On January 23, the Full Federal Court handed down its decision in the Ben Grubb privacy case, ruling that Telstra is not required to supply certain metadata, relating to an individual’s use of mobile services, on request.
Grubb, a former Fairfax journalist, was involved in a legal stoush with Telstra to gain access to metadata associated with his mobile phone service. He filed a complaint with the Privacy Commissioner in August 2013 on the grounds that Telstra refused to provide him with access to some personal information.
The decision identifies a potential hole in the Privacy Act that might enable some entities to argue that regulation doesn’t apply to some systems, processes and information capable of revealing potentially sensitive information about one or many natural persons.
The decision says that the words ‘about an individual’ in the definition of personal information in the Privacy Act (before recent amendments) can be used to prevent individuals from accessing some information held by third parties that may be related to them if it is not ‘about’ them.
Although the Act has been amended, the requirement that personal information must be about an individual remains and the decision remains relevant.
This decision is surprising and would appear to have some serious implications. The court acknowledges that information can have multiple subject matters but seems to say that information is only ‘personal information’ under the Act if it directly describes an individual.
Information that is about something else may not be regulated as personal information even if it gives away something about an individual, their circumstances or property.
There are many systems that contain or betray personal information that do not store information about an individual. The court gave the example of Telstra providing Ben Grubb with the information it has about the colour of his mobile phone and his network type (3G) and says “we do not consider that that information, by itself or together with other information was about him.”
This conclusion is problematic. It must be correct that the colour of a phone is information about the phone and network type is information about a network. But the colour of the phone that you or I might carry, or information about the network we are using, conventionally, is information about you or me.
Lawyers working in this area have generally taken the conventional approach rather than the approach adopted by the court.
Information may be primarily about something else (e.g. a phone or a network) but may nevertheless be informative regarding a particular person. Such information has been regarded as protected personal information whatever the data might be ‘about’ on its face.
The conventional approach is consistent with the objectives of the Privacy Act in protecting the privacy of individuals and avoided technical arguments that required characterising the information only by the subject to which it relates. The fact that information about an individual was collected for one purpose or related only to one subject didn’t seem to matter.
The conventional approach also meant that the very many systems that keep information about something other than an individual but which may also reveal personal information are subject to the security obligation in Australian Privacy Principle 11. The approach taken by the court seems to mean that such systems are not required to be kept secure by the Privacy Act.
The decision does not have major implications for personal information held by telecommunications companies. When introducing metadata retention laws in 2015, the government deemed all information in the set that must be retained as covered by the Privacy Act.
However, the decision would appear to have important implications for data analytics to the extent that complex data sets and the information produced from analytics are more likely to be unregulated until and unless information related to specific individuals is separated or extracted from the data.
Although the judgement only makes a finding on the legal question of whether ‘about’ in the definition of personal information has any substantive operation, the implications of the approach taken by the court in this important decision appear to be significant.
Patrick Fair is a partner at law firm Baker McKenzie.