Consistent with a May decision of the Privacy Commissioner determining that metadata can be 'personal information' under the Privacy Act 1988 (Cth) (theTelstra Case), the Office of the Australian Information Commissioner (OAIC) has released a privacy business resource intended to assist telecommunication companies and ISPs (Telcos) to comply with their obligations in respect of the storage and management of metadata.
The Telecommunications (Interception and Access) Amendment (Data Retention) Act2015 passed the Senate in March 2015. We discussed this in our previous blog post. The legislation mandates that, in general, Telcos must store their customers' metadata for a period of two years from the date of its creation. The OAIC's privacy business resource affirms the Commissioner's view in the Telstra Case, stating that 'retained data [under the legislative scheme] is classified as personal information for the purposes of the Privacy Act and, therefore, must be handled in accordance with the APPs'.
Telstra had previously expressed its dismay at the Commissioner's decision, and appears to be continuing its appeal process against that decision, which they argued could have significant cost implications for Telcos which were not considered when the metadata retention scheme was enacted.