INSIGHT

OAIC releases guidance on meaning of 'personal information'

By Michael Park

In brief

Uncertainty as to what information constitutes 'personal information' under the Privacy Act will be clarified following the release of guidance from the Office of the Australian Information Commissioner. The guide provides insight into how a complaint may be determined and offers key questions for entities to consider. Partner Michael Park, Senior Associate Alice Williams, Lawyer Leah Wickman and Paralegal Natalie Czapski report.

How does it affect you?

  • If you collect, hold, use or disclose information that may be personal information and are currently subject to the Privacy Act 1988 (Cth), or may be subject in the future, the 'What is personal information' guide from the Office of the Australian Information Commissioner (OAIC) will help you to understand your obligations.
  • Following the Federal Court decision in Privacy Commissioner v Telstra [2017] FCAFC 4, in which the court dismissed an appeal against a determination by the Administrative Appeals Tribunal that mobile network data from an individual's phone activity did not constitute personal information (see our Focus: Clarification on the meaning of 'personal information'), there was potentially some uncertainty as to what information constitutes 'personal information' for the purposes of the Privacy Act. The guide helps to alleviate this uncertainty.
  • While not legally binding, the guide provides insight into how the Commissioner may determine if information is 'personal information' where there is a complaint about or investigation into an entity's compliance with the Privacy Act.
  • While the guide provides some useful examples on what may constitute personal information, it does emphasise that the types of information can vary widely and any determination should be made on a case-by-case basis.

Key questions

Entities should consider two key questions when assessing whether information is personal information for the purposes of the Privacy Act:

  • is the information about an individual?
  • is the relevant individual identified, or reasonably identifiable?

Is the information about an individual?

Information will be about an individual where there is a connection between the information and the individual. This is a question of fact, and will depend on the context and circumstances of the case. Information will be 'about' an individual where:

  • the person is a subject-matter of the information or opinion; or
  • the information reveals or conveys a fact or opinion about an individual, where it is not too tenuous or remote.

Is the relevant individual identified, or reasonably identifiable?

An individual is 'identified' when they are distinguishable from all other members of a group of persons, which, under the Privacy Act, involves establishing a link between information and a particular person. This may not necessarily involve identifying the individual by name, provided the information can be linked back to the specific person.

Entities should consider all the relevant contextual factors, including:

  • the nature and amount of information;
  • who will have access to the information; and
  • other information that is available, and the practicability of using that information to identify an individual.

Unsurprisingly, the more information an entity holds or has access to about an individual, the more likely it is that the person will be reasonably identifiable from that information.

Whether a person is reasonably identifiable changes depending on who holds or has access to the information. Where information is publicly released, it is difficult to anticipate who might access the information, what other types of information they might be able to cross-reference that information with, and their motivations for identifying an individual.

Whether a person is reasonably identifiable also depends on whether the entity holding the information can identify the information by cross-referencing it with other available information, including information known to that entity and any publicly available information.

The OAIC notes that where identification is technically possible, entities should consider the likelihood of this occurring, with reference to such factors as:

  • the time and cost of identifying the person;
  • the resources and operational capacity of the entity holding that information; and
  • whether an entity (or person) might be especially motivated to attempt to identify someone.

The feasibility of identifying an individual may change with developments in technology and security, or in changes to the public accessibility of certain records, meaning entities should regularly review their decisions as to whether their information allows identification.

Business information

Information that is only about a business is not generally considered to be 'personal information'. However, an individual's personal information may be so interconnected with information about their business as to constitute personal information about that individual. This might be the case where, for example, the business is owned and managed by a sole trader.

De-identified information

For information to be considered 'de-identified', the information must have a very low risk of re-identification, having regard to all the circumstances identified above. Purportedly de-identified information may be personal information in one context, but not another. For example, if an entity complies with contractual obligations to ensure a particular data-set is not re-identified, then in the hands of that entity, it might not be personal information. However, there would probably be a much higher likelihood of re-identification if that information was publicly released.

The guide notes it may be difficult to determine whether information has been successfully de-identified for the purposes of the Privacy Act, and recommends that entities seek specialist advice when de-identifying information.

OAIC is currently revising its de-identification guidance, with plans to issue this in the near future.

Conclusion

The OAIC guide provides a welcome clarification and indication of what OAIC is likely to consider 'personal information'. Even with the guide, it can be remarkably tricky to determine if something is 'personal information' – we are always here to help with that process.