Key points

This decision highlights three aspects of Australian privacy law with ongoing relevance:

  1. information may be personal information regulated by the Privacy Act 1988 (Act) even when the identity of the data subject cannot be ascertained from the information itself;
  2. the complexity of the work required to collect and link personal information to the identity of a data subject does not limit  the rights of a data subject to access and correct any personal information that may be held; and
  3. the risk that a data set, in this case of inbound calls, could contain information that would adversely impact the privacy of others was sufficient to prevent access to such information by the data subject.

Context of complaint

On 15 June 2013, journalist Ben Grubb contacted Telstra claiming a right of access under the Privacy Act to ‘all the metadata information Telstra has stored’ about him in relation to his mobile phone service. Telstra refused to provide the information, and Grubb lodged a complaint with the OAIC claiming that Telstra had breached his rights under the Act.

As the matter relates to events that occurred prior to the Privacy Act reforms which commenced on 12 March 2014, the National Privacy Principles (NPPs) rather than the Australian Privacy Principles (APPs) apply.

The key questions for the Commissioner were:

  1. whether the complainant's metadata held by Telstra constitutes "personal information"; and if so,
  2. whether it was improperly withheld in breach of NPP 6.1.[1]

Prior to the decision, much of the requested metadata had since been provided to the complainant - with the exception of "network data" (IP addresses, URL information, and cell tower location information) and incoming call records - specifically, inbound call numbers.[2]

Network data: personal information that must be provided on request

Under the pre-reform Act, "personal information" is information that is "about" the complainant, from which the complainant’s identity is apparent, or can reasonably be ascertained.[3] On its face, the data was unlikely to be information from which the complainant's identity "is apparent."

However, the Commissioner held that Telstra did and could associate the information with the complainant's identity and, was therefore, personal information. The Commissioner considered both the complexity of the inquiries needed to ascertain the information; and the degree of certainty with which connections between that information and the individual’s identity could be made.[4]

Telstra could ascertain a customer's identity from the data "with a good degree of certainty" by cross-referencing with other data held in their systems, and was already doing so to resolve complaints about connectivity and performance. Telstra also regularly extracts such metadata to provide to law enforcement agencies and national security bodies, receiving and acting upon at least 85,000 such requests in the 2013 financial year.

Relative to Telstra's resources and operational capacities, the process of ascertaining an individual’s identity from the network data was reasonable in the circumstances. Telstra is a large organisation with over 120 staff versed in such data retrieval, who already do so on law enforcement request or to solve connectivity and performance issues. The fact that Telstra had responded to such a large volume of requests in a 12 month period was highly relevant.

Telstra had not demonstrated that the process was "beyond what is reasonable", particularly as it could charge for such access. The network data was therefore personal information under the Act, and Telstra was obliged to provide access.

Incoming call records: unreasonable impact on privacy of others

The inbound call numbers were also personal information "about" the complainant.  as his identity could be identified with certainty in the context of subscriber and call charges records. Law enforcement agencies regularly requested these records.

However, the inbound call numbers were also the personal information of the callers. An exception to the obligation to provide personal information applies where providing access would have an unreasonable impact upon the privacy of other individuals[5], considering:

  1. whether the individuals would expect that their information would be disclosed to a third party, including whether an assurance of confidentiality was provided; and
  2. the extent of the impact on the individuals’ privacy.[6]

Calls being made to a number create an association between the recipient and the caller, and may of itself say something about the parties to the call. Where the creation of such an association is unintentional (i.e. wrong number dialled), any future disclosure of that association is an arbitrary interference with the caller's privacy. Where callers who have not taken active steps to conceal their number (e.g. the use of a silent number or CND or line blocking) have intentionally contacted the recipient, this is less clear.

However, it was not possible for Telstra to identify whether customers contacted the complainant intentionally or unintentionally - whether they disguised their number or not. Accordingly, there was no way for Telstra to edit the information to provide only the numbers of those individuals who do not have a silent line and who intentionally contacted the complainant. Consequently, Telstra could refuse access to all of the inbound call number.

Comment

The Commissioner's finding that the metadata is personal information is not surprising. However, it is interesting that this finding is based on the old definition of personal information.  The definition that was introduced early last year is still wider in scope and would more readily support the Commissioner's treatment of metadata in this context. 

The finding that metadata is personal information has been to a large extent superseded by section 187LA of the Telecommunications (Interception and Access) Act 1979 which became law on 13 April of this year. That provision deems personal information, all metadata required to be retained for law enforcement purposes. The scope of the information to be retained is extensive and covers most if not all of the information sought by Ben Grubb.