In a determination released on 4 May 2015[1] the Privacy Commissioner has ordered Telstra to provide Ben Grubb, a Telstra customer and Fairfax reporter, with access to certain metadata it holds about Mr Grubb on the basis that Mr Grubb's identity could "reasonably be ascertained" by Telstra from that information. This determination has far-reaching implications for businesses and government bodies holding data related to an individual, even if that data does not directly identify the individual.
KEY POINTS FOR ORGANISATIONS
- The Privacy Commissioner has found that certain metadata, including IP addresses, URLs of websites visited and mobile phone location data held by Telstra constitutes "personal information" under the Privacy Act.
- Even though the metadata did not directly identify any individual, the Commissioner considered it personal information on the basis that the identity of an individual could "reasonably be ascertained" by Telstra, by Telstra cross-checking multiple databases and system information that it can access.
- Organisations subject to the Privacy Act should be aware that, where information held by the organisation does not directly identify an individual, that information may still be caught by the Australian Privacy Principles where the individual's identity can reasonably be ascertained by the business, even if considerable effort is required to actually identify the individual.
In July 2013 Ben Grubb, a reporter with Fairfax, requested access to all of the "metadata information" that Telstra holds relating to his mobile phone service, under a "right of access" provided under the National Privacy Principles (the NPPs, precursor to the current Australian Privacy Principles, the APPs[2]).
This right of access set out in NPP 6.1 (and its equivalent APP 12) obliges an organisation to give an individual access to all "personal information" that it holds about that individual, subject to some exceptions. Telstra initially refused to provide some of the information Mr Grubb requested.
The Privacy Commissioner's Determination
Mr Grubb lodged a complaint with the Privacy Commissioner in 2013. Conciliation of the matter failed to resolve all the issues. Following a hearing late last year, a determination was released on 4 May 2015. The determination focused on two particular sets of information:
- information relating to inbound callers who had contacted Mr Grubb's phone, particularly the numbers from which calls to Mr Grubb were made (incoming call records); and
- IP addresses, URLs and certain cell tower location information relating to Mr Grubb's use of Telstra services (network data).
Because the NPPs only applied to "personal information" (as do the APPs), Mr Grubb's request for access could only succeed if the incoming call records or the network data could be captured by the definition of "personal information", which included[3]:
"information or an opinion… about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion".
In summary, in relation to the network data:
- Telstra argued that the data was not personal information because the process required to cross-match various pieces of data across a number of databases and systems across the business was not “reasonable”; it would be difficult, time-consuming and costly, requiring specialist expertise and access to Telstra’s systems.
- The Commissioner did not agree, taking into account the fact that Telstra has the technical and operational capability to retrieve that data and the fact that it has provided similar information to law enforcement agencies many times in the past.
- Accordingly, the Commissioner found that the network data could be considered "personal information" because an individual's identity could "reasonably be ascertained" by Telstra from the information, despite the fact that the information on its own contained no directly identifying information.
In relation to incoming call records, the Commissioner found that Telstra was not required to provide access because certain third party information of a personal nature (i.e. the phone number of the caller) would be included and in at least some instances (e.g. callers with silent numbers or callers who called the wrong number), those individuals would not have wanted this information disclosed to Mr Grubb. Providing access to the records would have an unreasonable impact on those individuals' privacy.
The Commissioner found that in not providing Mr Grubb with access to the network data, Telstra breached NPP 6.1 and engaged in conduct interfering with Mr Grubb's privacy.
Review of the Determination
Telstra has indicated its intention to have the decision reviewed, stating that the decision creates uncertainty and could extend to "every single piece of data in our networks". Under the Privacy Act 1988 (Cth), Telstra is entitled to ask the Administrative Appeals Tribunal to conduct an independent merits review of the Commissioner's determination. Telstra could also seek review of the determination by the Federal Circuit Court or the Federal Court of Australia, but the Privacy Commissioner has indicated that he expects Telstra will take the matter to the Administrative Appeals Tribunal.[4]
Implications for Australian Organisations
The Commissioner's finding affects many businesses and government entities that have access to, or collect, customer information, including telecommunications companies, Internet service providers and big-data providers holding large sets of customer data.
While the definition of “personal information” in relation to the APPs is slightly different to the definition that was considered in this case, the decision still shows that, in the Commissioner’s view, the scope of what may be considered “personal information” may be very broad – particularly in the context of a large, well-resourced organisation (like Telstra) that has the ability and resources to match data sets. This could have unintended consequences for businesses handling information which by itself appears "anonymised".
A former Deputy Privacy Commissioner for NSW, Anna Johnston, has reportedly said that "the cautious thing for organisations to do is assume that even 'anonymised' data meets the definition of 'personal information' and thus must be treated in accordance with the Australian Privacy Principles."[5] We think this approach is particularly cautious bearing in mind that the Federal Privacy Commissioner has stressed that the Grubb determination is specific to the context of Telstra's resources and operational capacities,[6] but it illustrates the increasing difficulties businesses face in determining what information may be considered "personal information".
There are also implications for organisations that are in the practice of deliberately de-identifying data about individuals and then treating it as no longer being "personal information". Given the steadily increasing opportunities that may exist to re-identify the data by cross-matching it with other data sets, following the logic of the Grubb determination, in some cases the de-identified data may still be considered personal information and will therefore be subject to the requirements of the Privacy Act.
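The cross-matching the determination describes, and the re-identification risk it creates for "de-identified" data, can be assessed rather than assumed. The following Python is an added example, not code from the determination, from Telstra or from the authors of this note. It uses constructed sample rows: a set of "network data" records (IP address, timestamp, URL, cell identifier) that name no one, plus two hypothetical internal tables of the kind a carrier might hold in separate systems, an IP lease log and a subscriber register. It links the rows back to subscribers the way the Commissioner reasoned Telstra could, and reports a k-anonymity figure and a linkable fraction that an organisation can use to decide whether a data set should be handled as personal information. Table layouts and all values are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed "network data" rows of the kind described in the determination.
# No row carries a name. (Sample values made up for this example.)
NETWORK_DATA = [
    {"ip": "10.0.0.5", "ts": "2015-05-04T09:15:00", "url": "https://example.org/news", "cell_id": "C1"},
    {"ip": "10.0.0.5", "ts": "2015-05-04T09:16:30", "url": "https://example.org/sport", "cell_id": "C1"},
    {"ip": "10.0.0.9", "ts": "2015-05-04T09:20:00", "url": "https://example.net/", "cell_id": "C2"},
    {"ip": "10.0.0.5", "ts": "2015-05-04T18:00:00", "url": "https://example.com/", "cell_id": "C3"},
    # An address with no matching lease: the holder cannot tie this row to anyone.
    {"ip": "10.0.0.77", "ts": "2015-05-04T10:00:00", "url": "https://example.com/", "cell_id": "C2"},
]

# Hypothetical internal tables kept in separate systems: which service held a
# dynamic IP during a window, and who holds each service. (Constructed data.)
IP_LEASES = [
    {"ip": "10.0.0.5", "start": "2015-05-04T09:00:00", "end": "2015-05-04T12:00:00", "service_id": "SVC-1"},
    {"ip": "10.0.0.5", "start": "2015-05-04T12:00:00", "end": "2015-05-05T00:00:00", "service_id": "SVC-2"},
    {"ip": "10.0.0.9", "start": "2015-05-04T00:00:00", "end": "2015-05-05T00:00:00", "service_id": "SVC-3"},
]
SUBSCRIBERS = {"SVC-1": "Subscriber A", "SVC-2": "Subscriber B", "SVC-3": "Subscriber C"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def link_to_subscriber(records, leases, subscribers):
    """Cross-match each network row against the lease log (IP plus time window)
    and then the subscriber register. Returns a list of (row, subscriber_name);
    rows that cannot be linked are omitted."""
    linked = []
    for row in records:
        t = _parse(row["ts"])
        for lease in leases:
            if lease["ip"] == row["ip"] and _parse(lease["start"]) <= t < _parse(lease["end"]):
                name = subscribers.get(lease["service_id"])
                if name:
                    linked.append((row, name))
                break
    return linked


def k_anonymity(records, quasi_identifiers):
    """Smallest number of rows sharing one combination of quasi-identifier
    values. A result of 1 means at least one row is unique in the data set,
    so a single external match would single that individual out."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


def reidentification_ratio(records, leases, subscribers):
    """Fraction of rows the holder can tie back to a named subscriber using
    only tables it already holds."""
    if not records:
        return 0.0
    return len(link_to_subscriber(records, leases, subscribers)) / len(records)


if __name__ == "__main__":
    for row, name in link_to_subscriber(NETWORK_DATA, IP_LEASES, SUBSCRIBERS):
        print(row["ts"], row["url"], "->", name)
    print("k-anonymity on (ip, cell_id):", k_anonymity(NETWORK_DATA, ("ip", "cell_id")))
    print("linkable fraction:", reidentification_ratio(NETWORK_DATA, IP_LEASES, SUBSCRIBERS))
```

Four of the five constructed rows link to a named subscriber, and the (ip, cell_id) combination is unique for several rows, so on the reasoning in the determination this data set would be treated as personal information while the holder also holds the lease log and subscriber register. The same two measures can be run before a de-identified extract is released or shared: a k of 1 or a high linkable fraction means the extract should stay inside the Privacy Act controls rather than being handled as anonymous.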
This determination comes amidst a global shift regarding the control individuals have over their personal information and other changes in the law including the recent Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 and mandatory breach notification laws which the Privacy Commissioner has indicated will likely be introduced later in the year. At the same time, the frequency of data breaches is increasing, complaints to the Privacy Commissioner have doubled over the last 12 months and the Privacy Commissioner's enforcement powers were substantially strengthened last year.