16.08.2010
6.2 Central to the regime established by the Privacy Act is the definition of ‘personal information’. This is because the privacy principles only apply to personal information as defined by the Act. The current definition of personal information is the same as that found in the original 1988 Act, that is:
information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.[1]
6.3 A crucial element in this definition is that personal information must be ‘about an individual whose identity is apparent, or can reasonably be ascertained’. In 2002, the then Privacy Commissioner, Malcolm Crompton, stated that:
An important distinction needs to be made between identity and identification. Identity is a complex, multifaceted notion. Each of us has a range of different identities defined through relations with others, position, status, actions, behaviours, characteristics, attitudes and the circumstances of the moment …
Identification is the action of being identified, of linking specific information with a particular person. An individual’s identity has a degree of fluidity and is likely to change over time. The extensive linking of different information about an individual may restrict or limit this fluidity …
Identification can potentially relate a wide range of elements of an individual’s identity. In practice, identifying an individual generally involves focusing on those things that distinguish that individual from others including, legal name, date of birth, location or address and symbolic identifiers such as a driver’s licence number.[2]
6.4 A number of submissions to the Senate Legal and Constitutional References Committee inquiry into the Privacy Act (the Senate Committee privacy inquiry) suggested that the definition of personal information in the Act needed to be updated to deal with new technologies and new methods of collecting information.[3] Research done on behalf of the Consultative Committee of the Council of Europe Convention highlighted that new technology makes it possible to process data relating to individuals—and to develop profiles of those individuals—that are not linked to their legal identity such as their name and address.[4]
6.5 The Office of the Privacy Commissioner (OPC) has stated that:
The definition of personal information provides latitude for the Office to take into consideration contextual factors when determining if information should be subject to the Privacy Act. These contextual factors go to determining whether an individual’s identity is ‘readily ascertainable’.
The Office recognises the challenges posed by the development of new technologies and processes, particularly in the field of data-matching, that have the potential to create identified information from data sources containing previously anonymous data. However, the definition of personal information leaves open the flexibility to consider the degree to which an organisation is able to ‘reasonably ascertain’ someone’s identity, including by the use of such technologies.[5]
6.6 Both the OPC review of the private sector provisions of the Privacy Act (the OPC Review) and the Senate Committee privacy inquiry recommended that the ALRC, in its review of the Privacy Act, examine the definition of ‘personal information’ and any amendments to the definition that may be needed to reflect technological advances and international developments in privacy law.[6]
International instruments
6.7 The Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines)[7] and the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (the Council of Europe Convention)[8] define ‘personal data’ as ‘any information relating to an identified or identifiable individual’. The European Parliament Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (the EU Directive) defines ‘personal data’ as ‘any information relating to an identified or identifiable natural person’ and goes on to say that an identifiable person is
one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.[9]
6.8 The European Union Article 29 Data Protection Working Party has stated that:
At this point, it should be noted that, while identification through the name is the most common occurrence in practice, a name may itself not be necessary in all cases to identify an individual. This may happen when other ‘identifiers’ are used to single someone out. Indeed, computerised files registering personal data usually assign a unique identifier to the persons registered, in order to avoid confusion between two persons in the file. Also on the Web, web traffic surveillance tools make it easy to identify the behaviour of a machine and, behind the machine, that of its user. Thus, the individual’s personality is pieced together in order to attribute certain decisions to him or her … the individual’s contact point (a computer) no longer necessarily requires the disclosure of his or her identity in the narrow sense. In other words, the possibility of identifying an individual no longer necessarily means the ability to find out his or her name. The definition of personal data reflects this fact.[10]
6.9 The Asia-Pacific Economic Cooperation Privacy Framework (the APEC Privacy Framework) defines ‘personal information’ as ‘any information about an identified or identifiable individual’. The Framework goes on to state that this includes information that can be used to identify an individual, as well as information that would not meet this criteria alone, but when put together with other information would identify an individual.[11]
Other jurisdictions
6.10 A 2004 report on the meaning of ‘personal data’, prepared for the United Kingdom Information Commissioner, examined the definition and application of the term in the privacy legislation of 18 countries. The report found that there is ‘no one uncontested and coherent definition’ of ‘personal data’.[12]
6.11 Both the Canadian Personal Information Protection and Electronic Documents Act 2000[13] and the New Zealand Privacy Act 1993[14] simply define ‘personal information’ as ‘information about an identifiable individual’.
6.12 The Information Privacy Bill 2007 (WA) defines personal information, in part, as follows:
Personal information is information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead—
(a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or
(b) who can be identified by reference to an identifier or an identifying particular such as a fingerprint, retina print or body sample.[15]
6.13 The Data Protection Act 1998 (UK) states that ‘personal data’ means:
data which relate to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.[16]
6.14 The United Kingdom Information Commissioner has issued detailed legal guidelines on the Data Protection Act, including in relation to the meaning of ‘personal data’:
An individual is ‘identified’ if you have distinguished that individual from other members of a group … Simply because you do not know the name of an individual does not mean you cannot identify that individual. Many of us do not know the names of all our neighbours, but we are still able to identify them … There will be circumstances where the data you hold enables you to identify an individual whose name you do not know and you may never intend to discover.[17]
6.15 The Information Commissioner provided the following example:
Where an individual is not previously known to the operators of a sophisticated multi-camera town centre CCTV system, but the operators are able to distinguish that individual on the basis of physical characteristics, that individual is identified. Therefore, where the operators are tracking a particular individual that they have singled out in some way (perhaps using such physical characteristics) they will be processing ‘personal data’.[18]
6.16 In earlier guidance, the Information Commissioner expressed the view that:
If the information about a particular web user is built up over a period of time, perhaps through the use of tracking technology, with the intention that it may later be linked to a name and address, that information is personal data. Information may be compiled about a particular web user, but there might not be any intention of linking it to a name and address or e-mail address. There might merely be an intention to target that particular user with advertising, or to offer discounts when they re-visit a particular web site, on the basis of the profile built up, without any ability to locate that user in the physical world. The Commissioner takes the view that such information is, nevertheless, personal data. In the context of the on-line world the information that identifies an individual is that which uniquely locates him in that world, by distinguishing him from others.[19]
6.17 In more recent guidance, however, the Information Commissioner makes clear that data is likely to be personal data where it is linked to an individual and is processed with the intention of determining or influencing the way in which the person is treated, rather than simply distinguishing that person from others.[20]
About an individual
6.18 The current definition in the Privacy Act states that information must be ‘about an individual’. The APEC Privacy Framework also requires that information be ‘about’ an individual. On the other hand, the OECD Guidelines, the Council of Europe Convention and the EU Directive require that information ‘relate to’ an individual.
6.19 The 2004 report prepared for the United Kingdom Information Commissioner notes that not all data that relate to an individual should fall within the definition of ‘personal information’. To hold that all information that could affect or be linked to an individual is ‘personal information’ ‘runs the risk of making all data personal data’. The report stated that the limiting factor is that the information must relate to an identifiable individual: the information must either identify the individual or be able to be linked to information that can identify the individual. The report defines this kind of information as being ‘about’ the individual.[21]
Ability to contact
6.20 Another issue that was raised over the course of the Inquiry was whether the definition of ‘personal information’ should include information that simply allows an individual to be contacted, such as a stand alone telephone number or Internet Protocol (IP) address. A number of stakeholders suggested that the definition should include information sufficient to allow communications with an individual whether or not it is sufficient to allow the individual to be identified.[22]
Discussion Paper proposals
6.21 In Discussion Paper 72, Review of Australian Privacy Law (DP 72),[23] the ALRC proposed bringing the definition of ‘personal information’ in the Privacy Act more in line with the definitions used in relevant international instruments. The ALRC noted the distinction drawn by the former Privacy Commissioner between ‘identity’ and ‘identification’, set out above, and expressed the view that the Privacy Act should apply to information about an individual who is ‘identified or reasonably identifiable’ rather than information about an individual whose ‘identity’ is apparent, or reasonably ascertainable. The ALRC suggested that ‘personal information’ should be defined as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’.[24]
6.22 The ALRC also proposed that the Explanatory Memorandum to the amended Privacy Act make clear that an individual is ‘reasonably identifiable’ when the individual can be identified from information in the possession of an agency or organisation or from that information and other information the agency or organisation has the capacity to access or is likely to access.[25] The ALRC proposed that the Privacy Commissioner should issue guidance on the meaning of ‘identified or reasonably identifiable’.[26]
6.23 The ALRC did not propose a change to the terminology requiring personal information to be ‘about’ an individual. Although a number of international instruments use the term ‘relates to’, the Privacy Act terminology is consistent with the APEC Privacy Framework and reflects the fact that the information must be about an identified or reasonably identifiable individual. Finally, the ALRC suggested that information that simply allows an individual to be contacted—such as a stand alone telephone number, street address or IP address—would not, and should not, fall within the proposed definition of ‘personal information’. The Privacy Act is not intended to implement an unqualified ‘right to be let alone’. This broader issue is discussed in Chapter 1 in relation to the meaning of ‘privacy’.
Submissions and consultations
General comments
6.24 A number of stakeholders expressed support for the existing definition of ‘personal information’ in the Privacy Act.[27] The Australian Bankers’ Association (ABA) noted that changing key definitions in the Act would come at some cost to industry and should only be done if a clear case for change was made out.[28] A number of other stakeholders agreed, suggesting that the current definition was appropriate and noting that any change would result in an unjustified compliance burden.[29] BPAY stated that:
BPAY believes that the current definition of ‘personal information’ in the Privacy Act is adequate. Without compelling reasons to change the definition, any change to the definition is likely to generate considerable uncertainty, and implementation and compliance costs. These costs may be quite disproportionate to any benefit that may be obtained with respect to the protection of an individual’s privacy.[30]
6.25 DLA Phillips Fox noted that the current definition is broad enough to capture information in any medium and sufficiently flexible to allow for future technological developments.[31] The OPC agreed with the need to maintain flexibility, noting that:
The definition of personal information is contingent on context for its application. In the view of the Office, this is one of the strengths of the definition, allowing it to respond to change and technological advance. In order to alleviate any confusion generated by the flexibility of the term, the Office intends to issue further guidance material.[32]
6.26 The OPC, however, along with a significant number of other stakeholders, expressed support for the changes to the definition of ‘personal information’ proposed in DP 72.[33] Australia Post commented positively on the fact that this would bring the definition more into line with relevant international instruments.[34] There was also support for the proposals to provide guidance on the meaning of ‘reasonably identifiable’ in the Explanatory Memorandum and in guidelines to be developed and published by the Privacy Commissioner.[35]
An identified or reasonably identifiable individual
6.27 Although there was widespread support for the proposed change to the definition of ‘personal information’, there were also some concerns expressed. The Australian Privacy Foundation suggested that the test should be whether information is ‘potentially identifiable’ rather than ‘reasonably identifiable’.[36] GE Money Australia was of the view that use of the term ‘reasonably’ would introduce greater uncertainty and that the meaning of ‘personal information’ should be left to guidance issued by the Privacy Commissioner.[37]
6.28 On the other hand, while Microsoft Asia Pacific did not support a change to the definition of personal information, it stated that, if the definition was amended along the lines suggested by the ALRC, it was important to retain the ‘reasonableness’ test:
This test necessitates a consideration of the cost, difficulty, practicality and likelihood of the organisation linking information with other personal information accessible to it, and not merely whether the organisation would be able to link the information after incurring substantial expenditure … In Microsoft’s experience as a large organisation that handles and processes significant volumes of personal information for its business purposes, it is apparent to us that just because an organisation holds, or is capable of accessing, various pieces of information about an individual, it does not follow that it will always combine this information to ascertain the identity of that individual. In many cases it is not practical or useful for this to be done, and so it simply does not occur.[38]
6.29 A number of other stakeholders did not support the ALRC’s proposed definition on the basis that, in the current technological environment, all information held by agencies and organisations is potentially ‘identifiable’.[39] Acxiom Australia noted that although it was almost always possible to use technology to link information with identified individuals, that did not mean that agencies or organisations would do so.[40] The Insurance Council of Australia expressed the view that assessing whether an organisation held personal information about individuals who were ‘reasonably identifiable’, would itself give rise to behaviour that was inconsistent with the objectives of the Privacy Act.[41]
6.30 A number of early submissions to the Inquiry had expressed concern that, with the advent of the internet and other technologies—such as location based services including mobile phones and the Global Positioning System (GPS)—it is possible to build profiles of individuals using identifiers such as mobile phone numbers.[42] In DP 72, the ALRC expressed the view that a mobile telephone number, email address or IP address could be, or could become, personal information once that information was linked to a particular individual due to the accretion of information around the number or address. The Australian Compliance Institute expressed support for the proposition that the definition of ‘personal information’ should capture information such as an email address where it is possible to use the information to target or affect the individual in some way.[43]
6.31 The Public Interest Advocacy Centre (PIAC) suggested that:
There is a need to move away from the concept of identification in defining personal information and to look instead at whether the information enables interactions with an individual on a personalized basis. This is a much more practical and measurable test than whether someone is ‘identifiable or reasonably identifiable’.[44]
6.32 The Australian Communications and Media Authority (ACMA) noted that its practice in anti-spam investigations is to treat all email addresses in spam email headers as ‘personal information’. However, in relation to IP addresses, ACMA submitted that, as IP addresses uniquely identify computers connected to the internet, they relate to machines and not to individuals using the machines. ACMA did note, however, that while an individual’s identity may not be readily apparent from an IP address alone, that identity ‘can be ascertained when the IP address is correlated at a given point in time with the IP address data and other data held by the individual’s internet service provider’. ACMA expressed concern that uncertainty about when IP addresses become ‘personal information’ for the purposes of the Privacy Act may impair its ability to share such information with overseas authorities in the course of investigative and enforcement actions.[45]
6.33 The Australian Government Attorney-General’s Department noted that:
Clear guidelines are required to establish the point at which telephone numbers, email addresses or IP addresses become personal information. In part these should cover the attributes required to link an individual to an IP address, email address or telephone number and the point at which the aggregation of IP address, email address and phone number may also identify the individual.[46]
6.34 In addition, there was concern expressed about the proposed clarification of the meaning of ‘reasonably identifiable’ to be included in the Explanatory Memorandum. Several stakeholders supported the approach proposed—that an individual is ‘reasonably identifiable’ if the individual can be identified from information in the possession of an agency or organisation or from that information and other information the agency or organisation has the capacity to access or is likely to access—but were of the view that such qualifiers should be included in the legislation.[47]
6.35 The Cyberspace Law and Policy Centre expressed support for the proposed definition, agreeing that
what makes the data ‘personal information’ is that the individual is treated differently from other individuals because of information which is specific to them, even though their name may not be known to the party which is using the information.[48]
6.36 The Centre doubted, however, that the courts would interpret the proposed definition in this way. The Centre was of the view that guidance by the Privacy Commissioner would not be sufficient in these circumstances, and urged that the matter be addressed in the legislation itself, or in the Explanatory Memorandum.[49]
6.37 On the other hand, a number of stakeholders expressed concern about the content of the proposed Explanatory Memorandum clarification.[50] Telstra stated that it would be impossible for an organisation to take into account information that they are ‘likely to access’ in deciding whether information is ‘personal information’ for the purposes of the Privacy Act. In addition, Telstra stated that:
The problem with this approach is that it does not seem to require the information to be actually linked or intended to be linked by an organisation for it to fall within the definition. Thus, when an organisation collects information about an individual that does not in itself amount to personal information, it would then be required to investigate what other information about that individual is in the organisation’s possession in order to determine whether or not the information is to be treated as personal information, even if it does not, and does not intend to, link those items of information. This would be a mammoth task, particularly for large organisations, and would result in increased compliance costs without any clear additional public benefit.[51]
6.38 The Law Council of Australia queried whether it was necessary to include the clarification in the Explanatory Memorandum, and asked what criteria would be applied to judge whether an organisation is ‘likely to access’ information.[52] Medicare Australia also had concerns about identifying what an agency or organisation is ‘likely’ to do.[53] One stakeholder noted that assessments of ‘likelihood’ are difficult to make as they are highly contextual and require a detailed consideration of the relevant circumstances.[54]
6.39 Another stakeholder noted that, in large and disparate organisations, even where information is held by the same organisation, it may not be combined in such a way as to identify individuals.[55] BPAY stated that it was
unreasonable, that an organisation should be required to be aware of the various technologies and information which is available, to combine all information that it has capacity to access and apply it to all personal information collected.[56]
About an individual
6.40 Veda Advantage noted that if the definition of ‘personal information’ were expanded to include information that ‘referred to’ or ‘related to’ an individual, it would make large scale data studies—where privacy is protected by de-identifying information or encrypting significant elements—impossible.[57]
6.41 One other issue that arose in submissions and consultations was whether business or commercial information was ‘about’ an individual—for example, information on the number and type of prescriptions issued by a particular health service provider, where patient identifiers have been removed. It was suggested that this kind of information should not be protected by the Privacy Act as it relates to the health service provider’s business practices, rather than his or her personal affairs.[58] The Article 29 Data Protection Working Party, however, has stated that:
Drug prescription information … whether in the form of an individual prescription or in the form of patterns discerned from a number of prescriptions, can be considered as personal data about the physician who prescribes this drug, even if the patient is anonymous.[59]
6.42 The OPC has also stated that, if an individual’s identity can be determined from business information, the information is personal information for the purposes of the Privacy Act.[60] The Australian Government noted in its response to the recommendations of the Taskforce on Reducing the Regulatory Burden on Business that the publication of detailed information on the charging practices and performance of health service providers is likely to have industry wide implications and any proposed reform would need to take these implications into account.[61]
6.43 While the Privacy Act would not stand in the way of this kind of regulatory reform, in the absence of such reform the Privacy Act will apply to such information. The extent to which business or commercial information is ‘about’ an individual and, therefore, constitutes ‘personal information’ is also considered in Chapter 54 in relation to credit reporting information and Chapter 63 in relation to health information.
Ability to contact
6.44 In its submission to the Inquiry, PIAC noted the Senate Committee privacy inquiry view that consideration should be given to extending the definition of ‘personal information’ to include information ‘that enables an individual not only to be identified, but also contacted’.[62] PIAC expressed support for this view on the basis that the right to be left alone is an important element of the right to privacy and should be included in the Privacy Act.[63]
6.45 On the other hand, Australia Post was concerned that extending the definition in this way would prevent businesses contacting individuals, even where they are not identified or identifiable, and would be inconsistent with the policy objectives of the Privacy Act.[64]
6.46 The OPC has made clear that a business can use personal information taken from public sources—such as the phone book—to contact potential customers. Thus, even if contact information were ‘personal information’, businesses could use the information to contact individuals. The obligations imposed by the Privacy Act in these circumstances would be to:
- tell potential customers the business’ name and how to contact it, why the information has been collected, to whom the business usually discloses such information and how the customer can get access to the information (NPP 1.5);
- only use the information for the purpose it was collected, that is, to approach the customer, or for a related purpose that the potential customer would expect (NPP 2.1(a));
- do what is reasonable to make sure the information is correct and to delete or correct information that it finds is not correct (NPP 3);
- keep the information reasonably secure (NPP 4);
- have a privacy policy (NPP 5); and
- give the potential customer access to the information on request and correct any errors the customer points out (NPP 6).[65]
6.47 The Cyberspace Law and Policy Centre agreed with the ALRC that information that simply allows an individual to be contacted without conveying anything about the individual’s identity or characteristics should not fall within the proposed definition of ‘personal information’ and suggested that this be clarified in the legislation or the Explanatory Memorandum.[66]
ALRC’s view
6.48 The current definition of ‘personal information’ contains the following elements:
- information or an opinion;
- including information or an opinion forming part of a database;
- whether true or not;
- whether recorded in a material form or not;
- about an individual;
- whose identity is apparent from the information or opinion; or
- whose identity can reasonably be ascertained from the information or opinion.[67]
6.49 Although a number of these elements are unproblematic, the ALRC’s view is that one element is unnecessary and that others do not reflect the standards set in international instruments dealing with the privacy of personal information and should be changed.
Elements requiring no change
6.50 The following elements of the definition of ‘personal information’ should remain unchanged: information or an opinion; whether true or not; and whether recorded in a material form or not. The ALRC received very few submissions indicating that these elements of the definition were problematic.
6.51 Personal information should be ‘about’ an individual. The ALRC notes that, although a number of international instruments use the term ‘relates to’, the Privacy Act terminology is consistent with the APEC Privacy Framework and reflects the fact that the information must be about an identified or reasonably identifiable individual.
Forming part of a database
6.52 The second element of the definition—‘including information or an opinion forming part of a database’—is unnecessary and should be deleted. It may have been helpful to make this clear in 1988 when the Privacy Act was originally passed, but in the current environment it is no longer a matter of uncertainty. In addition, the recommended definition of ‘record’, discussed below, expressly includes ‘information stored in electronic or other formats’.[68]
Whose identity is apparent or can reasonably be ascertained from the information
6.53 This element of the definition should be amended to bring it more into line with other jurisdictions and international instruments. Noting the distinction between ‘identity’ and ‘identification’, discussed above, the Privacy Act should apply to information about an individual who is ‘identified or reasonably identifiable’ rather than information about an individual whose ‘identity’ is apparent, or reasonably ascertainable. The APEC Privacy Framework, the OECD Guidelines, the Council of Europe Convention and the EU Directive use the terms ‘identified’ and ‘identifiable’. The recommended terminology is more consistent with this language and international jurisprudence and explanatory material based on the terms ‘identified’ and ‘identifiable’ will be more directly relevant.
6.54 The definition of personal information should include an element of reasonableness. Whether an individual can be identified or is identifiable depends on context and circumstances. While it may be technically possible for an agency or organisation to identify individuals from information it holds, for example, by linking the information with information held by another agency or related organisation, it may be that it is not practically possible. For example, logistics or legislation may prevent such linkage. In these circumstances, individuals are not ‘reasonably identifiable’.
6.55 In addition, the definition of ‘personal information’ should not be limited, as it currently is, to information about an individual whose identity is apparent or can reasonably be ascertained ‘from the information’. An individual is ‘reasonably identifiable’, when the individual can be identified from information in the possession of an agency or organisation or from that information and other information the agency or organisation may access without unreasonable cost or difficulty.
6.56 The ALRC notes the concerns raised by stakeholders, particularly about the proposed clarification to be included in the Explanatory Memorandum—that information is reasonably identifiable when an individual can be identified from information in the possession of an agency or organisation or from that information and other information the agency or organisation has the capacity to access or is likely to access. While this test is included expressly in the Data Protection Act 1998 (UK), it may lack sufficient flexibility and should not be included in the amended Privacy Act or Explanatory Memorandum.
6.57 As noted by Microsoft Asia Pacific, whether an individual is ‘reasonably identifiable’ from certain information requires a consideration of the cost, difficulty, practicality and likelihood that the information will be linked in such a way as to identify him or her. This is an appropriate formulation of the test. The ALRC does not agree with the Australian Privacy Foundation that the test should be whether an individual is ‘potentially identifiable’. A great deal of information is about potentially identifiable individuals but where identifying the individuals would involve unreasonable expense or difficulty, and is unlikely to happen, the ALRC is of the view that the information is not ‘personal information’ for the purposes of the Privacy Act.
6.58 As noted by the OPC, the issue is also context specific. Information that is not ‘personal information’ in a particular context is discussed further below in relation to research. Where an independent intermediary, such as the Western Australian Data Linkage Unit (DLU), is used to remove identifying particulars and to code information provided to researchers, the information in the hands of the researchers is not about ‘identified or reasonably identifiable’ individuals for the purposes of the Privacy Act. The individuals remain, however, ‘potentially identifiable’.
6.59 The ALRC notes the United Kingdom Information Commission’s view that information need not be linked to a name and address in order for the individual to be ‘identified’. The examples provided include: the collection of information about internet users with the intention of linking that information to names and addresses; and targeting individuals with advertising without linking the information to names and addresses or making any effort to identify individuals in the physical world. The Information Commissioner takes the view that such information is ‘personal data’. This information would also fall within the recommended definition of personal information and should be protected by the Privacy Act.
6.60 While stand-alone telephone numbers, street addresses and IP addresses may not be personal information for the purposes of the Privacy Act, such information may become personal information in certain circumstances. The ALRC acknowledges that telephone numbers relate to telephones or other communications devices, IP addresses to computers, and street addresses to houses, rather than individuals, but notes that such information may come to be associated with a particular individual as information accretes around the number or address. The ALRC notes ACMA’s concern that it may be difficult to determine when an IP address becomes personal information. It is the ALRC’s view, however, that given the exceptions provided in the model UPPs for actions required or authorised by or under law, investigations of suspected unlawful activity and for enforcement activities, this issue will not hinder investigative and enforcement action by the Authority.
Ability to contact
6.61 Information that simply allows an individual to be contacted—such as a telephone number, a street address or an IP address in isolation—would not fall within the recommended definition of ‘personal information’. As noted above, the Privacy Act is not intended to implement an unqualified ‘right to be let alone’. As information accretes around a point of contact and it becomes possible to link that information to a particular individual and to target that individual—for example, with advertising material—the information becomes ‘personal information’ for the purposes of the Act. If an agency or organisation can reasonably identify direct mail recipients by linking data in an address database with particular names in the same or another database, that information is ‘personal information’ and should be treated as such.
Conclusion
6.62 The then Privacy Commissioner, Malcolm Crompton, expressed the view that:
Privacy laws need to be in the form of general principles, as information handling is highly contextual. This can create a significant margin for interpretation and implementation.[69]
6.63 Because of this, elements of the definition of ‘personal information’ will continue to give rise to theoretical uncertainty. While much information will fall clearly inside or outside the definition, there will be a need for ongoing practical guidance in relation to areas of uncertainty. The OPC has suggested that it issue further guidance on the meaning of ‘personal information’. The ALRC agrees that such guidance will be necessary to indicate how the definition operates in specific contexts. In particular, the ALRC recommends that the OPC develop and publish guidance on the meaning of ‘identified or reasonably identifiable’.
Recommendation 6–1 The Privacy Act should define ‘personal information’ as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’.
Recommendation 6–2 The Office of the Privacy Commissioner should develop and publish guidance on the meaning of ‘identified or reasonably identifiable’.
[1] Privacy Act 1988 (Cth) s 6(1).
[2] M Crompton, ‘Under the Gaze, Privacy Identity and New Technology’ (Paper presented at International Association of Lawyers 75th Anniversary Congress, Sydney, 28 October 2002).
[3] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [3.19]–[3.24]; Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 24 February 2005; Australian Privacy Foundation, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 1 March 2005; Centre for Law and Genetics, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 1 February 2005.
[4] Y Poullet, Report on the Application of Data Protection Principles to the Worldwide Telecommunications Networks (2004) Council of Europe, 33.
[5] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[6] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), rec 7.15; Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 69.
[7] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), art 1.
[8] Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 28 January 1981, Council of Europe, CETS No 108, (entered into force generally on 1 October 1985), art 2.
[9] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 2.
[10] European Union Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, 01248/07/EN WP136 (2007).
[11] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [9].
[12] S Booth and others, What are ‘Personal Data’?—A Study Conducted for the UK Information Commissioner (2004), 8.
[13] Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) s 2(1).
[14] Privacy Act 1993 (NZ) s 2.
[15] Information Privacy Bill 2007 (WA) cl 6.
[16] Data Protection Act 1998 (UK) s 1(1).
[17] United Kingdom Government Information Commissioner’s Office, Data Protection Technical Guidance: Determining What is Personal Data (2007).
[18] Ibid.
[19] United Kingdom Government Information Commissioner’s Office, Data Protection Act 1998 Legal Guidance (2001), 12.
[20] United Kingdom Government Information Commissioner’s Office, Data Protection Technical Guidance: Determining What is Personal Data (2007).
[21] S Booth and others, What are ‘Personal Data’?—A Study Conducted for the UK Information Commissioner (2004), 11.
[22] Australian Privacy Foundation, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.
[23] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007).
[24] Ibid, Proposal 3–5(a).
[25] Ibid, Proposal 3–5(b).
[26] Ibid, Proposal 3–5(c).
[27] BPay, Submission PR 566, 31 January 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Veda Advantage, Submission PR 163, 31 January 2007; AXA, Submission PR 119, 15 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007.
[28] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007.
[29] Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Investment and Financial Services Association, Submission PR 538, 21 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[30] BPay, Submission PR 566, 31 January 2008.
[31] DLA Phillips Fox, Submission PR 111, 15 January 2007.
[32] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[33] Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; School of Public Health—University of Sydney, Submission PR 504, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australian Library and Information Association, Submission PR 446, 10 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; I Graham, Submission PR 427, 9 December 2007; Australian Digital Alliance, Submission PR 422, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[34] Australia Post, Submission PR 445, 10 December 2007.
[35] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australia Post, Submission PR 445, 10 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; I Graham, Submission PR 427, 9 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[36] Australian Privacy Foundation, Submission PR 553, 2 January 2008.
[37] GE Money Australia, Submission PR 537, 21 December 2007.
[38] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.
[39] Acxiom Australia, Submission PR 551, 1 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007.
[40] Acxiom Australia, Submission PR 551, 1 January 2008.
[41] Insurance Council of Australia, Submission PR 485, 18 December 2007.
[42] AAMI, Submission PR 147, 29 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.
[43] Australasian Compliance Institute, Submission PR 419, 7 December 2007.
[44] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[45] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.
[46] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.
[47] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[48] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[49] Ibid.
[50] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[51] Telstra Corporation Limited, Submission PR 459, 11 December 2007.
[52] Law Council of Australia, Submission PR 527, 21 December 2007.
[53] Medicare Australia, Submission PR 534, 21 December 2007.
[54] Confidential, Submission PR 536, 21 December 2007.
[55] P Youngman, Submission PR 394, 7 December 2007.
[56] BPay, Submission PR 566, 31 January 2008.
[57] Veda Advantage, Submission PR 163, 31 January 2007.
[58] Australian Health Insurance Association, Submission PR 161, 31 January 2007; IMS Health Asia, Consultation PC 124, Sydney, 8 March 2007.
[59] European Union Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, 01248/07/EN WP136 (2007).
[60] Office of the Privacy Commissioner, Frequently Asked Questions: When is Business Information Covered by the Privacy Act? <www.privacy.gov.au/faqs/bf/q8.html> at 30 April 2008.
[61] Australian Government, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business—Australian Government’s Response (2006), 5–6.
[62] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.14].
[63] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[64] Australia Post, Submission PR 78, 10 January 2007.
[65] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001).
[66] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[67] Privacy Act 1988 (Cth) s 6(1).
[68] Rec 6–6.
[69] M Crompton, ‘Under the Gaze, Privacy Identity and New Technology’ (Paper presented at International Association of Lawyers 75th Anniversary Congress, Sydney, 28 October 2002).