubb requested access to all metadata stored by Telstra about him in relation to his mobile phone service. The metadata he sought included cell tower logs (which would indicate his location at the time of the cell activity), inbound call and text details, the duration of data sessions and telephone calls, and the URLs of websites visited.
Telstra responded to the request by informing Mr Grubb that he could access outbound call details and the length of his data usage sessions via online billing. Telstra refused (citing privacy laws) to provide information about his location or the details of inbound callers and texts, and told Mr Grubb that he would need a subpoena to obtain any of the other information he had requested.
In August 2013, Mr Grubb lodged a complaint under the Privacy Act 1988 (Cth) (Privacy Act) with the OAIC claiming that Telstra’s refusal to give him access to his metadata breached privacy laws. The crux of Mr Grubb’s complaint was that Telstra was refusing to give him personal information that it held about him that Telstra would have provided to many government agencies (according to Grubb, ranging from the ATO and the police to the RSPCA).
Telstra defended the complaint - arguing that it was not obliged to hand over the metadata because it was not ‘personal information’ under the Privacy Act. By the time the ruling was handed down, Telstra had provided Mr Grubb with some (but not all) of the information he had requested. Two categories of metadata remained in dispute, broadly described as network data and incoming call records.
More than 20 months after the complaint was lodged, the Privacy Commissioner last week upheld the complaint and ordered Telstra to provide all of the metadata requested by Mr Grubb within 30 business days, with the exception of inbound call numbers.
No compensation was sought, and none was ordered.
In deciding that Telstra had breached its privacy obligations, the Commissioner held that:
- Telstra was obliged under the Privacy Act to provide an individual with access to personal information it held about them unless an exception applied.
- Contrary to Telstra’s arguments, the metadata sought by Mr Grubb was ‘personal information’ as defined in the Privacy Act. Telstra had argued that the metadata in dispute was not ‘personal information’ because Mr Grubb’s identity was not apparent from that data, and could not reasonably be ascertained from it.
- In relation to network data (eg IP address, URL and cell tower information), the Privacy Commissioner found that while Mr Grubb’s identity may not have been apparent on the face of the metadata he was seeking, his identity could be reasonably ascertained by cross-matching the data with other data held by Telstra. Accordingly, the data was personal information and access should have been given.
- In reaching this conclusion, the Commissioner rejected Telstra’s argument that the retrieval process would be lengthy, complex and expensive, noting that Telstra is “a large organisation with many resources at its disposal” and that the process of metadata retrieval was not beyond what was reasonable relative to Telstra’s resources. In support of this finding, the Commissioner pointed to the fact that Telstra responded to around 85,000 requests per year from law enforcement agencies and other regulatory bodies for customer metadata of the type being sought by Mr Grubb.
- Complexity in responding to a request for personal information is not an exception to the requirement to grant access. Complexity is relevant only to estimates of time and cost for providing access.
- In relation to inbound caller information, Telstra relied on the exception to the requirement to provide access that applies where giving access would have an unreasonable impact on the privacy of other individuals (NPP 6.1(c)) (the third party privacy exception). The Privacy Commissioner held that, while inbound caller information was ‘personal information’ about Mr Grubb, Telstra could rely on the third party privacy exception to refuse access to inbound call numbers so as to protect the privacy of third party callers with a silent line or blocked number, or who had dialled a wrong number.
- The Privacy Commissioner considered it appropriate for Telstra to provide the metadata to Mr Grubb free of charge in the circumstances, particularly given that the resolution of the matter was protracted as a result of Telstra sticking to its position that the metadata was not ‘personal information’.
Where to now?
Telstra is appealing the decision. The Communications Alliance, an industry body that represents Australian telecommunications companies, has expressed concern that the ruling extends the definition of ‘personal information’ too far and will drive up privacy compliance costs for telcos.
One matter left outstanding was whether Telstra would have been obliged to provide the content or substance of mobile communications. Since Mr Grubb’s original complaint only related to metadata (which does not extend to content), the Privacy Commissioner was not required to consider this issue.
The complaint was lodged prior to the Australian Privacy Principles (APPs) coming into force and so was decided under the former National Privacy Principles - but given the similar wording of the relevant principle relating to access under the APPs, the outcome is likely to have been the same under the APPs.
Privacy Awareness Week 2015: “privacy everyday”
A key theme of Privacy Awareness Week 2015 is “privacy everyday” – meaning that privacy should be an essential component of everyday life, from internet banking to online shopping and social media.
One of the aims of the week is to highlight the need for organisations to build privacy (the protection of an individual’s personal information) into business planning and processes.
Privacy Management Framework
The OAIC kicked off Privacy Awareness Week by launching a new Privacy Management Framework: enabling compliance and encouraging good practice.
The Privacy Management Framework is aimed at helping private and public sector organisations to meet their ongoing compliance obligations under privacy laws.
Under the Privacy Act, organisations must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. This translates into a continuing obligation to take proactive steps to establish and maintain internal practices, procedures and systems. For example, this includes:
- having procedures in place to identify and manage privacy risks at each stage of the information lifecycle;
- putting in place security systems to protect personal information from misuse, interference and loss and from unauthorised access, modification and disclosure; and
- regular training for staff on how the APPs apply to the particular entity.
Strategies for compliance
The new Privacy Management Framework sets out the steps that the OAIC expects businesses to take to meet their privacy obligations. Four key steps are identified:
- Embedding a culture of privacy that enables compliance:
  - committing to treat personal information as a valuable business asset to be respected, managed and protected;
  - assigning senior members of staff key roles and responsibilities for managing privacy compliance; and
  - implementing reporting mechanisms to ensure senior management are routinely informed about privacy issues.
- Establishing robust and effective privacy practices, procedures and systems:
  - keeping up-to-date information about the types of personal information your business holds (including information held offshore);
  - ensuring your processes address handling personal information in accordance with privacy laws, and making sure staff understand how to handle personal information in their daily duties; and
  - promoting privacy awareness within the organisation by building it into induction and regular training.
- Evaluating privacy practices, procedures and systems to ensure continued effectiveness.
- Enhancing the organisation’s response to privacy issues. This requires a commitment to:
  - regularly reviewing and improving privacy processes and procedures;
  - staying up-to-date with privacy law and changing legal obligations; and
  - analysing the privacy implications of new technologies.