What is not ‘personal information’?

6.64 As well as considering what information falls within the definition of ‘personal information’ for the purposes of the Privacy Act, it is also important to consider what information would fall outside the definition on the basis that it is not ‘about an individual whose identity is apparent or can reasonably be ascertained’.^[70] The OPC Review identified a number of problems in this area. Stakeholders, particularly those involved in research, stated that it was difficult to determine when information was ‘de-identified’ for the purposes of the Privacy Act.^[71] In response, the OPC Review stated that:

As part of a wider inquiry into the Privacy Act, the issue of what is or is not de-identification could be considered. This is an important threshold issue which determines whether or not information is protected. Developments in technology have made it increasingly difficult to determine whether information is de-identified or not. In the meantime, the Office could provide guidance on this, which would help HRECs [Human Research Ethics Committees] and researchers in their decision making.^[72]

6.65 There is a strong public interest in the collection, use and disclosure of personal information that has been ‘de-identified’ for activities such as research. That is not to suggest that individuals have no interest in such information about them, but that the individual’s interest in the information may at some point give way to the broader public interest in being able to use the information freely.

6.66 The EU Directive makes clear that the privacy principles do not apply to information that has been ‘rendered anonymous’ so that individuals are no longer identifiable. The Directive suggests that codes of conduct may be necessary to provide guidance on ways in which information can be ‘rendered anonymous’ and retained in a form in which identification is no longer possible.^[73]

6.67 The National Health and Medical Research Council (NHMRC), the Australian Research Council and the Australian Vice Chancellors Committee also considered this issue in the context of producing the revised National Statement on Ethical Conduct in Human Research (the National Statement).^[74] The National Statement makes a distinction between individually identifiable data, re-identifiable data and non-identifiable data as follows:

Data may be collected, stored or disclosed in three mutually exclusive forms:

• individually identifiable data, where the identity of a specific individual can reasonably be ascertained. Examples of identifiers include the individual’s name, image, date of birth or address;

• re-identifiable data, from which identifiers have been removed and replaced by a code, but it remains possible to re-identify a specific individual by, for example, using the code or linking different data sets;

• non-identifiable data, which have never been labelled with individual identifiers or from which identifiers have been permanently removed, and by means of which no specific individual can be identified. A subset of non-identifiable data are those that can be linked with other data so it can be known that they are about the same data subject, although the person’s identity remains unknown.

This National Statement avoids the term ‘de-identified data’, as its meaning is unclear. While it is sometimes used to refer to a record that cannot be linked to an individual (‘non-identifiable’), it is also used to refer to a record in which identifying information has been removed but the means still exist to re-identify the individual. When the term ‘de identified data’ is used, researchers and those reviewing research need to establish precisely which of these possible meanings is intended.^[75]

Issues Paper questions

6.68 In Issues Paper 31, Review of Privacy (IP 31), the ALRC asked whether the Privacy Act, like the National Statement, should include definitions of terms such as ‘re-identifiable’ and ‘non-identifiable’ and whether a distinction should be drawn between identifiable personal information and re-identifiable personal information.^[76]

6.69 In response, the Western Australian Department of Health suggested that, in the context of the Privacy Act, there are only two relevant categories of personal information:

• reasonably identifiable personal information; and
• non-identifiable information.^[77]

6.70 The Department’s view was that ‘reasonably identifiable personal information’ includes information linked with an individual’s name, image, date of birth or address; information that contains a unique personal identifier when the holder of the information also has the master list linking the identifiers to individuals; information that the holder can merge or link to other information they already hold, enabling them to identify individuals; and aggregated information where individuals can be identified because of the small number of individuals in particular fields of information.

6.71 The Department stated that ‘non-identifiable information’ includes information that has never been labelled with individual identifiers or from which they have been permanently removed; and information that contains a unique personal identifier where the holder cannot link the information to a specific individual because they do not hold the master list linking the identifiers to individuals.^[78]

6.72 The Department also made the point that identifiability is contextual: information that is identifiable to the original holder of the information may be non-identifiable to a recipient of the information. For example, information that contains a unique personal identifier is not identifiable to a recipient who does not hold the master list. This is the basis of the data linkage protocol adopted by the DLU in Western Australia, discussed further in Chapter 66. Other stakeholders agreed that the use of independent intermediaries means that the information in the hands of data recipients should not be classified as ‘re-identifiable’ but, for the purposes of the Privacy Act, should be considered ‘non-identifiable’.^[79]

6.73 The Australian Government Department of Health and Ageing (DOHA) noted the need for guidance on the meaning of terms such as ‘identified’, ‘re-identifiable’, ‘non-identifiable’ and ‘de-identified’ but did not believe the terms needed to be defined in the Privacy Act.^[80] Other stakeholders felt that definitions would be helpful, with some noting the importance of maintaining consistency with the National Statement.^[81]

6.74 Some stakeholders expressed the view that no distinction should be drawn between ‘identifiable’ and ‘re-identifiable’ personal information in the context of the Privacy Act.^[82] The Australian Privacy Foundation stated that:

Health researchers have constructed elaborate mechanisms to allow data linkage, which provide a degree of protection but do not amount to de-identification. Information either is or is not actually or potentially identifiable. The ALRC should be wary about legitimizing the idea that there can be an intermediate category.^[83]

Discussion Paper proposal

6.75 In DP 72, the ALRC agreed with the position put by the Western Australian Department of Health, and expressed the view that it is unnecessary to include definitions of the terms ‘re-identifiable’ and ‘non-identifiable’ in the Privacy Act. The relevant categories of information, for the purposes of the Act, are information that is about an ‘identified’ individual and information about a ‘reasonably identifiable’ individual. All other information falls outside the definition of personal information and is not covered by the Act. The ALRC proposed that the Privacy Commissioner issue guidance on the meaning of ‘not reasonably identifiable’.^[84]

Submissions and consultations

6.76 In response to DP 72, the Australian Privacy Foundation expressed the view that, even if ‘significant effort is required’ to identify individuals from information or a dataset, the data is ‘reasonably identifiable’. The Foundation noted that many agencies and organisations have the resources to make such ‘significant efforts’. In addition, advances in technology mean that re-identifying individuals is becoming easier. The Foundation suggested that the guidance to be issued by the Privacy Commissioner should recommend that information be rendered non-identifiable wherever possible, and ensure that the practical and technological implications of changes in this area are assessed fully.^[85]

6.77 Medicare Australia noted that it categorised personal information as ‘statistical’, ‘identified’, and ‘identifiable’, and that the agency has developed internal guidelines to assist with decisions regarding release of information as follows:

• statistical information—there is no reasonable likelihood that the person who receives the information could identify any individuals, through analysis of the information either by itself or in association with other information available to the user;
• identified information—includes any unique or specific identifiers, such as names, addresses, or case numbers that can be linked to other identifiers by the user; and
• identifiable information—does not include identifiers but analysis of the information either by itself or when linked to other information available to the user might lead to the identification of individuals.^[86]

6.78 The Australian Government Department of Human Services explained that, in deciding whether to disclose de-identified personal information to researchers, Medicare Australia carefully considered what was released in order to ensure that individuals could not be identified or re-identified. This consideration included examining what other information researchers were collecting and considering whether that information could be linked with information released by Medicare Australia in a way that would enable researchers to identify individuals.^[87] A number of other stakeholders also suggested that it was necessary to consider each disclosure on a case-by-case basis to avoid releasing information that might identify an individual, for example, because of the small number of individuals in the data set.^[88]

6.79 The Australian Bureau of Statistics (ABS) and other agencies employ a range of techniques to minimise the risk of disclosing information that might be used to identify individuals. These include data suppression, data rounding and category collapsing. Detailed categories such as country of birth or industry or occupation can be collapsed to a less detailed level to avoid the risk of identification. Such techniques, however, can have a negative impact on the usefulness of data as some detailed data may need to be suppressed or modified.^[89] The National Statistical Service Handbook provides guidance on these matters for Australian and state and territory government agencies.^[90]

6.80 The CSIRO referred in its submission to the extremely detailed guidance provided in s 164 of the Health Insurance Portability and Accountability Act 1996 (US) (HIPA Act), which provides a number of tests to determine when information is not ‘individually identifiable health information’. The first test allows ‘a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable’ to determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify an individual who is a subject of the information.^[91]

6.81 An alternative test in the legislation expressly sets out a long list of identifiers that must be removed to render the information not individually identifiable. The list includes: names; all geographic subdivisions smaller than a State; all elements of dates related to an individual apart from year; telephone and fax numbers; electronic mail addresses; social security numbers; medical record numbers; web Universal Resource Locators; IP address numbers; and so on. In addition, the relevant entity must not have actual knowledge that the information could be used alone or in combination with other information to identify an individual.^[92]

6.82 In response to the ALRC’s proposal that the Privacy Commissioner should issue guidance on the meaning of ‘not reasonably identifiable’, the Victorian Health Services Commissioner stated that such guidance will be necessary because the issue is contextual and must be decided on a case-by-case basis.^[93] A number of other stakeholders, including the OPC, agreed.^[94]

ALRC’s view

6.83 In the ALRC’s view, it is unnecessary to include definitions of ‘re-identifiable data’ and ‘non-identifiable data’ in the Privacy Act. For the purposes of the Act it is necessary to decide whether information is about ‘an identified or reasonably identifiable individual’. This decision will always be contextual and will have to be considered on a case-by-case basis. This includes making a distinction between information that may be ‘re-identifiable’ or reasonably identifiable in a particular context—for example, where an agency or organisation holds information identified by a unique identifier and also holds the master list—but is not reasonably identifiable for the purposes of the Act in another context—for example, where an agency or organisation holds information identified by a unique identifier but does not hold and does not have access to the master list.

6.84 The ALRC notes that this last category of information falls into the National Statement’s ‘non-identifiable’ category. For the purposes of the Privacy Act, however, it is sufficient to regard the information as ‘not reasonably identifiable’. If the risk of identification from particular information in a particular context is very small, a decision will have to be taken as to whether, on objective grounds, the information is ‘reasonably identifiable’.

6.85 Guidance provided by the Privacy Commissioner would be of great value to those making decisions on a case-by-case basis on these matters. Such guidance might refer to or include guidance of the sort provided in the National Statistical Service Handbook^[95] or the provisions of the HIPA Act discussed above. Developing and publishing guidance, rather than making legislative rules, allows a more flexible and nuanced response to particular situations.

6.86 In Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96),^[96] the ALRC and the Australian Health Ethics Committee (AHEC) of the NHMRC considered the use of independent intermediaries to hold codes linking genetic samples or information with identifiers. The ALRC and AHEC concluded that use of an independent intermediary (such as a ‘gene trustee’) is an effective method of protecting the privacy of samples and information held in human genetic research databases. The system maintains the privacy of samples and information, while allowing donors to be contacted if necessary. It ensures that anyone who obtains access to samples and information is unable to re-identify them without the authorisation of the gene trustee.^[97]

6.87 This kind of arrangement might also provide appropriate protection in relation to other personal information, but this will depend on the arrangements established between data custodians, intermediaries and data recipients. If appropriate arrangements are put in place, such that data recipients are not able to identify individuals, the information held by the data recipient is likely to be not reasonably identifiable in that context and no longer ‘personal information’ for the purposes of the Privacy Act.