Metadata is not personal information ‒ and information is not necessarily about an individual simply because a person's identity can be ascertained from it.
"Mobile network data" retained by Telstra was not "personal information" for the purposes of the Privacy Act, according to a decision by Deputy President Forgie in Telstra Corporation Limited and Privacy Commissioner  AATA 991 which overturns a previous determination by the Privacy Commissioner in Ben Grubb and Telstra Corporation Limited  AICmr 35.
The decision emphasises that information will need to be about an individual before it can be classified as "personal information".
Background to the Grubb metadata decision
The decision relates to a June 2013 request by Fairfax journalist Ben Grubb for "all the metadata information Telstra has stored" about his mobile phone service.
Telstra refused to provide Mr Grubb with "mobile network data" connected to his mobile phone service on the basis that the information was not personal information for the purposes of the Privacy Act.
The Privacy Commissioner, at first instance, found that the information was personal information as it was possible and reasonable to ascertain Mr Grubb's identity from the mobile network data.
"Mobile network data"
In its submissions to the Administrative Appeals Tribunal, Telstra described its mobile network data as a collection of recorded transactions that occur between mobile devices and Telstra's mobile network in order to:
- manage the mobility of mobile devices as they move through Telstra's network; and
- establish, maintain or disconnect connections between mobile devices and the destinations that the devices are seeking to communicate with.
Telstra stressed that the mobile network data was retained for network assurance purposes and not for billing customers.
The key question for the Tribunal to decide was whether the mobile network data retained by Telstra was "personal information" for the purposes of the Privacy Act.
"Personal information" is defined in section 6 of the Privacy Act to mean:
"information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not."
This definition also applies to the Freedom of Information Act.
Information "about an individual"
In her decision, Deputy President Forgie noted that the starting point for deciding whether information is personal information is to ask whether the information is about an individual.
In this respect, Deputy President Forgie emphasised that just because information may reveal the identity of an individual, it did not necessarily follow that the information wasabout that individual. Although this point is clear, the Deputy President did not articulate a general test that could be used to determine whether information was about an individual, noting only that:
"Whether information or opinion is about an individual requires an analysis of the subject matter of that information or opinion…"
However, the Deputy President did note that the connection between the person concerned and the information itself would be a relevant factor; the focus of the information and the reason for it being generated were both relevant factors for determining whether the information was about a particular individual.
Was the mobile network data information about an individual?
Mr Grubb contended that the information was necessarily about him because it would not exist if he hadn't made calls or generated SMS text messages.
Despite this argument, the Deputy President noted that the purpose of generating the mobile network data was to support the transmission of his calls and messages. Accordingly, the Deputy President reasoned that the information was not about the content of the call or the message, but about the way in which Telstra delivers the call or message, and was therefore not information about Mr Grubb.
What this means for organisations' information-handling processes
Organisations always should (and usually do) start by characterising information as the first step towards determining whether the information is "personal information". Although the Tribunal emphasised that the information must be about a person, it did not clearly articulate a general test that organisations can apply in order to correctly characterise information. As a result, we'll have to wait for further developments before we can definitively say that your process must change at that first step.
Nonetheless, it does suggest that fewer types of information could fall within the scope of "personal information", and offers some guidance for how information should be characterised. Organisations should bear in mind that information may not be personal information:
- merely because it identifies or could identify an individual; or
- because it was brought into existence because of the actions of a particular individual.
For information to be about an individual, there are at least two relevant factors that should also be considered:
- how the information was used; and
- the reasons for generating the information.